标题: SDCMS通杀漏洞利用工具及提权拿SHELL [打印本页] 作者: admin 时间: 2012-11-9 20:57 标题: SDCMS通杀漏洞利用工具及提权拿SHELL 作者:T00LS 鬼哥, r' S {; F" n5 ~, Q1 Z! K
漏洞文件:后台目录/index.asp 9 u( |9 U4 c7 P# m. I% }! h9 |% p! c/ i$ S* q3 ]: B4 F: z
Sub Check3 l& S, e9 S% h+ h% V/ j0 x& |2 W
Dim username,password,code,getcode,Rs1 s+ T5 F; e; [2 o5 ~3 f4 W# ?- E: q
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub0 s7 {4 [3 y' n) }
username=FilterText(Trim(Request.Form("username")),1)0 @! ~1 U1 _& @$ Y: `
password=FilterText(Trim(Request.Form("password")),1) # K/ _, s8 ?# c4 A d code=Trim(Request.Form("yzm")), l s% {8 b9 q
getcode=Session("SDCMSCode") $ p: w/ H; F+ G. h F6 c% t% ] IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died+ T! u" c8 F4 B/ M3 R, H0 i
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)"ied( k4 g$ ]9 U- j9 e/ X* j0 b, i$ V
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied8 }% F8 v. t1 t
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied3 f2 U2 x; i; Z$ Q; G/ a
IF username="" or password="" Then 5 H: m) b" f/ z# t; Y Echo "用户名或密码不能为空"ied% t# c: a* L A# N
Else $ [- R$ ~1 n9 U0 ?0 k4 t% N8 G Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")4 Q4 M# j5 p4 p0 I; D& G8 R
IF Rs.Eof Then 1 h3 o/ @' C, V$ ?/ ?3 P AddLog username,GetIp,"登录失败",1( Y O ^0 {* ^$ V2 g2 s
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"1 b X0 i' K* u& ]$ e
Else4 B* O6 z, f7 h. Z6 s
Add_Cookies "sdcms_id",Rs(0)3 z4 M4 ]; o; f T4 Y' d
Add_Cookies "sdcms_name",username # K7 A F0 V* Y3 n1 P0 ` Add_Cookies "sdcms_pwd",Rs(2) ) d6 q, Z! X3 r: \& l Add_Cookies "sdcms_admin",Rs(3) : L, B' a3 x/ c* C1 k$ b/ n6 A Add_Cookies "sdcms_alllever",Rs(4)2 |) G) |4 Y4 W! f k* `+ h
Add_Cookies "sdcms_infolever",Rs(5)8 B) a& O! K/ ]2 a, S
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"") 6 b* u% H1 j+ ~7 d2 _+ ]7 B* p AddLog username,GetIp,"登录成功",1 4 w/ Z0 L/ N o' @ '自动删除30天前的Log记录 * P1 |+ y& S, j+ Q IF Sdcms_DataType Then 0 s' n J$ m: g Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30") 2 @2 q- l+ V5 ^/ v- Y! E1 ~ Else 0 j: r# v0 d+ \9 m' r Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30") * N8 d, ]" t. R' g7 n( [) w End IF - h! U" B; q8 N+ S Go("sdcms_index.asp") % }$ v6 q2 h5 Z End IF ! `1 U: w2 b, w# ~; I ^* I( _ @ Rs.Close; S4 p8 x' l& }8 J9 ?+ q
Set Rs=Nothing $ O9 @8 o J& t" D End IF . ]7 [& g# x s- r- h! gEnd Sub/ u- s4 V t; K% M2 v+ W
1 O; I7 u6 Z! @$ I7 a7 V3 C’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码, y0 u) n2 k- J; t/ R L
3 J; v) M a, L4 s" X7 L
Function FilterText(ByVal t0,ByVal t1) 3 F, x8 w* X& m5 Q+ Z- L1 D4 y+ C IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function% x/ u/ B$ ^+ {0 i8 ?" S
t0=Trim(t0) g5 Q. n9 Y9 A: j4 K5 a t7 L8 h* k
Select Case t1 6 t( c5 e0 ^5 w+ x! ?1 ? Case "1" ( j: n/ A' a& {4 l/ j t0=Replace(t0,Chr(32),"")8 Y6 s- Y3 I# {) A% h- [! j. ^
t0=Replace(t0,Chr(13),"")1 h# P( A3 R% J& _2 k
t0=Replace(t0,Chr(10)&Chr(10),"")3 V; a4 k, |, t. r* `8 e" @, ~( i
t0=Replace(t0,Chr(10),"")- \) h/ ?( l; C; V0 \
Case "2". k4 \% a6 Y( ~% H0 `& _
t0=Replace(t0,Chr(8),"")'回格# X( Y+ U& D& _) [7 A8 j
t0=Replace(t0,Chr(9),"")'tab(水平制表符) 8 ^6 g+ c) p# p4 d t0=Replace(t0,Chr(10),"")'换行; n f* m$ w; b# D
t0=Replace(t0,Chr(11),"")'tab(垂直制表符) - K% p6 t0 `) J1 W t0=Replace(t0,Chr(12),"")'换页 : J6 M T" j* l6 K t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合 % x \$ F+ `; V6 P' q$ {5 f3 A t0=Replace(t0,Chr(22),"")8 G4 {# q& u7 B
t0=Replace(t0,Chr(32),"")'空格 SPACE ; `' ~( B* B/ E! {! C2 {! z t0=Replace(t0,Chr(33),"")'!- L2 B+ s8 V; r' `7 Q6 x2 @& ?
t0=Replace(t0,Chr(34),"")'" 8 G3 [4 N( ]- n" d3 V( ]0 d8 a t0=Replace(t0,Chr(35),"")'#6 L% G6 j6 @2 b
t0=Replace(t0,Chr(36),"")'$ $ k6 r& `/ l/ \, Y. I t0=Replace(t0,Chr(37),"")'%, W' _: w h4 K
t0=Replace(t0,Chr(38),"")'& " N; _. g# J: t' L9 o7 w$ N3 t- I t0=Replace(t0,Chr(39),"")''! l' P2 Q+ `* ^, n
t0=Replace(t0,Chr(40),"")'( - \1 {( s3 y, Z8 A2 f- b H3 E t0=Replace(t0,Chr(41),"")')- m# V* i* L/ S! `" I+ _, ?
t0=Replace(t0,Chr(42),"")'* - L+ n4 b" f, J. x5 x: k* M$ t t0=Replace(t0,Chr(43),"")'+8 G, `6 F* u" b. C/ O9 z
t0=Replace(t0,Chr(44),"")',0 A& D% q6 A/ z+ _8 F) L6 j
t0=Replace(t0,Chr(45),"")'- 7 |8 s" e3 n1 Q" B" W" m+ \ t0=Replace(t0,Chr(46),"")'. : f, H1 k5 L% k1 w/ X* w+ h6 I t0=Replace(t0,Chr(47),"")'/9 S7 r, E, X4 m' ]: x6 Y
t0=Replace(t0,Chr(58),"")': + G# B+ m/ i% J1 n# @/ B h t0=Replace(t0,Chr(59),"")';* J7 @8 a2 L" i
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'> ' t8 b. f' \! D2 j# C t0=Replace(t0,Chr(63),"")'? 2 R- L e3 x+ [ t0=Replace(t0,Chr(64),"")'@4 m( U5 F k" i: p7 n, Y
t0=Replace(t0,Chr(91),"")'\2 E" } u# i; v) _5 C
t0=Replace(t0,Chr(92),"")'\ $ _% y, v" m. \" s& J t0=Replace(t0,Chr(93),"")']9 {: {4 _8 p& R# k' i. J( ` _
t0=Replace(t0,Chr(94),"")'^ 4 [1 F2 g; W- [* z9 W t0=Replace(t0,Chr(95),"")'_ % M- J" I. ? J5 C+ m' C6 y t0=Replace(t0,Chr(96),"")'`/ {. V+ r8 }+ P) h5 `4 m1 l; l
t0=Replace(t0,Chr(123),"")'{* C) M% g7 X7 R4 K
t0=Replace(t0,Chr(124),"")'|6 T$ v+ }) d- k W9 s) U9 y% m: T
t0=Replace(t0,Chr(125),"")'}: l) C! U% W' e) p G- P( F# ~# \
t0=Replace(t0,Chr(126),"")'~ + Z$ R+ O$ @) g. e# j2 Y Case Else0 o4 x7 p9 u8 l5 V( {+ r- i' ?- Y
t0=Replace(t0, "&", "&") # N) r% ^/ P# \% w3 u$ t" d t0=Replace(t0, "'", "'") & V z+ H' U, B! @' m t0=Replace(t0, """", """)$ W% ^/ R* y% r. o) D
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">") ; m, e& Y- Q5 e2 A End Select; C! S/ Z1 J& \4 p0 V9 K( ]
IF Instr(Lcase(t0),"expression")>0 Then " u* } |- i( G2 H9 V, {; \ `$ I3 ? t0=Replace(t0,"expression","e­xpression", 1, -1, 0) ) d2 \# z3 f7 a" h End If1 q A; H) k* s& W& z; m
FilterText=t05 b% w1 R& r s4 ~9 c/ V, x' Z5 _
End Function 7 u, t0 _! ?5 ~4 Z' T, f+ a2 j ) Y0 C4 j! M! U' T+ o% P, x看到没。直接参数是1 只过滤 ; Q6 p7 Z! @/ z$ f' c t0=Replace(t0,Chr(32)," ")+ \. N/ v! C* F3 z2 U) v+ x3 I
t0=Replace(t0,Chr(13),"") s2 @, _7 F p t0=Replace(t0,Chr(10)&Chr(10),"& l# {% V+ s5 m! H1 z
")( S4 D/ G! T% d
t0=Replace(t0,Chr(10)," * R0 K% q1 k. `")9 j* Z- X, o' Q4 H# s- p
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!. F' d8 d7 f) }/ {
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP1 n* ]/ S' s2 j% [
9 R7 x4 Y( q6 o测试: $ {% d" Y5 o; ^2 s; h: R' |' W9 B, q% L! d5 R2 y9 P. `
* o8 R5 T0 R. {: x
现在输入工具上验证码,然后点OK9 {+ v8 r6 o+ r0 u' n, W, p _
% Q% v+ J$ D5 H9 u2 W
- d/ t. f& }; Y4 Q" S6 ?3 l8 L看到我们直接进入后台管理界面了,呵呵! * x. j, N$ a" ?5 g3 I. L9 I3 { + k- U2 G& l/ O7 g8 j7 d' w2 ?/ L% ?# c: }5 X# B, \: a
& a" _* N% ~# h3 a* E+ a
这样直接进入后台了。。。。 2 h, G' W/ N0 P. v - p* l7 o( g9 P3 z3 K1 R2 ? ! y1 \+ m' W( M6 {! F