sdcms_php_web,SDCMS通杀漏洞
作者:T00LS 鬼哥
漏洞文件:后臺目錄/index.asp
作者聲明:轉載請注明 T00ls 鬼哥
Sub Check
Dim username,password,code,getcode,Rs
IF Check_post Then Echo "1禁止從外部提交數據!":Exit Sub
username=FilterText(Trim(Request.Form("username")),1)
password=FilterText(Trim(Request.Form("password")),1)
code=Trim(Request.Form("yzm"))
getcode=Session("SDCMSCode")
IF errnum>=loginnum Then Echo "系統已禁止您今日再登錄":died
IF code="" Then Alert "驗證碼不能為空!","javascript:history.go(-1)":Died
IF code<>"" And Not Isnumeric(code) Then Alert "驗證碼必須為數字!","javascript:history.go(-1)":Died
IF code<>getcode Then Alert "驗證碼錯誤!","javascript:history.go(-1)":Died
IF username="" or password="" Then
Echo "用戶名或密碼不能為空":Died
Else
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
IF Rs.Eof Then
AddLog username,GetIp,"登錄失敗",1
Echo "用戶名或密碼錯誤,今日還有 "&loginnum-errnum&" 次機會"
Else
Add_Cookies "sdcms_id",Rs(0)
Add_Cookies "sdcms_name",username
Add_Cookies "sdcms_pwd",Rs(2)
Add_Cookies "sdcms_admin",Rs(3)
Add_Cookies "sdcms_alllever",Rs(4)
Add_Cookies "sdcms_infolever",Rs(5)
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
AddLog username,GetIp,"登錄成功",1
'自動刪除30天前的Log記錄
IF Sdcms_DataType Then
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
Else
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
End IF
Go("sdcms_index.asp")
End IF
Rs.Close
Set Rs=Nothing
End IF
End Sub
’我們可以看到username是通過FilterText來過濾的。我們看看FilterText的代碼
Function FilterText(ByVal t0,ByVal t1)
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
t0=Trim(t0)
Select Case t1
Case "1"
t0=Replace(t0,Chr(32),"")
t0=Replace(t0,Chr(13),"")
t0=Replace(t0,Chr(10)&Chr(10),"")
t0=Replace(t0,Chr(10),"")
Case "2"
t0=Replace(t0,Chr(8),"")'回格
t0=Replace(t0,Chr(9),"")'tab(水平制表符)
t0=Replace(t0,Chr(10),"")'換行
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
t0=Replace(t0,Chr(12),"")'換頁
t0=Replace(t0,Chr(13),"")'回車 chr(13)&chr(10) 回車和換行的組合
t0=Replace(t0,Chr(22),"")
t0=Replace(t0,Chr(32),"")'空格 SPACE
t0=Replace(t0,Chr(33),"")'!
t0=Replace(t0,Chr(34),"")'"
t0=Replace(t0,Chr(35),"")'#
t0=Replace(t0,Chr(36),"")'$
t0=Replace(t0,Chr(37),"")'%
t0=Replace(t0,Chr(38),"")'&
t0=Replace(t0,Chr(39),"")''
t0=Replace(t0,Chr(40),"")'(
t0=Replace(t0,Chr(41),"")')
t0=Replace(t0,Chr(42),"")'*
t0=Replace(t0,Chr(43),"")'+
t0=Replace(t0,Chr(44),"")',
t0=Replace(t0,Chr(45),"")'-
t0=Replace(t0,Chr(46),"")'.
t0=Replace(t0,Chr(47),"")'/
t0=Replace(t0,Chr(58),"")':
t0=Replace(t0,Chr(59),"")';
t0=Replace(t0,Chr(60),"")'<
t0=Replace(t0,Chr(61),"")'=
t0=Replace(t0,Chr(62),"")'>
t0=Replace(t0,Chr(63),"")'?
t0=Replace(t0,Chr(64),"")'@
t0=Replace(t0,Chr(91),"")'\
t0=Replace(t0,Chr(92),"")'\
t0=Replace(t0,Chr(93),"")']
t0=Replace(t0,Chr(94),"")'^
t0=Replace(t0,Chr(95),"")'_
t0=Replace(t0,Chr(96),"")'`
t0=Replace(t0,Chr(123),"")'{
t0=Replace(t0,Chr(124),"")'|
t0=Replace(t0,Chr(125),"")'}
t0=Replace(t0,Chr(126),"")'~
Case Else
t0=Replace(t0, "&", "&")
t0=Replace(t0, "'", "'")
t0=Replace(t0, """", """)
t0=Replace(t0, "", ">")
End Select
IF Instr(Lcase(t0),"expression")>0 Then
t0=Replace(t0,"expression","e-xpression", 1, -1, 0)
End If
FilterText=t0
End Function
看到沒。直接參數是1 只過濾
t0=Replace(t0,Chr(32),"?")
t0=Replace(t0,Chr(13),"")
t0=Replace(t0,Chr(10)&Chr(10),"
")
t0=Replace(t0,Chr(10),"
")
并沒過濾SQL語句。直接導致SQL注入 危害極大
漏洞導致可以直接拿到后臺帳號密碼。
默認后臺地址/admin/
轉載請注明來自WebShell'S Blog,本文地址:https://www.webshell.cc/1717.html
總結
以上是生活随笔為你收集整理的sdcms_php_web,SDCMS通杀漏洞的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 解决从Android studio 粘贴
- 下一篇: JS实现购物网站商品放大镜效果