作者：T00LS 鬼哥

漏洞文件：后臺目錄/index.asp

作者聲明：轉(zhuǎn)載請注明 T00ls 鬼哥

Sub Check

Dim username,password,code,getcode,Rs

IF Check_post Then Echo "1禁止從外部提交數(shù)據(jù)!":Exit Sub

username=FilterText(Trim(Request.Form("username")),1)

password=FilterText(Trim(Request.Form("password")),1)

code=Trim(Request.Form("yzm"))

getcode=Session("SDCMSCode")

IF errnum>=loginnum Then Echo "系統(tǒng)已禁止您今日再登錄":died

IF code="" Then Alert "驗(yàn)證碼不能為空！","javascript:history.go(-1)":Died

IF code<>"" And Not Isnumeric(code) Then Alert "驗(yàn)證碼必須為數(shù)字！","javascript:history.go(-1)":Died

IF code<>getcode Then Alert "驗(yàn)證碼錯誤！","javascript:history.go(-1)":Died

IF username="" or password="" Then

Echo "用戶名或密碼不能為空":Died

Else

Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")

IF Rs.Eof Then

AddLog username,GetIp,"登錄失敗",1

Echo "用戶名或密碼錯誤,今日還有 "&loginnum-errnum&" 次機(jī)會"

Else

Add_Cookies "sdcms_id",Rs(0)

Add_Cookies "sdcms_name",username

Add_Cookies "sdcms_pwd",Rs(2)

Add_Cookies "sdcms_admin",Rs(3)

Add_Cookies "sdcms_alllever",Rs(4)

Add_Cookies "sdcms_infolever",Rs(5)

Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")

AddLog username,GetIp,"登錄成功",1

'自動刪除30天前的Log記錄

IF Sdcms_DataType Then

Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")

Else

Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")

End IF

Go("sdcms_index.asp")

End IF

Rs.Close

Set Rs=Nothing

End IF

End Sub

’我們可以看到username是通過FilterText來過濾的。我們看看FilterText的代碼

Function FilterText(ByVal t0,ByVal t1)

IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function

t0=Trim(t0)

Select Case t1

Case "1"

t0=Replace(t0,Chr(32),"")

t0=Replace(t0,Chr(13),"")

t0=Replace(t0,Chr(10)&Chr(10),"")

t0=Replace(t0,Chr(10),"")

Case "2"

t0=Replace(t0,Chr(8),"")'回格

t0=Replace(t0,Chr(9),"")'tab(水平制表符)

t0=Replace(t0,Chr(10),"")'換行

t0=Replace(t0,Chr(11),"")'tab(垂直制表符)

t0=Replace(t0,Chr(12),"")'換頁

t0=Replace(t0,Chr(13),"")'回車 chr(13)&chr(10) 回車和換行的組合

t0=Replace(t0,Chr(22),"")

t0=Replace(t0,Chr(32),"")'空格 SPACE

t0=Replace(t0,Chr(33),"")'!

t0=Replace(t0,Chr(34),"")'"

t0=Replace(t0,Chr(35),"")'#

t0=Replace(t0,Chr(36),"")'$

t0=Replace(t0,Chr(37),"")'%

t0=Replace(t0,Chr(38),"")'&

t0=Replace(t0,Chr(39),"")''

t0=Replace(t0,Chr(40),"")'(

t0=Replace(t0,Chr(41),"")')

t0=Replace(t0,Chr(42),"")'*

t0=Replace(t0,Chr(43),"")'+

t0=Replace(t0,Chr(44),"")',

t0=Replace(t0,Chr(45),"")'-

t0=Replace(t0,Chr(46),"")'.

t0=Replace(t0,Chr(47),"")'/

t0=Replace(t0,Chr(58),"")':

t0=Replace(t0,Chr(59),"")';

t0=Replace(t0,Chr(60),"")'<

t0=Replace(t0,Chr(61),"")'=

t0=Replace(t0,Chr(62),"")'>

t0=Replace(t0,Chr(63),"")'?

t0=Replace(t0,Chr(64),"")'@

t0=Replace(t0,Chr(91),"")'\

t0=Replace(t0,Chr(92),"")'\

t0=Replace(t0,Chr(93),"")']

t0=Replace(t0,Chr(94),"")'^

t0=Replace(t0,Chr(95),"")'_

t0=Replace(t0,Chr(96),"")'`

t0=Replace(t0,Chr(123),"")'{

t0=Replace(t0,Chr(124),"")'|

t0=Replace(t0,Chr(125),"")'}

t0=Replace(t0,Chr(126),"")'~

Case Else

t0=Replace(t0, "&", "&")

t0=Replace(t0, "'", "'")

t0=Replace(t0, """", """)

t0=Replace(t0, "", ">")

End Select

IF Instr(Lcase(t0),"expression")>0 Then

t0=Replace(t0,"expression","e-xpression", 1, -1, 0)

End If

FilterText=t0

End Function

看到?jīng)]。直接參數(shù)是1 只過濾

t0=Replace(t0,Chr(32),"?")

t0=Replace(t0,Chr(13),"")

t0=Replace(t0,Chr(10)&Chr(10),"

")

t0=Replace(t0,Chr(10),"

")

并沒過濾SQL語句。直接導(dǎo)致SQL注入 危害極大

漏洞導(dǎo)致可以直接拿到后臺帳號密碼。

默認(rèn)后臺地址/admin/

轉(zhuǎn)載請注明來自WebShell'S Blog，本文地址：https://www.webshell.cc/1717.html

總結(jié)

以上是生活随笔為你收集整理的sdcms_php_web,SDCMS通杀漏洞的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。