作者:T00LS 鬼哥

漏洞文件:后台目录/index.asp

作者声明:转载请注明 T00ls 鬼哥

Sub Check
Dim username,password,code,getcode,Rs
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
username=FilterText(Trim(Request.Form("username")),1)
password=FilterText(Trim(Request.Form("password")),1)
code=Trim(Request.Form("yzm"))
getcode=Session("SDCMSCode")
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)":Died
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)":Died
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)":Died
IF username="" or password="" Then
Echo "用户名或密码不能为空":Died
Else
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
IF Rs.Eof Then
AddLog username,GetIp,"登录失败",1
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
Else
Add_Cookies "sdcms_id",Rs(0)
Add_Cookies "sdcms_name",username
Add_Cookies "sdcms_pwd",Rs(2)
Add_Cookies "sdcms_admin",Rs(3)
Add_Cookies "sdcms_alllever",Rs(4)
Add_Cookies "sdcms_infolever",Rs(5)
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
AddLog username,GetIp,"登录成功",1
'自动删除30天前的Log记录
IF Sdcms_DataType Then
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
Else
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
End IF
Go("sdcms_index.asp")
End IF
Rs.Close
Set Rs=Nothing
End IF
End Sub

’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码

Function FilterText(ByVal t0,ByVal t1)
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
t0=Trim(t0)
Select Case t1
Case "1"
t0=Replace(t0,Chr(32),"")
t0=Replace(t0,Chr(13),"")
t0=Replace(t0,Chr(10)&Chr(10),"")
t0=Replace(t0,Chr(10),"")
Case "2"
t0=Replace(t0,Chr(8),"")'回格
t0=Replace(t0,Chr(9),"")'tab(水平制表符)
t0=Replace(t0,Chr(10),"")'换行
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
t0=Replace(t0,Chr(12),"")'换页
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
t0=Replace(t0,Chr(22),"")
t0=Replace(t0,Chr(32),"")'空格 SPACE
t0=Replace(t0,Chr(33),"")'!
t0=Replace(t0,Chr(34),"")'"
t0=Replace(t0,Chr(35),"")'#
t0=Replace(t0,Chr(36),"")'$
t0=Replace(t0,Chr(37),"")'%
t0=Replace(t0,Chr(38),"")'&
t0=Replace(t0,Chr(39),"")''
t0=Replace(t0,Chr(40),"")'(
t0=Replace(t0,Chr(41),"")')
t0=Replace(t0,Chr(42),"")'*
t0=Replace(t0,Chr(43),"")'+
t0=Replace(t0,Chr(44),"")',
t0=Replace(t0,Chr(45),"")'-
t0=Replace(t0,Chr(46),"")'.
t0=Replace(t0,Chr(47),"")'/
t0=Replace(t0,Chr(58),"")':
t0=Replace(t0,Chr(59),"")';
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
t0=Replace(t0,Chr(63),"")'?
t0=Replace(t0,Chr(64),"")'@
t0=Replace(t0,Chr(91),"")'\
t0=Replace(t0,Chr(92),"")'\
t0=Replace(t0,Chr(93),"")']
t0=Replace(t0,Chr(94),"")'^
t0=Replace(t0,Chr(95),"")'_
t0=Replace(t0,Chr(96),"")'`
t0=Replace(t0,Chr(123),"")'{
t0=Replace(t0,Chr(124),"")'|
t0=Replace(t0,Chr(125),"")'}
t0=Replace(t0,Chr(126),"")'~
Case Else
t0=Replace(t0, "&", "&")
t0=Replace(t0, "'", "'")
t0=Replace(t0, """", """)
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
End Select
IF Instr(Lcase(t0),"expression")>0 Then
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
End If
FilterText=t0
End Function
看到没。直接参数是1 只过滤
t0=Replace(t0,Chr(32)," ")
t0=Replace(t0,Chr(13),"")
t0=Replace(t0,Chr(10)&Chr(10),"
")
t0=Replace(t0,Chr(10),"
")
并没过滤SQL语句。直接导致SQL注入 危害极大

漏洞导致可以直接拿到后台帐号密码。
默认后台地址/admin/

转载请注明来自WebShell'S Blog,本文地址:https://www.webshell.cc/1717.html