网站地图    收藏   

主页 > 后端 > 网站安全 >

sdcms 1.3 最新版缺陷及修复 - 网站安全 - 自学php

来源:自学PHP网    时间:2015-04-17 14:47 作者: 阅读:

[导读] # Team:t00ls# Author: 鬼哥############################################################################漏洞版本:通杀所有sdcms漏洞危害:直接导致网站被入侵漏洞条件: 需要知道后台路径测试版本:sdc......

 

#  Team:t00ls

 

#  Author: 鬼哥

############################################################################

 

漏洞版本:通杀所有sdcms

漏洞危害:直接导致网站被入侵

漏洞条件: 需要知道后台路径

测试版本:sdcms 1.3 最新版

漏洞文件:后台目录/index.asp

 

Vul Code :

Sub Check

        Dim username,password,code,getcode,Rs

        IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub

        username=FilterText(Trim(Request.Form("username")),1) 

        password=FilterText(Trim(Request.Form("password")),1)

        code=Trim(Request.Form("yzm"))

        getcode=Session("SDCMSCode")

        IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died

        IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)":Died

        IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)":Died

        IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)":Died

        IF username="" or password="" Then

                Echo "用户名或密码不能为空":Died

        Else

                Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")

                IF Rs.Eof Then

                        AddLog username,GetIp,"登录失败",1

                        Echo "用户名或密码错误,今日还有"&loginnum-errnum&" 次机会"

                Else

                        Add_Cookies "sdcms_id",Rs(0)

                        Add_Cookies "sdcms_name",username

                        Add_Cookies "sdcms_pwd",Rs(2)

                        Add_Cookies "sdcms_admin",Rs(3)

                        Add_Cookies "sdcms_alllever",Rs(4)

                        Add_Cookies "sdcms_infolever",Rs(5)

                        Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")

                        AddLog username,GetIp,"登录成功",1

                        '自动删除30天前的Log记录

                        IF Sdcms_DataType Then

                                Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")

                        Else

                                Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")

                        End IF

                        Go("sdcms_index.asp")

                End IF

                Rs.Close

                Set Rs=Nothing

        End IF

End Sub

//我们可以看到username是通过filtertext来过滤的。我们看看filtertext代码

Function FilterText(ByVal t0,ByVal t1)

        IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function

        t0=Trim(t0)

        Select Case t1

                Case "1"

                        t0=Replace(t0,Chr(32)," ")

                        t0=Replace(t0,Chr(13),"")

                        t0=Replace(t0,Chr(10)&Chr(10),"")

                        t0=Replace(t0,Chr(10),"")

                Case "2"

                        t0=Replace(t0,Chr(8),"")'回格

                        t0=Replace(t0,Chr(9),"")'tab(水平制表符)

                        t0=Replace(t0,Chr(10),"")'换行

                        t0=Replace(t0,Chr(11),"")'tab(垂直制表符)

                        t0=Replace(t0,Chr(12),"")'换页

                        t0=Replace(t0,Chr(13),"")'回车chr(13)&chr(10) 回车和换行的组合

                        t0=Replace(t0,Chr(22),"")

                        t0=Replace(t0,Chr(32),"")'空格SPACE

                        t0=Replace(t0,Chr(33),"")'!

                        t0=Replace(t0,Chr(34),"")'"

                        t0=Replace(t0,Chr(35),"")'#

                        t0=Replace(t0,Chr(36),"")'$

                        t0=Replace(t0,Chr(37),"")'% 

                        t0=Replace(t0,Chr(38),"")'&

                        t0=Replace(t0,Chr(39),"")''

                        t0=Replace(t0,Chr(40),"")'( 

                        t0=Replace(t0,Chr(41),"")')

                        t0=Replace(t0,Chr(42),"")'*

                        t0=Replace(t0,Chr(43),"")'+

                        t0=Replace(t0,Chr(44),"")',

                        t0=Replace(t0,Chr(45),"")'-

                        t0=Replace(t0,Chr(46),"")'.

                        t0=Replace(t0,Chr(47),"")'/

                        t0=Replace(t0,Chr(58),"")':

                        t0=Replace(t0,Chr(59),"")';

                        t0=Replace(t0,Chr(60),"")'<

                        t0=Replace(t0,Chr(61),"")'=

                        t0=Replace(t0,Chr(62),"")'>

                        t0=Replace(t0,Chr(63),"")'?

                        t0=Replace(t0,Chr(64),"")'@

                        t0=Replace(t0,Chr(91),"")'\

                        t0=Replace(t0,Chr(92),"")'\

                        t0=Replace(t0,Chr(93),"")'] 

                        t0=Replace(t0,Chr(94),"")'^

                        t0=Replace(t0,Chr(95),"")'_

                        t0=Replace(t0,Chr(96),"")'`

                        t0=Replace(t0,Chr(123),"")'{  

                        t0=Replace(t0,Chr(124),"")'|

                        t0=Replace(t0,Chr(125),"")'}

                        t0=Replace(t0,Chr(126),"")'~

        Case Else

                t0=Replace(t0, "&", "&")

                t0=Replace(t0, "'", "'")

                t0=Replace(t0, """", """)

                t0=Replace(t0, "<", "<")

                t0=Replace(t0, ">", ">")

        End Select

        IF Instr(Lcase(t0),"expression")>0 Then

                t0=Replace(t0,"expression","e­xpression", 1, -1, 0)

        End If

        FilterText=t0 

End Function

 

#看到没。直接参数是1只过滤。

                        t0=Replace(t0,Chr(32)," ")

                        t0=Replace(t0,Chr(13),"")

                        t0=Replace(t0,Chr(10)&Chr(10),"

")

                        t0=Replace(t0,Chr(10),"

")

 

#并没有过滤sql语句。直接导致sql注入危害极大

#漏洞导致可以直接拿到后台账号密码。

默认后台/admin/

 

修复:过滤

自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习

京ICP备14009008号-1@版权所有www.zixuephp.com

网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com

添加评论