来源:自学PHP网 时间:2015-04-17 14:47 作者: 阅读:次
[导读] # Team:t00ls# Author: 鬼哥############################################################################漏洞版本:通杀所有sdcms漏洞危害:直接导致网站被入侵漏洞条件: 需要知道后台路径测试版本:sdc......
# Team:t00ls
# Author: 鬼哥 ############################################################################
漏洞版本:通杀所有sdcms 漏洞危害:直接导致网站被入侵 漏洞条件: 需要知道后台路径 测试版本:sdcms 1.3 最新版 漏洞文件:后台目录/index.asp
Vul Code : Sub Check Dim username,password,code,getcode,Rs IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub username=FilterText(Trim(Request.Form("username")),1) password=FilterText(Trim(Request.Form("password")),1) code=Trim(Request.Form("yzm")) getcode=Session("SDCMSCode") IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)":Died IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)":Died IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)":Died IF username="" or password="" Then Echo "用户名或密码不能为空":Died Else Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'") IF Rs.Eof Then AddLog username,GetIp,"登录失败",1 Echo "用户名或密码错误,今日还有"&loginnum-errnum&" 次机会" Else Add_Cookies "sdcms_id",Rs(0) Add_Cookies "sdcms_name",username Add_Cookies "sdcms_pwd",Rs(2) Add_Cookies "sdcms_admin",Rs(3) Add_Cookies "sdcms_alllever",Rs(4) Add_Cookies "sdcms_infolever",Rs(5) Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"") AddLog username,GetIp,"登录成功",1 '自动删除30天前的Log记录 IF Sdcms_DataType Then Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30") Else Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30") End IF Go("sdcms_index.asp") End IF Rs.Close Set Rs=Nothing End IF End Sub //我们可以看到username是通过filtertext来过滤的。我们看看filtertext代码 Function FilterText(ByVal t0,ByVal t1) IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function t0=Trim(t0) Select Case t1 Case "1" t0=Replace(t0,Chr(32)," ") t0=Replace(t0,Chr(13),"") t0=Replace(t0,Chr(10)&Chr(10),"") t0=Replace(t0,Chr(10),"") Case "2" t0=Replace(t0,Chr(8),"")'回格 t0=Replace(t0,Chr(9),"")'tab(水平制表符) t0=Replace(t0,Chr(10),"")'换行 t0=Replace(t0,Chr(11),"")'tab(垂直制表符) t0=Replace(t0,Chr(12),"")'换页 t0=Replace(t0,Chr(13),"")'回车chr(13)&chr(10) 回车和换行的组合 t0=Replace(t0,Chr(22),"") t0=Replace(t0,Chr(32),"")'空格SPACE t0=Replace(t0,Chr(33),"")'! t0=Replace(t0,Chr(34),"")'" t0=Replace(t0,Chr(35),"")'# t0=Replace(t0,Chr(36),"")'$ t0=Replace(t0,Chr(37),"")'% t0=Replace(t0,Chr(38),"")'& t0=Replace(t0,Chr(39),"")'' t0=Replace(t0,Chr(40),"")'( t0=Replace(t0,Chr(41),"")') t0=Replace(t0,Chr(42),"")'* t0=Replace(t0,Chr(43),"")'+ t0=Replace(t0,Chr(44),"")', t0=Replace(t0,Chr(45),"")'- t0=Replace(t0,Chr(46),"")'. t0=Replace(t0,Chr(47),"")'/ t0=Replace(t0,Chr(58),"")': t0=Replace(t0,Chr(59),"")'; t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'> t0=Replace(t0,Chr(63),"")'? t0=Replace(t0,Chr(64),"")'@ t0=Replace(t0,Chr(91),"")'\ t0=Replace(t0,Chr(92),"")'\ t0=Replace(t0,Chr(93),"")'] t0=Replace(t0,Chr(94),"")'^ t0=Replace(t0,Chr(95),"")'_ t0=Replace(t0,Chr(96),"")'` t0=Replace(t0,Chr(123),"")'{ t0=Replace(t0,Chr(124),"")'| t0=Replace(t0,Chr(125),"")'} t0=Replace(t0,Chr(126),"")'~ Case Else t0=Replace(t0, "&", "&") t0=Replace(t0, "'", "'") t0=Replace(t0, """", """) t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">") End Select IF Instr(Lcase(t0),"expression")>0 Then t0=Replace(t0,"expression","expression", 1, -1, 0) End If FilterText=t0 End Function
#看到没。直接参数是1只过滤。 t0=Replace(t0,Chr(32)," ") t0=Replace(t0,Chr(13),"") t0=Replace(t0,Chr(10)&Chr(10)," ") t0=Replace(t0,Chr(10)," ")
#并没有过滤sql语句。直接导致sql注入危害极大 #漏洞导致可以直接拿到后台账号密码。 默认后台/admin/
修复:过滤 |
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com