发布日期:2011-10.3

发布作者:鬼哥

漏洞类型:SQL注射

漏洞版本:通杀sdcms所有版本

漏洞危害:直接导致网站被入侵

漏洞条件:需要知道后台路径

测试版本:sdcms 1.3 最新版(官方下载的)

漏洞文件:后台目录/index.asp

作者声明:转载请注明 T00ls 鬼哥

以下是引用片段:

Sub Check
    Dim username,password,code,getcode,Rs
    IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
    username=FilterText(Trim(Request.Form("username")),1)
    password=FilterText(Trim(Request.Form("password")),1)
    code=Trim(Request.Form("yzm"))
    getcode=Session("SDCMSCode")
    IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
    IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)":Died
    IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)":Died
    IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)":Died
    IF username="" or password="" Then
        Echo "用户名或密码不能为空":Died
    Else
        Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
        IF Rs.Eof Then
            AddLog username,GetIp,"登录失败",1
            Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
        Else
            Add_Cookies "sdcms_id",Rs(0)
            Add_Cookies "sdcms_name",username
            Add_Cookies "sdcms_pwd",Rs(2)
            Add_Cookies "sdcms_admin",Rs(3)
            Add_Cookies "sdcms_alllever",Rs(4)
            Add_Cookies "sdcms_infolever",Rs(5)
            Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
            AddLog username,GetIp,"登录成功",1
            '自动删除30天前的Log记录
            IF Sdcms_DataType Then
                Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
            Else
                Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
            End IF
            Go("sdcms_index.asp")
        End IF
        Rs.Close
        Set Rs=Nothing
    End IF
End Sub

    我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码

以下是引用片段:

Function FilterText(ByVal t0,ByVal t1)
    IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
    t0=Trim(t0)
    Select Case t1
        Case "1"
            t0=Replace(t0,Chr(32),"")
            t0=Replace(t0,Chr(13),"")
            t0=Replace(t0,Chr(10)&Chr(10),"")
            t0=Replace(t0,Chr(10),"")
        Case "2"
            t0=Replace(t0,Chr(8),"")'回格
            t0=Replace(t0,Chr(9),"")'tab(水平制表符)
            t0=Replace(t0,Chr(10),"")'换行
            t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
            t0=Replace(t0,Chr(12),"")'换页
            t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
            t0=Replace(t0,Chr(22),"")
            t0=Replace(t0,Chr(32),"")'空格 SPACE
            t0=Replace(t0,Chr(33),"")'!
            t0=Replace(t0,Chr(34),"")'"
            t0=Replace(t0,Chr(35),"")'#
            t0=Replace(t0,Chr(36),"")'$
            t0=Replace(t0,Chr(37),"")'%
            t0=Replace(t0,Chr(38),"")'&
            t0=Replace(t0,Chr(39),"")''
            t0=Replace(t0,Chr(40),"")'(
            t0=Replace(t0,Chr(41),"")')
            t0=Replace(t0,Chr(42),"")'*
            t0=Replace(t0,Chr(43),"")'+
            t0=Replace(t0,Chr(44),"")',
            t0=Replace(t0,Chr(45),"")'-
            t0=Replace(t0,Chr(46),"")'.
            t0=Replace(t0,Chr(47),"")'/
            t0=Replace(t0,Chr(58),"")':
            t0=Replace(t0,Chr(59),"")';
            t0=Replace(t0,Chr(60),"")'<
            t0=Replace(t0,Chr(61),"")'=
            t0=Replace(t0,Chr(62),"")'>
            t0=Replace(t0,Chr(63),"")'?
            t0=Replace(t0,Chr(64),"")'@
            t0=Replace(t0,Chr(91),"")'\
            t0=Replace(t0,Chr(92),"")'\
            t0=Replace(t0,Chr(93),"")']
            t0=Replace(t0,Chr(94),"")'^
            t0=Replace(t0,Chr(95),"")'_
            t0=Replace(t0,Chr(96),"")'`
            t0=Replace(t0,Chr(123),"")'{
            t0=Replace(t0,Chr(124),"")'|
            t0=Replace(t0,Chr(125),"")'}
            t0=Replace(t0,Chr(126),"")'~
    Case Else
        t0=Replace(t0, "&", "&amp;")
        t0=Replace(t0, "'", "&#39;")
        t0=Replace(t0, """", "&#34;")
        t0=Replace(t0, "<", "&lt;")
        t0=Replace(t0, ">", "&gt;")
    End Select
    IF Instr(Lcase(t0),"expression")>0 Then
        t0=Replace(t0,"expression","e&#173;xpression", 1, -1, 0)
    End If
    FilterText=t0
End Function

看到没。直接参数是1 只过滤
                        t0=Replace(t0,Chr(32),"&nbsp;")
                        t0=Replace(t0,Chr(13),"")
                        t0=Replace(t0,Chr(10)&Chr(10),"<br>")
                        t0=Replace(t0,Chr(10),"<br>")
并没过滤SQL语句。直接导致SQL注入 危害极大

漏洞导致可以直接拿到后台帐号密码。
默认后台地址/admin/


exp过几天再发。请大大多多顶下。
你们自己可以构造出来的。毕竟危害极大