Defects and repair of the latest sdcms 1.3 version

Source: Internet
Author: User

 

# Team: t00ls

 

# Author: ghost Brother

######################################## ####################################

 

Vulnerability version: Kill all sdcms

Hazards: website intrusion

Vulnerability condition: You need to know the background path.

Test version: sdcms 1.3 Latest Version

Vulnerability file: Background directory/index. asp

 

Vul Code:

Sub Check

Dim username, password, code, getcode, Rs

IF Check_post Then Echo "1 do not submit data from outside! ": Exit Sub

Username = FilterText (Trim (Request. Form ("username"), 1)

Password = FilterText (Trim (Request. Form ("password"), 1)

Code = Trim (Request. Form ("yzm "))

Getcode = Session ("SDCMSCode ")

IF errnum> = loginnum Then Echo "you are not allowed to log on again today": died

IF code = "" Then Alert "Verification code cannot be blank! "," Javascript: history. go (-1) ": Died

IF code <> "" And Not Isnumeric (code) Then Alert "the verification code must be a number! "," Javascript: history. go (-1) ": Died

IF code <> getcode Then Alert "Verification code error! "," Javascript: history. go (-1) ": Died

IF username = "" or password = "" Then

Echo "User Name or password cannot be blank": Died

Else

Set Rs = Conn. execute ("Select Id, Sdcms_Name, Sdcms_Pwd, isadmin, alllever, infolever From Sd_Admin Where Sdcms_name = '" & username & "' And Sdcms_Pwd = '" & md5 (password) &"'")

IF Rs. Eof Then

AddLog username, GetIp, "Logon Failed", 1

Echo "the user name or password is incorrect." & loginnum-errnum & "Opportunities" are available today"

Else

Add_Cookies "sdcms_id", Rs (0)

Add_Cookies "sdcms_name", username

Add_Cookies "sdcms_pwd", Rs (2)

Add_Cookies "sdcms_admin", Rs (3)

Add_Cookies "sdcms_alllever", Rs (4)

Add_Cookies "sdcms_infolever", Rs (5)

Conn. Execute ("Update Sd_Admin Set logintimes = logintimes + 1, LastIp = '" & GetIp & "'where id =" & Rs (0 )&"")

AddLog username, GetIp, "Logon successful", 1

'Automatic deletion of Log records 30 days ago

IF Sdcms_DataType Then

Conn. Execute ("Delete From Sd_Log Where DateDiff ('D', adddate, Now ()> 30 ")

Else

Conn. Execute ("Delete From Sd_Log Where DateDiff (d, adddate, GetDate ()> 30 ")

End IF

Go ("sdcms_index.asp ")

End IF

Rs. Close

Set Rs = Nothing

End IF

End Sub

// We can see that username is filtered by filtertext. Let's look at the filtertext code.

Function FilterText (ByVal t0, ByVal t1)

IF Len (t0) = 0 Or IsNull (t0) Or IsArray (t0) Then FilterText = "": Exit Function

T0 = Trim (t0)

Select Case t1

Case "1"

T0 = Replace (t0, Chr (32 ),"")

T0 = Replace (t0, Chr (13 ),"")

T0 = Replace (t0, Chr (10) & Chr (10 ),"")

T0 = Replace (t0, Chr (10 ),"")

Case "2"

T0 = Replace (t0, Chr (8), "") 'Return

T0 = Replace (t0, Chr (9), "") 'tab (horizontal tab)

T0 = Replace (t0, Chr (10), "") 'line feed

T0 = Replace (t0, Chr (11), "") 'tab (vertical tab)

T0 = Replace (t0, Chr (12 ), "")'

T0 = Replace (t0, Chr (13), "") 'Carriage return chr (13) & chr (10) combination of carriage return and line feed

T0 = Replace (t0, Chr (22 ),"")

T0 = Replace (t0, Chr (32), "") 'space

T0 = Replace (t0, Chr (33 ),"")'!

T0 = Replace (t0, Chr (34 ),"")'"

T0 = Replace (t0, Chr (35 ),"")'#

T0 = Replace (t0, Chr (36), "") '$

T0 = Replace (t0, Chr (37), "") '%

T0 = Replace (t0, Chr (38 ),"")'&

T0 = Replace (t0, Chr (39 ),"")''

T0 = Replace (t0, Chr (40 ),"")'(

T0 = Replace (t0, Chr (41 ),"")')

T0 = Replace (t0, Chr (42 ),"")'*

T0 = Replace (t0, Chr (43), "") '+

T0 = Replace (t0, Chr (44 ),"")',

T0 = Replace (t0, Chr (45 ),"")'-

T0 = Replace (t0, Chr (46 ),"")'.

T0 = Replace (t0, Chr (47 ),"")'/

T0 = Replace (t0, Chr (58 ),"")':

T0 = Replace (t0, Chr (59 ),"")';

T0 = Replace (t0, Chr (60), "") '<

T0 = Replace (t0, Chr (61), "") '=

T0 = Replace (t0, Chr (62), "") '>

T0 = Replace (t0, Chr (63 ),"")'?

T0 = Replace (t0, Chr (64 ),"")'@

T0 = Replace (t0, Chr (91 ),"")'\

T0 = Replace (t0, Chr (92 ),"")'\

T0 = Replace (t0, Chr (93), "") ']

T0 = Replace (t0, Chr (94), "") '^

T0 = Replace (t0, Chr (95 ),"")'_

T0 = Replace (t0, Chr (96 ),"")''

T0 = Replace (t0, Chr (123 ),"")'{

T0 = Replace (t0, Chr (124), "") '|

T0 = Replace (t0, Chr (125 ),"")'}

T0 = Replace (t0, Chr (126 ),"")'~

Case Else

T0 = Replace (t0 ,"&","&")

T0 = Replace (t0 ,"'","'")

T0 = Replace (t0 ,"""",""")

T0 = Replace (t0, "<", "<")

T0 = Replace (t0, ">", "> ")

End Select

IF Instr (Lcase (t0), "expression")> 0 Then

T0 = Replace (t0, "expression", "e-xpression", 1,-1, 0)

End If

FilterText = t0

End Function

 

# No. The direct parameter is 1 for filtering.

T0 = Replace (t0, Chr (32 ),"")

T0 = Replace (t0, Chr (13 ),"")

T0 = Replace (t0, Chr (10) & Chr (10 ),"

")

T0 = Replace (t0, Chr (10 ),"

")

 

# No SQL statement is filtered. Directly causing great harm to SQL Injection

# This vulnerability allows you to directly obtain the background account password.

Default background/admin/

 

Fix: Filter

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.