# Team: t00ls
# Author: ghost Brother
######################################## ####################################
Vulnerability version: Kill all sdcms
Hazards: website intrusion
Vulnerability condition: You need to know the background path.
Test version: sdcms 1.3 Latest Version
Vulnerability file: Background directory/index. asp
Vul Code:
Sub Check
Dim username, password, code, getcode, Rs
IF Check_post Then Echo "1 do not submit data from outside! ": Exit Sub
Username = FilterText (Trim (Request. Form ("username"), 1)
Password = FilterText (Trim (Request. Form ("password"), 1)
Code = Trim (Request. Form ("yzm "))
Getcode = Session ("SDCMSCode ")
IF errnum> = loginnum Then Echo "you are not allowed to log on again today": died
IF code = "" Then Alert "Verification code cannot be blank! "," Javascript: history. go (-1) ": Died
IF code <> "" And Not Isnumeric (code) Then Alert "the verification code must be a number! "," Javascript: history. go (-1) ": Died
IF code <> getcode Then Alert "Verification code error! "," Javascript: history. go (-1) ": Died
IF username = "" or password = "" Then
Echo "User Name or password cannot be blank": Died
Else
Set Rs = Conn. execute ("Select Id, Sdcms_Name, Sdcms_Pwd, isadmin, alllever, infolever From Sd_Admin Where Sdcms_name = '" & username & "' And Sdcms_Pwd = '" & md5 (password) &"'")
IF Rs. Eof Then
AddLog username, GetIp, "Logon Failed", 1
Echo "the user name or password is incorrect." & loginnum-errnum & "Opportunities" are available today"
Else
Add_Cookies "sdcms_id", Rs (0)
Add_Cookies "sdcms_name", username
Add_Cookies "sdcms_pwd", Rs (2)
Add_Cookies "sdcms_admin", Rs (3)
Add_Cookies "sdcms_alllever", Rs (4)
Add_Cookies "sdcms_infolever", Rs (5)
Conn. Execute ("Update Sd_Admin Set logintimes = logintimes + 1, LastIp = '" & GetIp & "'where id =" & Rs (0 )&"")
AddLog username, GetIp, "Logon successful", 1
'Automatic deletion of Log records 30 days ago
IF Sdcms_DataType Then
Conn. Execute ("Delete From Sd_Log Where DateDiff ('D', adddate, Now ()> 30 ")
Else
Conn. Execute ("Delete From Sd_Log Where DateDiff (d, adddate, GetDate ()> 30 ")
End IF
Go ("sdcms_index.asp ")
End IF
Rs. Close
Set Rs = Nothing
End IF
End Sub
// We can see that username is filtered by filtertext. Let's look at the filtertext code.
Function FilterText (ByVal t0, ByVal t1)
IF Len (t0) = 0 Or IsNull (t0) Or IsArray (t0) Then FilterText = "": Exit Function
T0 = Trim (t0)
Select Case t1
Case "1"
T0 = Replace (t0, Chr (32 ),"")
T0 = Replace (t0, Chr (13 ),"")
T0 = Replace (t0, Chr (10) & Chr (10 ),"")
T0 = Replace (t0, Chr (10 ),"")
Case "2"
T0 = Replace (t0, Chr (8), "") 'Return
T0 = Replace (t0, Chr (9), "") 'tab (horizontal tab)
T0 = Replace (t0, Chr (10), "") 'line feed
T0 = Replace (t0, Chr (11), "") 'tab (vertical tab)
T0 = Replace (t0, Chr (12 ), "")'
T0 = Replace (t0, Chr (13), "") 'Carriage return chr (13) & chr (10) combination of carriage return and line feed
T0 = Replace (t0, Chr (22 ),"")
T0 = Replace (t0, Chr (32), "") 'space
T0 = Replace (t0, Chr (33 ),"")'!
T0 = Replace (t0, Chr (34 ),"")'"
T0 = Replace (t0, Chr (35 ),"")'#
T0 = Replace (t0, Chr (36), "") '$
T0 = Replace (t0, Chr (37), "") '%
T0 = Replace (t0, Chr (38 ),"")'&
T0 = Replace (t0, Chr (39 ),"")''
T0 = Replace (t0, Chr (40 ),"")'(
T0 = Replace (t0, Chr (41 ),"")')
T0 = Replace (t0, Chr (42 ),"")'*
T0 = Replace (t0, Chr (43), "") '+
T0 = Replace (t0, Chr (44 ),"")',
T0 = Replace (t0, Chr (45 ),"")'-
T0 = Replace (t0, Chr (46 ),"")'.
T0 = Replace (t0, Chr (47 ),"")'/
T0 = Replace (t0, Chr (58 ),"")':
T0 = Replace (t0, Chr (59 ),"")';
T0 = Replace (t0, Chr (60), "") '<
T0 = Replace (t0, Chr (61), "") '=
T0 = Replace (t0, Chr (62), "") '>
T0 = Replace (t0, Chr (63 ),"")'?
T0 = Replace (t0, Chr (64 ),"")'@
T0 = Replace (t0, Chr (91 ),"")'\
T0 = Replace (t0, Chr (92 ),"")'\
T0 = Replace (t0, Chr (93), "") ']
T0 = Replace (t0, Chr (94), "") '^
T0 = Replace (t0, Chr (95 ),"")'_
T0 = Replace (t0, Chr (96 ),"")''
T0 = Replace (t0, Chr (123 ),"")'{
T0 = Replace (t0, Chr (124), "") '|
T0 = Replace (t0, Chr (125 ),"")'}
T0 = Replace (t0, Chr (126 ),"")'~
Case Else
T0 = Replace (t0 ,"&","&")
T0 = Replace (t0 ,"'","'")
T0 = Replace (t0 ,"""",""")
T0 = Replace (t0, "<", "<")
T0 = Replace (t0, ">", "> ")
End Select
IF Instr (Lcase (t0), "expression")> 0 Then
T0 = Replace (t0, "expression", "e-xpression", 1,-1, 0)
End If
FilterText = t0
End Function
# No. The direct parameter is 1 for filtering.
T0 = Replace (t0, Chr (32 ),"")
T0 = Replace (t0, Chr (13 ),"")
T0 = Replace (t0, Chr (10) & Chr (10 ),"
")
T0 = Replace (t0, Chr (10 ),"
")
# No SQL statement is filtered. Directly causing great harm to SQL Injection
# This vulnerability allows you to directly obtain the background account password.
Default background/admin/
Fix: Filter