
解析新云2.1&3.0的两个跨站

文章作者:神無月
还是老规矩,直接来吧。因为早上去下 3.0 下不了,所以图是 2.1 时候截的;不过后来下了 3.0,还是有洞。
漏洞文件1:user/changeinfo.asp







================省略部分代码==============================================
<% End If Rs.Close:Set Rs = Nothing End If If Founderr = True Then Call Returnerr(ErrMsg) End If Sub ChangeUserInfo() On Error Resume Next Dim username, password,userid Dim usersex,sex username = Newasp.CheckBadstr(Newasp.membername) userid = Newasp.ChkNumeric(memberid) If Newasp.CheckPost=False Then ErrMsg = ErrMsg + Postmsg FoundErr = True Exit Sub End If If Newasp.IsValidPassword(Request.Form("answer")) = False And Trim(Request.Form("answer")) <> "" Then
ErrMsg = ErrMsg + "

  • 密码问题答案中含有非法字符!
  • "
    Founderr = True
    End If
    ' Sub ChangeUserInfo (opened on the collapsed line above) validates the
    ' posted profile form, checks the password against NC_user, optionally
    ' syncs the change to an external account system, then writes the row.
    ' It runs under On Error Resume Next, so a failing statement inside it
    ' (md5(), Rs.Update, ...) does not abort; the success message at the end
    ' can therefore be returned even when nothing was actually saved.
    ' Guard: the posted username must equal the session's member name
    ' (username was taken from Newasp.membername, via CheckBadstr, above),
    ' so a member can only touch their own record.
    If Trim(Request.Form("username")) <> username Then
    ErrMsg = ErrMsg + "

  • 非法操作!
  • "
    Founderr = True
    End If
    If Trim(Request.Form("password")) = "" Then
    ErrMsg = ErrMsg + "

  • 请输入用户密码!
  • "
    Founderr = True
    Else
    ' Plain, unsalted MD5 of the posted password; compared with the stored
    ' column further down.
    password = md5(Request.Form("password"))
    End If
    If userid = 0 Then
    FoundErr = True
    ErrMsg = ErrMsg + "

  • Sorry!您选择了错误的系统参数。
  • "
    Exit Sub
    End If

    If Trim(Request.Form("nickname")) = "" Then
    ErrMsg = ErrMsg + "

  • 用户昵称不能为空!
  • "
    Founderr = True
    End If
    If Newasp.IsValidStr(Request.Form("nickname")) = False Then
    ErrMsg = ErrMsg + "

  • 用户昵称中含有非法字符!
  • "
    Founderr = True
    End If
    If Trim(Request.Form("TrueName")) = "" Then
    ErrMsg = ErrMsg + "

  • 真实姓名不能为空!
  • "
    Founderr = True
    End If
    If Newasp.IsValidStr(Request.Form("TrueName")) = False Then
    ErrMsg = ErrMsg + "

  • 真实姓名中含有非法字符!
  • "
    Founderr = True
    End If
    If Trim(Request.Form("usermail")) = "" Then
    ErrMsg = ErrMsg + "

  • 您的Email不能为空!
  • "
    Founderr = True
    End If
    If IsValidEmail(Request.Form("usermail")) = False Then
    ErrMsg = ErrMsg + "

  • 您的Email有错误!
  • "
    Founderr = True
    End If
    ' NOTE(review): IsNumeric accepts any numeric-looking string (sign,
    ' decimal point, exponent), not only a run of digits — confirm that is
    ' intended for a QQ number. The raw trimmed value is what gets stored.
    If Not IsNumeric(Request.Form("oicq")) And Trim(Request.Form("oicq")) <> "" Then
    FoundErr = True
    ErrMsg = ErrMsg + "

  • QQ号码请用数字填写。
  • "
    End If
    ' Only the 7-character prefix is checked; the rest of the URL is stored
    ' as-is (Rs("HomePage") below) and is not encoded anywhere in this Sub.
    If Trim(Request.Form("HomePage")) <> "" And Left(Request.Form("HomePage"),7) <> "http://" Then
    FoundErr = True
    ErrMsg = ErrMsg + "

  • 个人主页地址输入有误,请以“http://”开头。
  • "
    End If
    ' Captcha check. Session("GetCode") is cleared on both the failure and
    ' the success path, so one code cannot be replayed for a second submit.
    If Not Newasp.CodeIsTrue() Then
    ErrMsg = ErrMsg + "

  • 验证码校验失败,请返回刷新页面再试。两秒后自动返回
  • "
    Session("GetCode") = ""
    Founderr = True
    Exit Sub
    End If
    Session("GetCode") = ""
    If Trim(Request.Form("usersex")) = "" Then
    ErrMsg = ErrMsg + "

  • 您的姓别不能为空!
  • "
    Founderr = True
    Else
    usersex = Newasp.CheckBadstr(Request.Form("usersex"))
    End If
    ' Anything other than the literal "女" (female) is treated as 1.
    If usersex = "女" Then
    sex = 0
    Else
    sex = 1
    End If

    If Founderr = True Then Exit Sub
    Set Rs = Server.CreateObject("ADODB.RecordSet")
    ' The SQL is built by string concatenation. Its safety rests on
    ' CheckBadstr having stripped the single quote from username and on
    ' CLng() forcing userid to a number; a parameterised ADODB.Command would
    ' not depend on the deny-list at all.
    SQL = "Select * FROM [NC_user] Where username='" & username & "' And userid=" & CLng(userid)
    Rs.Open SQL, Conn, 1, 3
    If Rs.bof And Rs.EOF Then
    ErrMsg = ErrMsg + "

  • Sorry!没有找到此用户信息信息!
  • "
    Founderr = True
    Exit Sub
    Else
    ' Password check: unsalted-MD5 equality against the stored column.
    If password <> Rs("password") Then
    ErrMsg = ErrMsg + "

  • 您输入的密码错误!
  • "
    Founderr = True
    Exit Sub
    End If
    If Founderr = False Then
    '-----------------------------------------------------------------
    '系统整合
    ' (System integration) Optional push of the change to an external
    ' account system via API_Conformity. SysKey is MD5(username &
    ' API_ConformKey) computed with the legacy Md5OLD mode switched on.
    ' answer/question/email are forwarded exactly as posted.
    '-----------------------------------------------------------------
    Dim API_Newasp,API_SaveCookie,SysKey
    If API_Enable Then
    Set API_Newasp = New API_Conformity
    API_Newasp.NodeValue "action","update",0,False
    API_Newasp.NodeValue "username",UserName,1,False
    Md5OLD = 1
    SysKey = Md5(API_Newasp.XmlNode("username") & API_ConformKey)
    Md5OLD = 0
    API_Newasp.NodeValue "syskey",SysKey,0,False
    API_Newasp.NodeValue "password","",1,False
    API_Newasp.NodeValue "answer",Request.Form("answer"),1,False
    API_Newasp.NodeValue "question",Request.Form("question"),1,False
    API_Newasp.NodeValue "email",Request.Form("usermail"),1,False
    API_Newasp.NodeValue "gender",sex,0,False
    API_Newasp.SendHttpData
    ' A "1" status from the remote side aborts the local update; the
    ' remote message is shown to the user verbatim.
    If API_Newasp.Status = "1" Then
    Founderr = True
    ErrMsg = API_Newasp.Message
    Exit Sub
    End If
    Set API_Newasp = Nothing
    End If
    '-----------------------------------------------------------------
    End If
    ' Persist the profile. nickname/TrueName go through CheckBadstr, which
    ' removes quotes and a few other characters but leaves "<" and ">"
    ' intact; usermail, HomePage, question, phone, oicq, postcode,
    ' UserIDCard and address are stored after Trim only. Nothing here is
    ' HTML-encoded, so every page that renders these columns must encode
    ' them on output (Server.HTMLEncode) or they are a stored-XSS sink.
    ' answer and BuyCode are stored as MD5 digests, never as plain text.
    Rs("nickname") = Newasp.CheckBadstr(Request.Form("nickname"))
    Rs("TrueName") = Newasp.CheckBadstr(Request.Form("TrueName"))
    Rs("usermail") = Trim(Request.Form("usermail"))
    If Trim(Request.Form("HomePage")) <> "" Then Rs("HomePage") = Trim(Request.Form("HomePage"))
    If Trim(Request.Form("usersex")) <> "" Then Rs("usersex") = usersex
    If Trim(Request.Form("question")) <> "" Then Rs("question") = Trim(Request.Form("question"))
    If Trim(Request.Form("answer")) <> "" Then Rs("answer") = md5(Trim(Request.Form("answer")))
    If Trim(Request.Form("phone")) <> "" Then Rs("phone") = Trim(Request.Form("phone"))
    If Trim(Request.Form("oicq")) <> "" Then Rs("oicq") = Trim(Request.Form("oicq"))
    If Trim(Request.Form("postcode")) <> "" Then Rs("postcode") = Trim(Request.Form("postcode"))
    If Trim(Request.Form("UserIDCard")) <> "" Then Rs("UserIDCard") = Trim(Request.Form("UserIDCard"))
    If Trim(Request.Form("address")) <> "" Then Rs("address") = Trim(Request.Form("address"))
    If Trim(Request.Form("BuyCode")) <> "" Then Rs("BuyCode") = md5(Trim(Request.Form("BuyCode")))
    Rs.Update
    End If
    Rs.Close
    Set Rs = Nothing
    Call Returnsuc("

  • 恭喜您!用户资料修改成功。
  • ")
    End Sub
    %>

    nickname 跟 TrueName 被 CheckBadstr 函数过滤了。

    函数代码 inc/cls_main.asp

    ' Removes a fixed deny-list of characters/tokens from str and returns the
    ' result with leading/trailing spaces trimmed. A Null input yields an empty
    ' string. The argument is modified in place (VBScript passes ByRef), exactly
    ' as the sequence of Replace calls it stands in for did.
    ' NOTE(review): this is a deny-list, not an encoder. "<" and ">" pass
    ' through untouched, so a value returned from here still needs
    ' Server.HTMLEncode (or equivalent) at the point it is written into a page.
    Public Function CheckBadstr(str)
        Dim badTokens, idx
        If IsNull(str) Then
            CheckBadstr = vbNullString
            Exit Function
        End If
        ' Order is significant: "--" is removed before "'" and ";", so the
        ' same string always produces the same output as the original chain.
        badTokens = Array(Chr(0), Chr(34), "%", "@", "!", "^", "=", "--", "$", "'", ";")
        For idx = 0 To UBound(badTokens)
            str = Replace(str, badTokens(idx), vbNullString)
        Next
        CheckBadstr = Trim(str)
    End Function

    过滤了单引号、双引号,没过滤 <>。开始本来以为可以跨,可是后来进后台才发现需要用 '> 闭合前面的代码,所以

    就放弃了,有人能过的告诉我。

    usermail 就被 IsValidEmail 函数过滤了,还蛮严格的,只能输入英文、数字还有 _-. 几个字符。

    函数代码 inc/chkinput.asp

    ' Returns True only when email has the form local@domain where: both parts
    ' are non-empty; every character is a-z (case-insensitive), a digit, "_",
    ' "-" or "."; neither part starts or ends with "."; the domain contains a
    ' "." whose final label is exactly 2 or 3 characters; and the whole
    ' address contains no "..". Any other input returns False.
    ' NOTE(review): the digit test is IsNumeric, a general numeric-format
    ' check rather than a digit-class check — confirm it rejects every
    ' non-digit single character you need rejected.
    Function IsValidEmail(email)
        Dim parts, idx, part, pos, ch, allowed, tailLen
        allowed = "abcdefghijklmnopqrstuvwxyz_-."
        IsValidEmail = True
        parts = Split(email, "@")
        ' Exactly one "@".
        If UBound(parts) <> 1 Then
            IsValidEmail = False
            Exit Function
        End If
        For idx = 0 To 1
            part = parts(idx)
            If Len(part) <= 0 Then
                IsValidEmail = False
                Exit Function
            End If
            For pos = 1 To Len(part)
                ch = LCase(Mid(part, pos, 1))
                If InStr(allowed, ch) <= 0 And Not IsNumeric(ch) Then
                    IsValidEmail = False
                    Exit Function
                End If
            Next
            If Left(part, 1) = "." Or Right(part, 1) = "." Then
                IsValidEmail = False
                Exit Function
            End If
        Next
        ' Domain part must contain a dot ...
        If InStr(parts(1), ".") <= 0 Then
            IsValidEmail = False
            Exit Function
        End If
        ' ... and its last label must be 2 or 3 characters long.
        tailLen = Len(parts(1)) - InStrRev(parts(1), ".")
        Select Case tailLen
            Case 2, 3
                ' acceptable
            Case Else
                IsValidEmail = False
                Exit Function
        End Select
        ' No consecutive dots anywhere in the address.
        If InStr(email, "..") > 0 Then IsValidEmail = False
    End Function

    usersex 跟 name 那情况差不多,也放弃。

    question 的没有过滤就进库了,直接 '>< 就可以跨了;answer 经过 MD5 加密,放弃咯。phone 跟 question 也是一样,下面的 postcode、UserIDCard、address 也是没过滤,BuyCode 就被 MD5 了。还是很好跨的,我就直接用 address 直接跨测试下咯。

    漏洞文件2:user/confirm.asp

    ====================省略部分代码================================

    <% Response.Write "

    交费确认
    注意:请一定要正确填写以下含*的选项,以方便我们核对!
    汇款日期: "> *
    汇款金额: *
    定 单 号: *
    汇款方式: 电汇
    邮汇
    网上支付
    用户名: "> *
    汇款人名称: *
    汇款人邮箱: *
    其它说明: *

    "
    End Sub
    ' Validates the posted payment-confirmation form and inserts one row into
    ' NC_Confirm with isPass = 0 (pending). Every failed check appends to
    ' ErrMsg and sets FoundErr; the insert only happens when nothing failed.
    Sub SaveConfirm()
    If Newasp.CheckPost=False Then
    ErrMsg = ErrMsg + Postmsg
    FoundErr = True
    Exit Sub
    End If
    ' PayDate / PayMoney are only type-checked (IsDate / IsNumeric); the raw
    ' trimmed strings, not the parsed values, are what gets stored below.
    If Not IsDate(Request.Form("PayDate")) Then
    FoundErr = True
    ErrMsg = ErrMsg + "

  • 日期输入错误。
  • "
    End If
    If Not IsNumeric(Request.Form("PayMoney")) Then
    FoundErr = True
    ErrMsg = ErrMsg + "

  • 汇款金额输入错误。
  • "
    End If
    If Trim(Request.Form("indent")) = "" Then
    FoundErr = True
    ErrMsg = ErrMsg + "

  • 你的定单号没有填咧?
  • "
    End If
    If IsValidEmail(Request.Form("Email")) = False Then
    ErrMsg = ErrMsg + "

  • 您的Email有错误!
  • "
    Founderr = True
    End If
    If Trim(Request.Form("customer")) = "" Then
    FoundErr = True
    ErrMsg = ErrMsg + "

  • 汇款人名称不能为空。
  • "
    End If
    ' username is only checked for non-emptiness; unlike ChangeUserInfo in
    ' changeinfo.asp it is not compared with the logged-in member's name.
    ' NOTE(review): confirm the caller enforces that, otherwise any name can
    ' be attached to a confirmation.
    If Trim(Request.Form("username")) = "" Then
    FoundErr = True
    ErrMsg = ErrMsg + "

  • 用户名不能为空?
  • "
    End If
    If Founderr = True Then Exit Sub
    Set Rs = Server.CreateObject("ADODB.Recordset")
    ' Opens a recordset that matches no rows, solely to AddNew into it; no
    ' user input reaches this SQL string.
    SQL = "select * from NC_Confirm where (id is null)"
    Rs.Open SQL,Conn,1,3
    Rs.Addnew
    ' paymode comes from a radio group on the form, but a radio input only
    ' constrains the browser, not the request: the value is stored after Trim
    ' with no validation and no encoding. Mitigation: accept it only when it
    ' is one of the expected options, and HTML-encode it wherever it is
    ' rendered, including the back-office confirmation view.
    Rs("paymode").Value = Trim(Request.Form("paymode"))
    Rs("PayDate").Value = Trim(Request.Form("PayDate"))
    Rs("PayMoney").Value = Trim(Request.Form("PayMoney"))
    ' indent / customer / username / readme go through Newasp.ChkFormStr and a
    ' length cap. ChkFormStr's body is not shown here — NOTE(review): confirm
    ' whether it encodes markup or only strips characters.
    Rs("indent").Value = Left(Newasp.ChkFormStr(Request.Form("indent")),35)
    ' Email was validated by IsValidEmail above (letters, digits, _ - . only);
    ' the raw trimmed value is stored.
    Rs("Email").Value = Trim(Request.Form("Email"))
    Rs("customer").Value = Left(Newasp.ChkFormStr(Request.Form("customer")),30)
    Rs("username").Value = Left(Newasp.ChkFormStr(Request.Form("username")),30)
    Rs("readme").Value = Left(Newasp.ChkFormStr(Request.Form("readme")),200)
    ' New confirmations start unapproved.
    Rs("isPass").Value = 0
    Rs.Update
    Rs.close:set Rs = Nothing
    Call Returnsuc("

  • 恭喜您!确认信息提交成功,我们会在一个工作日内处理你的定单。")
    End Sub

    %>

    还是以前的过滤函数,不过就 paymode 没有过滤,因为它类型是 radio 单选项。本来以为把它保存到本地修改一下类型就可以了,

    但是新云有防止本地提交,所以就只能抓包了。过程也不说怎么说,2.1 没有验证码直接就抓包跨了,可是 3.0 我加了验证码还是显示我错误,

    刷新 N 次也不行,不知道什么原因。官方倒是不会显示我验证码错误,也成功弹出(我去问官方,官方告诉我的 ^_^),本机就出错了。

    所以这个跨站我只能在 2.0 测试。这个比个人资料的好,因为个人资料人家管理员不一定会点你的资料,可是订单的只要点交费确认就直接弹的,需要点你的那个订单,

    方便多了。不过这个 paymode 貌似只限制提交 70 个字符,不过也够我们调用 JS 之类的,貌似盗了 COOKIE 可以直接欺骗后台吧?呵呵。官方的后台原来是 newasp_admin,后来喊他改了,HOHO,漏洞也补了。
