解析新云2.1&3.0的两个跨站
文章作者:神無月
还是老规矩 直接来吧 因为早上去下3.0下不了 所以图是2.1时候截的 不过后来下了3.0 还是有洞
漏洞文件1:user/changeinfo.asp
================省略部分代码==============================================
<%
End If
Rs.Close:Set Rs = Nothing
End If
If Founderr = True Then
Call Returnerr(ErrMsg)
End If
Sub ChangeUserInfo()
On Error Resume Next
Dim username, password,userid
Dim usersex,sex
username = Newasp.CheckBadstr(Newasp.membername)
userid = Newasp.ChkNumeric(memberid)
If Newasp.CheckPost=False Then
ErrMsg = ErrMsg + Postmsg
FoundErr = True
Exit Sub
End If
If Newasp.IsValidPassword(Request.Form("answer")) = False And Trim(Request.Form("answer")) <> "" Then
ErrMsg = ErrMsg + "
"
Founderr = True
End If
If Trim(Request.Form("username")) <> username Then
ErrMsg = ErrMsg + "
"
Founderr = True
End If
If Trim(Request.Form("password")) = "" Then
ErrMsg = ErrMsg + "
"
Founderr = True
Else
password = md5(Request.Form("password"))
End If
If userid = 0 Then
FoundErr = True
ErrMsg = ErrMsg + "
"
Exit Sub
End If
If Trim(Request.Form("nickname")) = "" Then
ErrMsg = ErrMsg + "
"
Founderr = True
End If
If Newasp.IsValidStr(Request.Form("nickname")) = False Then
ErrMsg = ErrMsg + "
"
Founderr = True
End If
If Trim(Request.Form("TrueName")) = "" Then
ErrMsg = ErrMsg + "
"
Founderr = True
End If
If Newasp.IsValidStr(Request.Form("TrueName")) = False Then
ErrMsg = ErrMsg + "
"
Founderr = True
End If
If Trim(Request.Form("usermail")) = "" Then
ErrMsg = ErrMsg + "
"
Founderr = True
End If
If IsValidEmail(Request.Form("usermail")) = False Then
ErrMsg = ErrMsg + "
"
Founderr = True
End If
If Not IsNumeric(Request.Form("oicq")) And Trim(Request.Form("oicq")) <> "" Then
FoundErr = True
ErrMsg = ErrMsg + "
"
End If
If Trim(Request.Form("HomePage")) <> "" And Left(Request.Form("HomePage"),7) <> "http://" Then
FoundErr = True
ErrMsg = ErrMsg + "
"
End If
If Not Newasp.CodeIsTrue() Then
ErrMsg = ErrMsg + "
"
Session("GetCode") = ""
Founderr = True
Exit Sub
End If
Session("GetCode") = ""
If Trim(Request.Form("usersex")) = "" Then
ErrMsg = ErrMsg + "
"
Founderr = True
Else
usersex = Newasp.CheckBadstr(Request.Form("usersex"))
End If
If usersex = "女" Then
sex = 0
Else
sex = 1
End If
If Founderr = True Then Exit Sub
Set Rs = Server.CreateObject("ADODB.RecordSet")
SQL = "Select * FROM [NC_user] Where username='" & username & "' And userid=" & CLng(userid)
Rs.Open SQL, Conn, 1, 3
If Rs.bof And Rs.EOF Then
ErrMsg = ErrMsg + "
"
Founderr = True
Exit Sub
Else
If password <> Rs("password") Then
ErrMsg = ErrMsg + "
"
Founderr = True
Exit Sub
End If
If Founderr = False Then
'-----------------------------------------------------------------
'系统整合
'-----------------------------------------------------------------
Dim API_Newasp,API_SaveCookie,SysKey
If API_Enable Then
Set API_Newasp = New API_Conformity
API_Newasp.NodeValue "action","update",0,False
API_Newasp.NodeValue "username",UserName,1,False
Md5OLD = 1
SysKey = Md5(API_Newasp.XmlNode("username") & API_ConformKey)
Md5OLD = 0
API_Newasp.NodeValue "syskey",SysKey,0,False
API_Newasp.NodeValue "password","",1,False
API_Newasp.NodeValue "answer",Request.Form("answer"),1,False
API_Newasp.NodeValue "question",Request.Form("question"),1,False
API_Newasp.NodeValue "email",Request.Form("usermail"),1,False
API_Newasp.NodeValue "gender",sex,0,False
API_Newasp.SendHttpData
If API_Newasp.Status = "1" Then
Founderr = True
ErrMsg = API_Newasp.Message
Exit Sub
End If
Set API_Newasp = Nothing
End If
'-----------------------------------------------------------------
End If
Rs("nickname") = Newasp.CheckBadstr(Request.Form("nickname"))
Rs("TrueName") = Newasp.CheckBadstr(Request.Form("TrueName"))
Rs("usermail") = Trim(Request.Form("usermail"))
If Trim(Request.Form("HomePage")) <> "" Then Rs("HomePage") = Trim(Request.Form("HomePage"))
If Trim(Request.Form("usersex")) <> "" Then Rs("usersex") = usersex
If Trim(Request.Form("question")) <> "" Then Rs("question") = Trim(Request.Form("question"))
If Trim(Request.Form("answer")) <> "" Then Rs("answer") = md5(Trim(Request.Form("answer")))
If Trim(Request.Form("phone")) <> "" Then Rs("phone") = Trim(Request.Form("phone"))
If Trim(Request.Form("oicq")) <> "" Then Rs("oicq") = Trim(Request.Form("oicq"))
If Trim(Request.Form("postcode")) <> "" Then Rs("postcode") = Trim(Request.Form("postcode"))
If Trim(Request.Form("UserIDCard")) <> "" Then Rs("UserIDCard") = Trim(Request.Form("UserIDCard"))
If Trim(Request.Form("address")) <> "" Then Rs("address") = Trim(Request.Form("address"))
If Trim(Request.Form("BuyCode")) <> "" Then Rs("BuyCode") = md5(Trim(Request.Form("BuyCode")))
Rs.Update
End If
Rs.Close
Set Rs = Nothing
Call Returnsuc("
")
End Sub
%>
nickname跟Truename被checkbadstr函数过滤了
函数代码 inc/cls_main.asp
Public Function CheckBadstr(str)
If IsNull(str) Then
CheckBadstr = vbNullString
Exit Function
End If
str = Replace(str, Chr(0), vbNullString)
str = Replace(str, Chr(34), vbNullString)
str = Replace(str, "%", vbNullString)
str = Replace(str, "@", vbNullString)
str = Replace(str, "!", vbNullString)
str = Replace(str, "^", vbNullString)
str = Replace(str, "=", vbNullString)
str = Replace(str, "--", vbNullString)
str = Replace(str, "$", vbNullString)
str = Replace(str, "'", vbNullString)
str = Replace(str, ";", vbNullString)
CheckBadstr = Trim(str)
End Function
过滤了单引双引 没过滤<> 开始本来以为可以跨 可是后来进后台才发现需要用'>闭合前面的代码 所以
就放弃了 有人能过告诉我
usermail就被IsValidEmail函数过滤了 还蛮严格的 只能输入英文+数字还有_-.几个字符
函数代码 inc/chkinput.asp
Function IsValidEmail(email)
Dim names, Name, i, c
IsValidEmail = true
names = Split(email, "@")
If UBound(names) <> 1 Then
IsValidEmail = false
Exit Function
End If
For Each Name in names
If Len(Name) <= 0 Then
IsValidEmail = false
Exit Function
End If
For i = 1 To Len(Name)
c = LCase(Mid(Name, i, 1))
If InStr("abcdefghijklmnopqrstuvwxyz_-.", c) <= 0 And Not IsNumeric(c) Then
IsValidEmail = false
Exit Function
End If
Next
If Left(Name, 1) = "." or Right(Name, 1) = "." Then
IsValidEmail = false
Exit Function
End If
Next
If InStr(names(1), ".") <= 0 Then
IsValidEmail = false
Exit Function
End If
i = Len(names(1)) - InStrRev(names(1), ".")
If i <> 2 And i <> 3 Then
IsValidEmail = false
Exit Function
End If
If InStr(email, "..") > 0 Then
IsValidEmail = false
End If
End Function
usersex跟name那情况差不多 也放弃
question的没有过滤就进库了 直接'>< 就可以跨了 answer经过MD5加密 放弃咯 phone跟question 也是一样 下面的postcode,UserIDCard,address也是没过滤 BuyCode就被MD5了 还是很好跨的. 我就直接用address直接跨测试下咯 漏洞文件2:user/confirm.asp ====================省略部分代码================================
交费确认 | |
---|---|
注意:请一定要正确填写以下含*的选项,以方便我们核对! |
"
End Sub
Sub SaveConfirm()
If Newasp.CheckPost=False Then
ErrMsg = ErrMsg + Postmsg
FoundErr = True
Exit Sub
End If
If Not IsDate(Request.Form("PayDate")) Then
FoundErr = True
ErrMsg = ErrMsg + "
"
End If
If Not IsNumeric(Request.Form("PayMoney")) Then
FoundErr = True
ErrMsg = ErrMsg + "
"
End If
If Trim(Request.Form("indent")) = "" Then
FoundErr = True
ErrMsg = ErrMsg + "
"
End If
If IsValidEmail(Request.Form("Email")) = False Then
ErrMsg = ErrMsg + "
"
Founderr = True
End If
If Trim(Request.Form("customer")) = "" Then
FoundErr = True
ErrMsg = ErrMsg + "
"
End If
If Trim(Request.Form("username")) = "" Then
FoundErr = True
ErrMsg = ErrMsg + "
"
End If
If Founderr = True Then Exit Sub
Set Rs = Server.CreateObject("ADODB.Recordset")
SQL = "select * from NC_Confirm where (id is null)"
Rs.Open SQL,Conn,1,3
Rs.Addnew
Rs("paymode").Value = Trim(Request.Form("paymode"))
Rs("PayDate").Value = Trim(Request.Form("PayDate"))
Rs("PayMoney").Value = Trim(Request.Form("PayMoney"))
Rs("indent").Value = Left(Newasp.ChkFormStr(Request.Form("indent")),35)
Rs("Email").Value = Trim(Request.Form("Email"))
Rs("customer").Value = Left(Newasp.ChkFormStr(Request.Form("customer")),30)
Rs("username").Value = Left(Newasp.ChkFormStr(Request.Form("username")),30)
Rs("readme").Value = Left(Newasp.ChkFormStr(Request.Form("readme")),200)
Rs("isPass").Value = 0
Rs.Update
Rs.close:set Rs = Nothing
Call Returnsuc("
End Sub
%>
还是以前的过滤函数 不过就paymode没有过滤 因为它类型是radio 单选项 本来以为把它保存到本地修改一下类型就可以了
但是新云有防止本地提交 所以就只能抓包了 过程也不说怎么说 2.1没有验证码直接就抓包跨了可是3.0我加了验证码还是显示我错误
刷新N次也不行 不知道什么原因 官方倒是不会显示我验证码错误 也成功弹出(我去问官方官方告诉我的^_^)本机就出错了
所以这个跨站我只能在2.0测试这个比个人资料的好 因为个人资料 人家管理员不一定会点你的资料 可是订单的只要点交费确认就直接弹的,需
要点你的那个订单
方便多了 不过这个paymode貌似只限制提交70个字符 不过也够我们调用JS之类的,貌似盗了COOKIE可以直接欺骗后台吧? 呵呵 官方的后台
原来是newasp_admin 后来喊他改了 HOHO 漏洞也补了
解析新云2.1&3.0的两个跨站:等您坐沙发呢!