学步园

漏洞文件
1:user/changeinfo.asp

<!--#include file="config.asp"-->
<!--#include file="check.asp"-->
<!--#include file="../inc/md5.asp"-->
<!--#include file="../inc/chkinput.asp"-->
<!--#include file="../api/cls_api.asp"-->
<!--#include file="head.inc"-->
================省略部分代码==============================================
<%
End If
Rs.Close:Set Rs = Nothing
End If
If Founderr = True Then
Call Returnerr(ErrMsg)
End If
Sub ChangeUserInfo()
On Error Resume Next
Dim username, password,userid
Dim usersex,sex
username = Newasp.CheckBadstr(Newasp.membername)
userid = Newasp.ChkNumeric(memberid)
If Newasp.CheckPost=False Then
ErrMsg = ErrMsg + Postmsg
FoundErr = True
Exit Sub
End If
If Newasp.IsValidPassword(Request.Form("answer")) = False And Trim(Request.Form("answer")) <> "" Then
ErrMsg = ErrMsg + "<li>密码问题答案中含有非法字符！</li>"
Founderr = True
End If
If Trim(Request.Form("username")) <> username Then
ErrMsg = ErrMsg + "<li>非法操作！</li>"
Founderr = True
End If
If Trim(Request.Form("password")) = "" Then
ErrMsg = ErrMsg + "<li>请输入用户密码！</li>"
Founderr = True
Else
password = md5(Request.Form("password"))
End If
If userid = 0 Then
FoundErr = True
ErrMsg = ErrMsg + "<li>Sorry！您选择了错误的系统参数。</li>"
Exit Sub
End If

If Trim(Request.Form("nickname")) = "" Then
ErrMsg = ErrMsg + "<li>用户昵称不能为空！</li>"
Founderr = True
End If
If Newasp.IsValidStr(Request.Form("nickname")) = False Then
ErrMsg = ErrMsg + "<li>用户昵称中含有非法字符！</li>"
Founderr = True
End If
If Trim(Request.Form("TrueName")) = "" Then
ErrMsg = ErrMsg + "<li>真实姓名不能为空！</li>"
Founderr = True
End If
If Newasp.IsValidStr(Request.Form("TrueName")) = False Then
ErrMsg = ErrMsg + "<li>真实姓名中含有非法字符！</li>"
Founderr = True
End If
If Trim(Request.Form("usermail")) = "" Then
ErrMsg = ErrMsg + "<li>您的Email不能为空！</li>"
Founderr = True
End If
If IsValidEmail(Request.Form("usermail")) = False Then
ErrMsg = ErrMsg + "<li>您的Email有错误！</li>"
Founderr = True
End If
If Not IsNumeric(Request.Form("oicq")) And Trim(Request.Form("oicq")) <> "" Then
FoundErr = True
ErrMsg = ErrMsg + "<li>QQ号码请用数字填写。</li>"
End If
If Trim(Request.Form("HomePage")) <> "" And Left(Request.Form("HomePage"),7) <> "http://" Then
FoundErr = True
ErrMsg = ErrMsg + "<li>个人主页地址输入有误，请以“http://”开头。</li>"
End If
If Not Newasp.CodeIsTrue() Then
ErrMsg = ErrMsg + "<meta http-equiv=""refresh"" content=""2;URL=changeinfo.asp""><li>验证码校验失败，请返回刷新页面再试。两秒后自动返回</li>"
Session("GetCode") = ""
Founderr = True
Exit Sub
End If
Session("GetCode") = ""
If Trim(Request.Form("usersex")) = "" Then
ErrMsg = ErrMsg + "<li>您的姓别不能为空！</li>"
Founderr = True
Else
usersex = Newasp.CheckBadstr(Request.Form("usersex"))
End If
If usersex = "女" Then
sex = 0
Else
sex = 1
End If

If Founderr = True Then Exit Sub
Set Rs = Server.CreateObject("ADODB.RecordSet")
SQL = "Select * FROM [NC_user] Where username='" & username & "' And userid=" & CLng(userid)
Rs.Open SQL, Conn, 1, 3
If Rs.bof And Rs.EOF Then
ErrMsg = ErrMsg + "<li>Sorry！没有找到此用户信息信息！</li>"
Founderr = True
Exit Sub
Else
If password <> Rs("password") Then
ErrMsg = ErrMsg + "<li>您输入的密码错误！</li>"
Founderr = True
Exit Sub
End If
If Founderr = False Then
'-----------------------------------------------------------------
'系统整合
'-----------------------------------------------------------------
Dim API_Newasp,API_SaveCookie,SysKey
If API_Enable Then
Set API_Newasp = New API_Conformity
API_Newasp.NodeValue "action","update",0,False
API_Newasp.NodeValue "username",UserName,1,False
Md5OLD = 1
SysKey = Md5(API_Newasp.XmlNode("username") & API_ConformKey)
Md5OLD = 0
API_Newasp.NodeValue "syskey",SysKey,0,False
API_Newasp.NodeValue "password","",1,False
API_Newasp.NodeValue "answer",Request.Form("answer"),1,False
API_Newasp.NodeValue "question",Request.Form("question"),1,False
API_Newasp.NodeValue "email",Request.Form("usermail"),1,False
API_Newasp.NodeValue "gender",sex,0,False
API_Newasp.SendHttpData
If API_Newasp.Status = "1" Then
Founderr = True
ErrMsg = API_Newasp.Message
Exit Sub
End If
Set API_Newasp = Nothing
End If
'-----------------------------------------------------------------
End If
Rs("nickname") = Newasp.CheckBadstr(Request.Form("nickname"))
Rs("TrueName") = Newasp.CheckBadstr(Request.Form("TrueName"))
Rs("usermail") = Trim(Request.Form("usermail"))
If Trim(Request.Form("HomePage")) <> "" Then Rs("HomePage") = Trim(Request.Form("HomePage"))
If Trim(Request.Form("usersex")) <> "" Then Rs("usersex") = usersex
If Trim(Request.Form("question")) <> "" Then Rs("question") = Trim(Request.Form("question"))
If Trim(Request.Form("answer")) <> "" Then Rs("answer") = md5(Trim(Request.Form("answer")))
If Trim(Request.Form("phone")) <> "" Then Rs("phone") = Trim(Request.Form("phone"))
If Trim(Request.Form("oicq")) <> "" Then Rs("oicq") = Trim(Request.Form("oicq"))
If Trim(Request.Form("postcode")) <> "" Then Rs("postcode") = Trim(Request.Form("postcode"))
If Trim(Request.Form("UserIDCard")) <> "" Then Rs("UserIDCard") = Trim(Request.Form("UserIDCard"))
If Trim(Request.Form("address")) <> "" Then Rs("address") = Trim(Request.Form("address"))
If Trim(Request.Form("BuyCode")) <> "" Then Rs("BuyCode") = md5(Trim(Request.Form("BuyCode")))
Rs.Update
End If
Rs.Close
Set Rs = Nothing
Call Returnsuc("<li>恭喜您！用户资料修改成功。</li>")
End Sub
%>
<!--#include file="foot.inc"-->

nickname跟Truename被checkbadstr函数过滤了

函数代码 inc/cls_main.asp

Public Function CheckBadstr(str)
If IsNull(str) Then
CheckBadstr = vbNullString
Exit Function
End If
str = Replace(str, Chr(0), vbNullString)
str = Replace(str, Chr(34), vbNullString)
str = Replace(str, "%", vbNullString)
str = Replace(str, "@", vbNullString)
str = Replace(str, "!", vbNullString)
str = Replace(str, "^", vbNullString)
str = Replace(str, "=", vbNullString)
str = Replace(str, "--", vbNullString)
str = Replace(str, "$", vbNullString)
str = Replace(str, "'", vbNullString)
str = Replace(str, ";", vbNullString)
CheckBadstr = Trim(str)
End Function

过滤了单引双引 没过滤<> 开始本来以为可以跨 可是后来进后台才发现需要用'>闭合前面的代码 所以

就放弃了 有人能过告诉我

usermail就被IsValidEmail函数过滤了 还蛮严格的 只能输入英文+数字还有_-.几个字符

函数代码 inc/chkinput.asp

Function IsValidEmail(email)
Dim names, Name, i, c
IsValidEmail = true
names = Split(email, "@")
If UBound(names) <> 1 Then
IsValidEmail = false
Exit Function
End If
For Each Name in names
If Len(Name) <= 0 Then
IsValidEmail = false
Exit Function
End If
For i = 1 To Len(Name)
c = LCase(Mid(Name, i, 1))
If InStr("abcdefghijklmnopqrstuvwxyz_-.", c) <= 0 And Not IsNumeric(c) Then
IsValidEmail = false
Exit Function
End If
Next
If Left(Name, 1) = "." or Right(Name, 1) = "." Then
IsValidEmail = false
Exit Function
End If
Next
If InStr(names(1), ".") <= 0 Then
IsValidEmail = false
Exit Function
End If
i = Len(names(1)) - InStrRev(names(1), ".")
If i <> 2 And i <> 3 Then
IsValidEmail = false
Exit Function
End If
If InStr(email, "..") > 0 Then
IsValidEmail = false
End If

End Function

usersex跟name那情况差不多 也放弃

question的没有过滤就进库了 直接'><script>alert('test')</script>< 就可以跨了

answer经过MD5加密 放弃咯

phone跟question 也是一样

下面的postcode,UserIDCard,address也是没过滤 BuyCode就被MD5了

还是很好跨的. 我就直接用address直接跨测试下咯 看图

漏洞文件2:
user/confirm.asp

====================省略部分代码================================

<table cellspacing=1 align=center cellpadding=3 border=0 class=Usertableborder>
<tr height=20>
<th colspan=2>交费确认</th>
</tr>
<tr height=20 align=center>
<td class=Usertablerow2 colspan=2><font color=red>注意：</font><font color=blue>请一定要正确填写以下含*的选项，以方便我们核对！</font></td>
</tr>
<form name=form2 method=post action=?action=save>
<tr height=20>
<td class=Usertablerow1 width="20%" align=right>汇款日期：</td>
<td class=Usertablerow1 width="80%"><input type="text" name="PayDate" size=15 value="<%=date()%>"> <font color=red>*</font></td>
</tr>
<tr height=20>
<td class=Usertablerow1 align=right>汇款金额：</td>
<td class=Usertablerow1><input type="text" name="PayMoney" size=15 onkeyup=if(isNaN(this.value))this.value=''> 元 <font color=red>*</font></td>
</tr>
<tr height=20>
<td class=Usertablerow1 align=right>定 单 号：</td>
<td class=Usertablerow1><input type="text" name="indent" size=30> <font color=red>*</font></td>
</tr>
<tr height=20>
<td class=Usertablerow1 align=right>汇款方式：</td>
<td class=Usertablerow1>
<input type=radio name=paymode value="银行汇款" checked> 电汇
<input type=radio name=paymode value="邮局汇款"> 邮汇
<input type=radio name=paymode value="网上支付"> 网上支付
</td>
</tr>
<tr height=20>
<td class=Usertablerow1 align=right>用户名：</td>
<td class=Usertablerow1><input type="text" name="username" size=15 value="<%=Newasp.MemberName%>"> <font color=red>*</font></td>
</tr>
<tr height=20>
<td class=Usertablerow1 align=right>汇款人名称：</td>
<td class=Usertablerow1><input type="text" name="customer" size=30> <font color=red>*</font></td>
</tr>
<tr height=20>
<td class=Usertablerow1 align=right>汇款人邮箱：</td>
<td class=Usertablerow1><input type="text" name="Email" size=30> <font color=red>*</font></td>
</tr>
<tr height=20>
<td class=Usertablerow1 align=right>其它说明：</td>
<td class=Usertablerow1><textarea name=readme rows=5 cols=50></textarea> <font color=red>*</font></td>
</tr>
<tr height=20 align=center>
<td class=Usertablerow2 colspan=2><input type=submit value=" 确认提交 " class=Button></td>
</tr>
</form>
<%
Response.Write "</table>"
End Sub
Sub SaveConfirm()
If Newasp.CheckPost=False Then
ErrMsg = ErrMsg + Postmsg
FoundErr = True
Exit Sub
End If
If Not IsDate(Request.Form("PayDate")) Then
FoundErr = True
ErrMsg = ErrMsg + "<li>日期输入错误。</li>"
End If
If Not IsNumeric(Request.Form("PayMoney")) Then
FoundErr = True
ErrMsg = ErrMsg + "<li>汇款金额输入错误。</li>"
End If
If Trim(Request.Form("indent")) = "" Then
FoundErr = True
ErrMsg = ErrMsg + "<li>你的定单号没有填咧？</li>"
End If
If IsValidEmail(Request.Form("Email")) = False Then
ErrMsg = ErrMsg + "<li>您的Email有错误！</li>"
Founderr = True
End If
If Trim(Request.Form("customer")) = "" Then
FoundErr = True
ErrMsg = ErrMsg + "<li>汇款人名称不能为空。</li>"
End If
If Trim(Request.Form("username")) = "" Then
FoundErr = True
ErrMsg = ErrMsg + "<li>用户名不能为空？</li>"
End If
If Founderr = True Then Exit Sub
Set Rs = Server.CreateObject("ADODB.Recordset")
SQL = "select * from NC_Confirm where (id is null)"
Rs.Open SQL,Conn,1,3
Rs.Addnew
Rs("paymode").Value = Trim(Request.Form("paymode"))
Rs("PayDate").Value = Trim(Request.Form("PayDate"))
Rs("PayMoney").Value = Trim(Request.Form("PayMoney"))
Rs("indent").Value = Left(Newasp.ChkFormStr(Request.Form("indent")),35)
Rs("Email").Value = Trim(Request.Form("Email"))
Rs("customer").Value = Left(Newasp.ChkFormStr(Request.Form("customer")),30)
Rs("username").Value = Left(Newasp.ChkFormStr(Request.Form("username")),30)
Rs("readme").Value = Left(Newasp.ChkFormStr(Request.Form("readme")),200)
Rs("isPass").Value = 0
Rs.Update
Rs.close:set Rs = Nothing
Call Returnsuc("<li>恭喜您！确认信息提交成功，我们会在一个工作日内处理你的定单。")
End Sub

%>
<!--#include file="foot.inc"-->

还是以前的过滤函数 不过就paymode没有过滤 因为它类型是radio 单选项 本来以为把它保存到本地修改一下类型就可以了

但是新云有防止本地提交 所以就只能抓包了 过程也不说怎么说 2.1没有验证码直接就抓包跨了可是3.0我加了验证码还是显示我错误

刷新N次也不行 不知道什么原因 官方倒是不会显示我验证码错误 也成功弹出(我去问官方官方告诉我的^_^)本机就出错了

所以这个跨站我只能在2.0测试这个比个人资料的好 因为个人资料 人家管理员不一定会点你的资料 可是订单的只要点交费确认就直接弹的,需

要点你的那个订单

方便多了 不过这个paymode貌似只限制提交70个字符 不过也够我们调用JS之类的,貌似盗了COOKIE可以直接欺骗后台吧? 呵呵 官方的后台

原来是newasp_admin 后来喊他改了 HOHO 漏洞也补了

没什么技术含量 纯属娱乐别见笑哈.