### Brief description:

Blind XSS against the admin backend of the Maccms ASP version.

### Details:

The `reporterr` function at line 255 of /inc/ajax.asp:

```
sub reporterr()
    dim g_vid,g_name,g_content,g_audit,g_ip,g_time
    ' user-controlled POST fields, passed through the SQL filter
    g_vid = be("post","g_vid") : g_vid = chkSql(g_vid, True)
    g_name = be("post","g_name") : g_name = chkSql(g_name, True)
    g_content = be("post","g_content") : g_content = chkSql(g_content, True)
    if not isNum(g_vid) then alert "请填写正确参数" : exit sub
    if len(g_name) > 64 then g_name = left(g_name,64)
    if len(g_content) > 255 then g_content = left(g_content,255)
    if app_gbookaudit=1 then g_audit=0 else g_audit=1
    ' the IP is taken from getIP() and stored without any further check
    g_ip = getIP()
    g_time = Now()
    If getTimeSpan("lastreportErrTime") < app_gbooktime Then alert "请稍后再试": Exit Sub
    objdb.add "{pre}gbook", Array("g_vid","g_audit","g_name", "g_ip", "g_time", "g_content"), Array(g_vid, g_audit, g_name, g_ip, g_time, g_content)
    Session("lastreportErrTime") = Now
    writeA "报错成功,多谢支持!<script>setTimeout(""window.close()"",1000)</script>"
end sub
```

It reads the error report (guestbook entry) submitted by the user. Among other things it calls `getIP()` to obtain the client IP address, so let's look at that:

```
function getIP()
    dim x, y
    x = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    y = Request.ServerVariables("REMOTE_ADDR")
    ' the client-supplied X-Forwarded-For header wins whenever it is present
    if(isN(x) or lCase(x)="unknown") then getIP=y else getIP=x
    ' the only sanity check: the value must contain at least one dot
    if instr(getIP,".")=0 then getIP = "0.0.0.0"
end function
```

The IP is taken from `HTTP_X_FORWARDED_FOR` and is not filtered at all. SQL injection is not possible here, but blind XSS is. The IP field in the database is 32 characters long, which basically meets the minimum length needed for a blind XSS payload, and entries can also be concatenated. I won't go into more detail and will only demonstrate a popup.

### Proof of vulnerability:

Modify the request when submitting the report:

[![004.jpg](https://images.seebug.org/upload/201408/0120331578b4ddbf33cf590b4a9de1e5df684902.jpg)](https://images.seebug.org/upload/201408/0120331578b4ddbf33cf590b4a9de1e5df684902.jpg)

When the message is viewed in the admin backend, the popup fires:

[![005.jpg](https://images.seebug.org/upload/201408/01203810b11f5d426a3bcf92bdd477657e9d766a.jpg)](https://images.seebug.org/upload/201408/01203810b11f5d426a3bcf92bdd477657e9d766a.jpg)
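As an added example (not code from Maccms or from the report above), the following Python models the original `getIP()` dot check next to a hardened variant that only consults `X-Forwarded-For` behind a proxy the operator controls and only accepts a parseable IP literal, plus output encoding for the admin listing; the header values are constructed.

```python
import html
import ipaddress

# Constructed sample values (not from the report): a forged X-Forwarded-For
# value that contains a dot, so the original dot check lets it through.
FORGED_XFF = "1.2.3.4<b>x</b>"
REMOTE_ADDR = "10.0.0.5"


def original_get_ip(xff, remote_addr):
    """Python model of the report's getIP(): trusts X-Forwarded-For wholesale
    and only replaces values that contain no '.' at all."""
    ip = remote_addr if (not xff or xff.lower() == "unknown") else xff
    return ip if "." in ip else "0.0.0.0"


def hardened_get_ip(xff, remote_addr, behind_trusted_proxy=False):
    """Hardened variant: X-Forwarded-For is only consulted when the app sits
    behind a proxy it controls, the first hop is taken, and anything that is
    not a parseable IPv4/IPv6 literal is discarded in favour of REMOTE_ADDR."""
    candidate = remote_addr
    if behind_trusted_proxy and xff:
        first_hop = xff.split(",")[0].strip()
        try:
            candidate = str(ipaddress.ip_address(first_hop))
        except ValueError:
            candidate = remote_addr  # markup, 'unknown', garbage: ignore it
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return "0.0.0.0"  # same fallback the original uses


def render_ip_cell(ip):
    """Output encoding for the admin guestbook listing: even if a bad value
    reached the g_ip column, it must not be written into HTML unescaped."""
    return html.escape(ip, quote=True)


if __name__ == "__main__":
    print("original :", original_get_ip(FORGED_XFF, REMOTE_ADDR))
    print("hardened :", hardened_get_ip(FORGED_XFF, REMOTE_ADDR, True))
    print("rendered :", render_ip_cell(original_get_ip(FORGED_XFF, REMOTE_ADDR)))
```

The stored value is the root cause, but the admin page is where it becomes exploitable, so both the input validation and the output encoding belong in the fix.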