今天渗透一站点,发现旁站有这个系统果断,马上百度一下 然后下载下来,下一步当然是分析 能挖到0day最好了!
噢耶,因为系统看起来还是比较简单了,很快就在
searchpic.asp
<!--#include file="top.asp"-->
<%
if session("skins")<>"" then
set rstmp=conn.execute("select skin_pic,id from skins where id="&session("skins")&"")
else
set rstmp=conn.execute("select skin_pic from skins where default=true")
end if
show=rstmp(0)
set rstmp=nothing
call myweb
if instr(show,"$show_userlogin$")>0 then
call showuserlogin()
show=replace(show,"$show_userlogin$",show_userlogin)
end if
response.Write show
%><!--#include file="foot.asp"-->
<%
'==================================================
'过程名:showpic
'作 用:显示具体的产品
'参 数:无
'==================================================
sub showpic()
show_pic="<table border='0' width='100%' bgcolor='#EEEEEE' cellspacing='1' cellpadding='3' align='center'><tr bgcolor='#FFFFFF'><td colspan='3'>您的位置:<a href='index.asp'>网站首页</a>→<a href='product.asp'>产品中心</a>→搜索产品</td></tr>"
show_pic=show_pic&"<tr bgcolor='#F3F3F3'><td width='7%'><p align='center'>编号</td><td width='67%'><p align='center'>名称</td><td width='25%'><p align='center'>发布日期</td></tr>"
dim searchpic
searchpic=trim(request.form("searchpic"))
If Len(Trim(Request("page")))=0 Then '返回目标页码的判断
page=1
Else
page=CInt(Trim(Request("page")))
End If
set rs=Server.CreateObject("ADODB.RecordSet")
if searchpic="" then
sql="select * from [pic] order by id desc"
else
sql="select * from [pic] where pictitle like '%"&searchpic&"%' or content like '%"&searchpic&"%' order by id desc"
end if //fuck 噢耶
rs.open sql,conn,1,3
rs.PageSize=20
if rs.eof then
show_pic=show_pic&"<tr bgcolor='#FFFFFF'><td colspan='3'><font color=red>没有您要搜索的产品</font></td></tr>"
end if
if not rs.eof then
rs.AbsolutePage=page
for k=1 to rs.PageSize
.......//
post形式注入
表 admin
字段分别为 myweb_name myweb_pwd
默认后台Admin_login.asp
掉进牛逼死(nbsi)果断给力
如图:
接着继续分析一下后台
admin_login.asp
<%if request("action")="check" then
dim name,pwd,code
dim GetCode,valicode
Code=trim(request.form("Code"))
GetCode=trim(request("Code"))
valicode=trim(session("Code"))
name=trim(request.form("name"))
pwd=trim(request.form("pwd"))
if not isnumeric(Code) then
response.write"<script>alert(""验证码格式错误!"");location.href=""javascript:history.go(-1)"";</script>"
response.end
end if
if name<>"" and instr(name,chr(39))>0 or instr(name,chr(34))>0 then
response.write"<script>alert(""用户名非法!"");location.href=""javascript:history.go(-1)"";</script>"
response.end
end if
if GetCode<>valicode then
response.write"<script>alert(""验证码错误!"");location.href=""javascript:history.go(-1)"";</script>"
response.end
end if
set rs=conn.execute("select * from admin where myweb_name='"&name&"' and myweb_pwd='"&md5(pwd)&"'")
if rs.eof then
response.write"<script>alert(""用户名或者密码错误!"");location.href=""javascript:history.go(-1)"";</script>"
else
session("admin")=name / /session 验证
response.redirect"admin_index.asp"
rs.close
end if
end if
%>
接着看了一下 admin_index.asp
<%if session("admin")="" then (当session为空的时候来到index.asp 反之就来到管理页面)
response.redirect"index.asp"
response.end
end if
%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>后台管理</title>
</head>
<frameset rows="*" framespacing="0" frameborder="0" border="false" id="frame" scrolling="yes">
<frameset cols="181,*" framespacing="0" frameborder="0" border="false" id="frame" scrolling="yes">
<frame name="left" scrolling="auto" marginwidth="0" marginheight="0" src="admin_index_left.asp" target="main">
<frameset framespacing="0" border="false" rows="35,*" frameborder="0" scrolling="yes">
<frame name="top" scrolling="no" src="admin_index_top.asp">
<frame name="main" scrolling="auto" src="admin_index_main.asp">
</frameset>
</frameset>
</frameset>
<noframes>
<body leftmargin="2" topmargin="0" marginwidth="0" marginheight="0">
<p>你的浏览器版本过低!!!本系统要求IE5及以上版本才能使用本系统。</p>
</body>
</noframes>
</html>
随即新建123.asp
如图:
然后访问123.asp再来到admin_index.asp,
测试成功!果断给力
后台很强大的 拿webshell不会是问题把!今天就到这里把 小菜我新手上路不容易啊 其中有错 望大家指点指点!感激感激!!噢耶!求交流 求淫荡!
BY:暗月式(darkmoon)
首发暗月渗透联盟