Recently I was looking at an information classification system. After a long time staring at it with no leads, I unexpectedly found that it runs the ASP version of 万众电子期刊, so I fetched the source and took a look. That turned up a SQL injection and, combined with IIS6 parsing, a getshell.

1. SQL injection
```asp
' Login check
sub login
    username=request.form("username")
    password=request.form("password")
    if username="" or password="" then
        response.write "<script>alert('账号和密码不能为空!');</script>"
    else
        set rs=server.createobject("adodb.recordset")
        ' username goes straight into the SQL text without any escaping
        sql="select * from W_user where W_user_name='"&username&"' and W_user_password='"&md5(password)&"'"
        rs.open sql,conn,1,1
        if rs.eof then
            response.write "<script>alert('用户名或密码错误!');</script>"
        else
            Session("login_user_name")=username
            Session("login_user_password")=md5(password)
            response.write "<script>location.href = 'index.asp'</script>"
        end if
    end if
end sub
```
The problem is obvious:

```asp
sql="select * from W_user where W_user_name='"&username&"' and W_user_password='"&md5(password)&"'"
```

`admin'or'='or'` alone works as a universal password and logs you in.
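For comparison, here is the same login routine written with a parameterised ADODB.Command, so the user name is bound as data rather than spliced into the SQL string. This is an added example, not the project's own code; it assumes the page's `conn` connection object, the `W_user` table with its `W_user_name` / `W_user_password` columns, and the `md5()` helper the original calls.

```asp
<%
' Added example, not the original project's code: the login routine rewritten to use
' a parameterised ADODB.Command. Assumes the page's conn object, the W_user table
' and its md5() helper; the ADO constants are spelled out so the page needs no adovbs.inc.
Const adVarChar = 200
Const adParamInput = 1
Const adCmdText = 1

Sub SafeLogin()
    Dim username, password, cmd, rs
    username = Request.Form("username")
    password = Request.Form("password")

    If username = "" Or password = "" Then
        Response.Write "<script>alert('Username and password must not be empty');</script>"
        Exit Sub
    End If
    ' A bound parameter needs a size; reject over-long input instead of truncating it.
    If Len(username) > 50 Then
        Response.Write "<script>alert('Invalid user name');</script>"
        Exit Sub
    End If

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? placeholders are filled in by the driver, so a quote inside username
    ' is just a character in the value and never becomes SQL syntax.
    cmd.CommandText = "SELECT W_user_name FROM W_user WHERE W_user_name = ? AND W_user_password = ?"
    cmd.Parameters.Append cmd.CreateParameter("name", adVarChar, adParamInput, 50, username)
    cmd.Parameters.Append cmd.CreateParameter("pwd", adVarChar, adParamInput, 32, md5(password))

    Set rs = cmd.Execute
    If rs.EOF Then
        Response.Write "<script>alert('Wrong user name or password');</script>"
    Else
        ' Store the name as the database returns it, not the raw form value.
        ' The original also cached md5(password) in the session; nothing needs it, so it is dropped.
        Session("login_user_name") = rs("W_user_name")
        Response.Write "<script>location.href='index.asp'</script>"
    End If
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Sub
%>
```

Call `SafeLogin` wherever the original `login` sub was invoked. The unsalted MD5 password storage is left exactly as the page has it; replacing it with a salted, slow hash is a separate fix from the injection.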
2. getshell, which has to be combined with IIS6 parsing

```asp
<%
response.charset = "GBK"
dim picdir
picdir = request.querystring("picdir")
if request.querystring("menu") = "up" then
    dim fileup,formpath,file,filename
    picdir2 = request.querystring("picdir")
    ' once Upload is clicked, perform the upload
    set fileup=new Upload_file ' instantiate the class; fileup is an object
    fileup.GetDate(-1) '
    formpath="upload/" & picdir2 & "/" ' upload path, built straight from the query string
    Set fs = Server.CreateObject("Scripting.FileSystemObject")
    If not fs.FolderExists(server.mappath(formpath)) Then
        fs.CreateFolder(server.mappath(formpath))
    End If
    set file=fileup.file("file") ' create a file object by passing "file" to the file method of the object above
    ' this method returns the extension of the uploaded file
    ' only the specified image types may be uploaded
    if file.fileext <> "jpg" and file.fileext <> "gif" and file.fileext <> "png" and file.fileext <> "jpeg" then
        response.write "<script>alert('图片类型必须是jpg,gif,png这三种');window.close();</script>"
        response.end
    end if
    ' build the full path
    filename = formpath & year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now) & "." & file.fileext
    file.savetofile server.mappath(filename)
    set file = nothing
    set fileup = nothing
    response.write "<script>a('"&filename&"');</script>"
    response.write "<script>alert('图片上传成功');window.close();</script>"
else
%>
<div class="upfile">
<form enctype="multipart/form-data" method="post" action="?menu=up&picdir=<%=picdir%>">
<input type="file" name="file" size="30">
<input type="submit" value="上 传 " />
</form>
</div>
<%
end if
%>
```
It is obvious once trimmed down a bit:

```asp
picdir = request.querystring("picdir") ' read the dir
' once Upload is clicked, perform the upload
set fileup=new Upload_file ' instantiate the class; fileup is an object
fileup.GetDate(-1) '
formpath="upload/" & picdir2 & "/" ' upload path
Set fs = Server.CreateObject("Scripting.FileSystemObject")
If not fs.FolderExists(server.mappath(formpath)) Then
    fs.CreateFolder(server.mappath(formpath))
End If
set file=fileup.file("file") ' create a file object by passing "file" to the file method of the object above
' this method returns the extension of the uploaded file
```

If I pass picdir=1.ASP;.JPG, doesn't that create a directory of that name? Then any picture webshell uploaded into it gives a getshell.
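The root cause is that the folder name comes straight from the query string and the extension check only compares raw strings. Here is a hardened version of the upload branch, added as an example and not the project's own code; it assumes the page's `Upload_file` class (its `GetDate`, `file`, `fileext` and `savetofile` members as used above) and the same `upload/` base folder, and everything else is written for this example.

```asp
<%
' Added example, not the original project's code: the upload handler with the
' directory name and the extension validated before either touches the filesystem.
' Assumes the page's Upload_file class and the upload/ base folder.

' Accept only a short run of ASCII letters and digits as the folder name. That rules
' out "..", path separators and the ";" that IIS6 keys on in a name like 1.asp;.jpg.
Function IsSafePicDir(name)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9]{1,32}$"
    IsSafePicDir = re.Test(name)
End Function

' Case-insensitive extension whitelist. The original compared raw strings, so the
' decision depended on whatever case the client sent.
Function IsAllowedImage(ext)
    Select Case LCase(ext)
        Case "jpg", "jpeg", "gif", "png"
            IsAllowedImage = True
        Case Else
            IsAllowedImage = False
    End Select
End Function

Sub SafeUpload()
    Dim picdir, fileup, file, ext, formpath, filename, fs

    picdir = Request.QueryString("picdir")
    If Not IsSafePicDir(picdir) Then
        Response.Write "Invalid upload directory."
        Response.End
    End If

    Set fileup = New Upload_file
    fileup.GetDate(-1)
    Set file = fileup.file("file")

    ext = LCase(file.fileext)
    If Not IsAllowedImage(ext) Then
        Response.Write "Only jpg, jpeg, gif or png files are accepted."
        Response.End
    End If

    formpath = "upload/" & picdir & "/"
    Set fs = Server.CreateObject("Scripting.FileSystemObject")
    If Not fs.FolderExists(Server.MapPath(formpath)) Then
        fs.CreateFolder Server.MapPath(formpath)
    End If

    ' Server-generated name: timestamp plus a random suffix, and the extension is the
    ' whitelisted value, so the client controls neither the folder nor the file name.
    Randomize
    filename = formpath & Year(Now) & Month(Now) & Day(Now) & Hour(Now) & Minute(Now) & Second(Now) _
               & "_" & Int(Rnd * 100000) & "." & ext
    file.savetofile Server.MapPath(filename)

    Set file = Nothing
    Set fileup = Nothing
    Response.Write "<script>a('" & filename & "');</script>"
End Sub
%>
```

As defence in depth, the `upload/` tree should also have script execution permissions removed in the IIS console, so that even a file that slips past the whitelist is served as a static file rather than run by asp.dll.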