Good subtle Bo system using the upload program when it is submitted to verify the local path, causing the file name to determine the error upload 1. asp;xxx. jpg the special file name. Caused by IIS6. 0 parse error, thereby executing the asp script vulnerability. There is vulnerability file: upload\upfile_image. asp Use of premise: since the file exists in the session validation, so be the first registered user.
The process is as follows:
A registered user and logged in
Personality settings, custom upload
Right click, View Source, in the action behind the Supplement full URL: http://www.xxx.com/upload/upfile_image.asp
Then down, came to
<input type="hidden" name="filepath" value="/UploadFile/5 8/">
Modify bit, as shown in Figure