A workaround when the Web site does not allow uploading ASP cer CDX HTR files! _ Security Related
Source: Internet
Author: User
Some days ago to lcx Big Brother to ask about the problem of web upload, said that the use of STM to upload, but also to execute the program, puzzled, gave me a piece of code:
See the code given by brother LCX
Say save for STM or shtml look, run as follows:
Http_accept:image/gif, Image/x-xbitmap, Image/jpeg, Image/pjpeg, Application/x-shockwave-flash, application/ Vnd.ms-powerpoint, Application/vnd.ms-excel, Application/msword, */* http_accept_language:zh-cn HTTP_CONNECTION: Keep-alive Http_host:localhost http_user_agent:mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon. NET CLR 1.1.4322) http_cookie:nbblastactivity=1100263629; bblastvisit=1100264583; bblastactivity=1100265530; bbuserid=1; bbpassword=0f8514d1ed2eaa91fb9a87a568f6c96f; ASPSESSIONIDAQTSDRQQ=JOGDCEBDCNKFMLGDNFHPDHMJ Http_accept_encoding:gzip, deflate
Current file name: F:\Web\1.stm
Name and version of Web server: microsoft-iis/5.0
Host name: localhost
PORT: 80
Customer or Customer agent IP address: 127.0.0.1
Customer or Customer Agent host name: 127.0.0.1
Path_info value, but with a virtual path that expands to a directory specification: F:\Web\1.stm
The client gives additional path information:/1.stm
Image/gif, Image/x-xbitmap, Image/jpeg, Image/pjpeg, Application/x-shockwave-flash, Application/vnd.ms-powerpoint, Application/vnd.ms-excel, Application/msword, */*
Always puzzled!
I saw a word at the Phantom Brigade today.
Reference
When the Web site does not allow uploading of ASP CER cdx HTR files, upload an STM file, which reads:
<!--#include file= "conn.asp"-->
Direct request this STM file, conn.asp on the glance, the database path also got!
and read the introduction of the article shtml, suddenly dawned, finally understand!
It turns out to be what it says,
[color=green]<!--#include file= "conn.asp"-->
is an SSI instruction that copies the contents of the "info.htm" to the current page and, when visitors come to browse, sees the contents of the info.htm in the same way as other HTML documents. [/color]
I succeeded in the local trial! A test.stm file was built in my IIS directory, which reads:
<!--#include file= "ok.asp"-->
Another one of my Trojan files in the same directory ok.asp
Request Test.stm in the browser, there is nothing to reflect, a blank.
But a view of the source code, crazy Halo, the original is my ASP file content!
So we can use this to get the conn file of the Web to be hacked to get the database path,
But one prerequisite is that the server's extensions to STM or shtml are not deleted!
Thanks again lcx elder brother's instruction!
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
