Any file download vulnerability aspx site

1) Leverage SQL Server penetration
For ASPX sites, the general background is a SQL Server database, so the simplest way to exploit this vulnerability is to get the database password directly, log in directly to the database, and complete the infiltration with SQL Server.

Http://www.test.org/DownLoadFileLow.aspx?FileName=Accompanying_Persons_Tour_Program.pdf

First determine the Web site root directory to download the Web. config file, and the ASPX site saves configuration information with the Web. config file under the root directory
Try to determine the root directory:
Http://www.test.org/DownLoadFileLow.aspx?FileName=../web.config
Error message:

The error message that determines the absolute path of the site (used in subsequent differential backups)

Http://www.test.org/DownLoadFileLow.aspx?FileName=../../web.config

Open the configuration file to locate the connection database entry:

Determine if SQL Server can connect remotely

Can connect remotely

To connect to a server by using SQL Server

Login success:

The absolute path to the site has been obtained and the shell can be obtained directly using a differential backup.

Use a chopper to connect a word

Connection Successful

Complete penetration.

2) Download DLL file
The ASPX site typically compiles the background source code, saves it to the DLL file, and places it under the Bin folder of the root of the Web site, so you can download the dll file from the download point and get the site source code.
A download point:
Www.test.com.cn/DownLoad.aspx?fileName=%C4%EA%B6%C8%C9%F3%BA%CB%B1%ED.doc

Two backtracking determine the root directory of a Web site

The discovery database connection failed, cannot use the above method, therefore, attempts by the download source code, penetrates.
First download the download.aspx file, mainly to see if the ASPX site will put the source code into the DLL file, so that you can directly download the DLL to get the entire station (inaccurate) source code.

Open after download: http://www.test.com.cn/DownLoad.aspx?fileName=../../DownLoad.aspx

Try downloading the corresponding DownLoad.aspx.cs file here
Http://www.test.com.cn/DownLoad.aspx?fileName=../../DownLoad.aspx.cs

Failure, indicating that the source code of the site into the DLL file, and download.aspx corresponding source code is xkcms.webForm.DownLoad, now mainly to guess the DLL file name, by this command space
Xkcms.webForm.DownLoad can know that download is not, only one guess.

Http://www.test.com.cn/DownLoad.aspx?fileName=../../bin/xkcms.dll

Http://www.test.com.cn/DownLoad.aspx?fileName=../../bin/webForm.dll

Guessing succeeds, the DLL is compiled, using the. NET Reflector tool directly to open the compiled DLL file.
Get the website source code as follows:

First look at the download.aspx file corresponding to the implementation code:

As you can see, there is no direct download request file for the filename parameter, resulting in any file download vulnerability.

Of course, the most concern is whether the site has other vulnerabilities, the favorite is of course the upload vulnerability.
Find the site's upload location

The upload page does not filter the upload file, which can be uploaded directly, test:
To access the upload page:

Select the aspx suffix file

Then go to the path to save the uploaded file to see if the upload was successful,

Visible upload file success, directly upload the file content, change to ASPX code, you can get Webshell.
Of course this is a special case, pay attention to safe sites are not so bad, but generally get the source code will always find loopholes, as long as there is time ... I'm not going to give you an example.

Any file download vulnerability aspx site