Download ASP source code using the stm feature

If the shell cannot be uploaded, you can upload an stm file with the following content:
<! -# Include file = "conn. asp"->
Directly accessing this stm file will find a blank file, but right-click to view the source code, you will find that conn. asp is at a glance, and the database path will be ready!
After reading the introduction of shtml, I suddenly realized that I finally understood it!
As mentioned above,
<! -# Include file = "conn. asp"->
The contents of the statement.
I tried it locally! A test. stm file is created under the my iis directory with the following content:
<! -# Include file = "OK. asp"->
Another file named OK. asp is put under the same directory.
The request for test. stm in the browser is blank.
But when I checked the source code, I was so dizzy that it turned out to be the content of my asp file!
In this way, we can use this to obtain the web conn file of the target machine to obtain the database path,
But one premise is that the server does not delete the extension of stm or shtml.
========================================================== ================
Currently, files such as asp, asa, and cer cannot be uploaded on many websites, and the classic upload vulnerability does not exist. However, many websites can still upload other files, such as shtm or shtml files, I found a method where you can create a local shtml file and enter <! -# Include file = "conn. asp"->. Conn. asp is the asp file you want to read. Of course, it is the file connecting to the database. Haha, then upload it, and finally request this shtml file in your browser ,? Why is it blank ?, Haha, check the code of this webpage, that is, the code of conn. asp. I don't need to tell you what to do.

From: WebShell's Blog