Throwing away NC introduces a new method for uploading shell files.

Www.2cto.com.

Today, I posted a message asking for help in the zone, saying that the backend address, user name, and password are available and shell is not available. Soon wbxym and ljb17 will upload the shell in two ways. The wbxym method is simple: Local upload. Modify the action address to upload the page and add *. asp; or add a. After the path. I will not do more about it. The ljb17 method is to capture packets and upload data using nc.
There are two ways to add the path here. The first method is to add *. asp;
The second method is truncation. Add *. asp space after the path, change 20 to 00 in hexadecimal notation, and then upload the packet capture. Make sure to modify the package size if the file size changes.
Today, I will introduce a new method, so we don't need to do any extra work. Let's upload the shell directly.
The trick is to use the opera Browser to upload files.
Follow my steps to upload.
First of all, install this non-IE kernel browser from Norway, which is very beautiful.
There is a place to upload product images on a low-profile website. Http://www.bkjia.com/admin/Uppic. asp? Formname = myform & editname = p_pic_ B & shopuppath = uppic & filelx = jpg
We open it in opera. It is a very handy upload page, and there is no permission verification, and there is no need to enter the background.

 

There are two ways to modify the path.
First, click "Check element" on the page ",

Dragonfly will be started, and then click the "Expand DOM tree" in the lower left corner to expand all the code.

Then find the place where we want to modify the path, double-click its value, and the change box will appear.

After modification, click Next to it to save the modification.
Click Close in the upper-right corner to disable frangonfly.
Then, modify the file suffixed with the city gif file by using the shell. On the webpage, select the file and Click Upload. Then, the file will be successfully uploaded and the shell will be obtained through IIS parsing.
The second method is a simpler method, which is similar to local upload.
After opening the upload page, right-click the page and select "source code"

Open the source code, directly modify the path, and then click "application change"

The subsequent process is the same as above. You can select a file to upload it.
There is no need to save the page, no package, no NC, which is much simpler than the local upload and NC upload mentioned above.
For opera, another question is also mentioned here. How can I get the address of the uploaded file?
Because this upload page has a feature, the page will be closed after the upload. If it is an ie kernel browser such as TT or sogou, there is an option to confirm that the page is closed, click Cancel when you turn it off, and view the source code to obtain the address. But it does not exist in opera.
We know that closing a page is done by javascript code, so we can fix the js Code. Maybe some kids shoes will say, so we just need to edit the source code and remove the js Code?
But here, we just flipped through the Uppic. asp code shows that it does not close the window Code. The Code for closing the window is based on its action page Uppicpro. asp, it is no longer possible to modify the code.
But the js code is executed on the client. Can we disable it in the browser?
Come on
Upload page, right-click, select "Edit site Preferences", switch to the "script" tab, and remove the hooks before "allow use of jacascript"

Click OK and upload. The page is no longer closed, so we can get the address.

You can see the "window. close" next to it, that is, he wants to close the page.
Test whether the upload is OK.

The answer is: perfect.