### 简要描述:
也是要结合iis6的解析漏洞,不知道这两处跟之前提交的会不会重复
### 详细说明:
由于官网不是iis6的环境
我本地进行测试
第一处
```
http://127.0.0.1/Plugins/ckfinder/ckfinder.html
```
在左边文件夹Files下新建字幕了1.asp 然后点击1.asp目录然后上传图片木马3.gif
[<img src="https://images.seebug.org/upload/201405/101117459cdec5d1bf56b0b37fcba7e8ccae8c15.png" alt="510.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/101117459cdec5d1bf56b0b37fcba7e8ccae8c15.png)
然后右键查看文件 就可以看到文件地址了
[<img src="https://images.seebug.org/upload/201405/10112020ff43d483a4b1e4a70c0c8b2ae4c82e03.png" alt="511.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/10112020ff43d483a4b1e4a70c0c8b2ae4c82e03.png)
文件地址
```
http://127.0.0.1/UploadFiles/files/1.asp/3.GIF
```
第二处
```
http://127.0.0.1/plugins/imageupload.aspx
```
```
protected void btnUpload_Click(object sender, EventArgs e)
{
string str = "";
string str2 = Path.GetExtension(this.fup_Image.FileName).ToLower();
if (!this.CheckFilePostfix(str2.Replace(".", ""))) //上传文件类型白名单可以自己设置
{
this.ReturnManage("上传的附件不是符合扩展名" + base.Request["Ext"] + "的文件");
}
else
{
string path = base.Server.MapPath("~/UploadFiles/Images/S" + base.Request.QueryString["SID"]); //可创建文件夹自己可控制
if (!Directory.Exists(path))
{
Directory.CreateDirectory(path);
}
string str4 = DateTime.Now.ToString("yyyyMM");
string str5 = DataSecurity.MakeFileRndName();
str = str4 + str5 + str2;
string filename = path + @"\" + str;
this.fup_Image.PostedFile.SaveAs(filename);
(this.Page.FindControl("span_Error") as HtmlGenericControl).Style["display"] = "block";
string s = string.Format("<script>parent.document.getElementById('hdPath_'+ {0}).value='/UploadFiles/Images/{1}/{2}';parent.document.getElementById('img_'+ {0}).src='/UploadFiles/Images/{1}/{2}';</script>", base.Request.QueryString["QID"], "S" + base.Request.QueryString["SID"], str);
base.Response.Write(s);
}
}
```
访问
```
http://127.0.0.1/plugins/imageupload.aspx?SID=2.ASP&Ext=jpg
```
上传jpg格式木马
[<img src="https://images.seebug.org/upload/201405/101125136f7615c58fe7d1cc35980d99e260b3ed.png" alt="512.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/101125136f7615c58fe7d1cc35980d99e260b3ed.png)
右键查看源代码就有文件路径了
[<img src="https://images.seebug.org/upload/201405/10112623c68e9726f978475317672bfd288e2adf.png" alt="513.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/10112623c68e9726f978475317672bfd288e2adf.png)
### 漏洞证明:
漏洞证明如上
暂无评论