某医学在线考试系统代码审计

<%@ Application Codebehind="Global.asax.cs" Inherits="YQExam.Web.Global" Language="C#" %> 

Examples:de4dot.exe -r c:myfiles -ro c:myoutputde4dot.exe file1 file2 file3de4dot.exe file1 -f file2 -o file2.out -f file3 -o file3.outde4dot.exe file1 --strtyp delegate --strtok 06000123

// 批量反混淆 c:input是混淆的dll文件夹// 输出一个反混淆的dll文件夹c:outputde4dot.exe -r c:input -ru -ro c:output

我想访问到图中的代码逻辑那么请求的url就为http://xxxx/Manage/Ajax/User.ashx

ASP.NET WebForm开发模式 参考：https://mp.weixin.qq.com/s/PztEiJh67yJ9uNDYqZQCjAhttps://mp.weixin.qq.com/s/0xYkOVKuwwAaEqrba7xxZA

// 内部的一些代码逻辑// 一些判断if (!ConfigBll.GetSelfVerbs().Contains(request.RequestType)) // 只允许post、getif (request.UrlReferrer != null && !request.Url.Host.Equals(request.UrlReferrer.Host) && !ConfigBll.GetSelfReferer().Contains  // Referrer和Host要相等

// 关键字过滤foreach (object obj in request.QueryString)      {        string name = (string)obj;        if (FilterSqlString.ExistsSuspicious(request.QueryString[name]))        {          flag = false;          break;        }      }

// 存在漏洞的逻辑部分private void AuthorValid(object sender, EventArgs e)    {      bool flag = true;      HttpContext httpContext = HttpContext.Current;      HttpRequest request = httpContext.Request;      bool flag2 = true;      string absolutePath = request.Url.AbsolutePath;      if (absolutePath.EndsWith(".aspx", StringComparison.CurrentCultureIgnoreCase) || absolutePath.EndsWith(".ascx", StringComparison.CurrentCultureIgnoreCase) || absolutePath.EndsWith(".ashx", StringComparison.CurrentCultureIgnoreCase))      {        if (absolutePath.EndsWith("/Default.aspx", StringComparison.CurrentCultureIgnoreCase) || absolutePath.EndsWith("/Register.aspx", StringComparison.CurrentCultureIgnoreCase) || absolutePath.EndsWith("/MediaFile.aspx", StringComparison.CurrentCultureIgnoreCase) || absolutePath.EndsWith("/Login.aspx", StringComparison.CurrentCultureIgnoreCase))        {          return;        }        ...

if (absolutePath.EndsWith(".aspx", StringComparison.CurrentCultureIgnoreCase) || absolutePath.EndsWith(".ascx", StringComparison.CurrentCultureIgnoreCase) || absolutePath.EndsWith(".ashx", StringComparison.CurrentCultureIgnoreCase))// 如果 absolutePath 以 ".aspx"、".ascx" 或者 ".ashx" 结尾（忽略大小写），那么条件表达式的值将为 true。就会进入权限判断，那结尾加点特殊字符就行了

public static void DownloadFile(string strSrcFile, string strShowName, HttpContext context)    {      if (!File.Exists(context.Server.MapPath(strSrcFile)))      {        return;      }      FileInfo fileInfo = new FileInfo(context.Server.MapPath(strSrcFile));      if (!fileInfo.Name.Equals(strShowName, StringComparison.CurrentCultureIgnoreCase))      {        string text = strSrcFile.Replace(fileInfo.Name, strShowName);        File.Copy(context.Server.MapPath(strSrcFile), context.Server.MapPath(text), true);        if (File.Exists(context.Server.MapPath(text)))        {          context.Response.Redirect(text);          return;        }      }      else      {        context.Response.Redirect(strSrcFile);      }    }