There are 2 holes in DvBBS under v7.0.0 SP2, so we may use them to upload arbitrary file to the server.
The holes existed in upfile.asp and saveannouce_upload.asp, the two files were used to upload faces and files to server.
We must construct a customized HTTP POST package to cheat the server. There are many tools in the internet to help us hack it.