Copyright to the vulnerability discoverer focn all, reproduced please keep the article intact, and indicate the source of! This article only do the study with, to any person for any illegal purpose himself does not bear any responsibility!
Author: black radish System: ray Chi press release management system Version: any version Vulnerability Description: 1 in the admin folder under uploadPic. inc. asp, no access restrictions, any user can To access to this file. Any user can use this file to upload the file to the server 2 uploadPic. inc. asp although the uploaded file's extension is limited but can be bypassed. Please look at the code!
if file. FileSize>0 then "if FileSize > 0 Description there is a file data 'Generates the picture name if actionType= "mod" then remFileName = Right(picName,len(picName)-InstrRev(picName,"/")) else if editRemNum<>"" then remNum = editRemNum else Randomize remNum = Int((9 9 9 - 1 + 1) * Rnd + 1)&day(date)&month(date)&year(date)&hour(time)&minute(time)&second(time) end if remFileName = remNum&"_"&(editImageNum+1)&". gif" end if
file. SaveAs Server. mappath(formPath&remFileName) "save the file
%> The key is if actionType= "mod" then remFileName = Right(picName,len(picName)-InstrRev(picName,"/")) As long as their structure actionType= "mod" you can bypass the following file name detection upload ASP file Constructed as follows UPL http://localhost/leichinews/admin/upload ... ype=mod&picName=test. asp Then in the Upload file which fill you want to upload the picture format of the ASP Trojan Can uppic directory Upload a file named test. asp file uppic/test. asp