A simple analysis of a file upload vulnerability + patch (Greiner Windows upload program v1.0)

2009-09-19T00:00:00
ID MYHACK58:62200924707
Type myhack58
Reporter Anonymous
Modified 2009-09-19T00:00:00

Description

One day I was bored and, on a whim, went to look at a certain XX site (don't get the wrong idea). I am a beginner anyway, so I searched and searched, and finally found an upload vulnerability.

I impatiently went to my toolbox, dug out a small web shell (a "pony") that had been lying there gathering mold, and uploaded it. After the upload, the message "file type is illegal" appeared.

Move the mouse over the OK button and the status bar shows 2009311221027003863.asp (see also the following figure):

However, there is no path. That is easy to handle: following the experts' experience, open the home page, find any picture, look at its path, join the two together and visit the result. OK.

So a web shell was obtained that easily (and without doing any damage). Once in the web shell, I downloaded the few upload files in order to write this article.

The following code is the source file:

=====================================================================

<script language="Javascript">
function minipic(smileface) {
    window.opener.document.myform.pic.value = smileface;
    window.close()
}
</script>
<%
set upload=new upload_5xSoft
set file=upload.file("file1")
formPath="../brought you/"
if file.filesize>1 then
    if file.filesize>100000000000000000000000000000000000000 then
        response.Write("uploaded image is too large,please re-upload!")
    else
        fileExt=lcase(right(file.filename,3))
    end if
    if fileExt="asp" then 'it is pointless to put this check here
        Response.Write "file type is illegal"
    end if 'the check ends here, so it is simply useless
end if
randomize
ranNum=int(9000000*rnd)+10000
filename=year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&ranNum&"."&fileExt
if file.FileSize>0 then 'the only test before saving: any file larger than 0 is uploaded
    file.SaveAs Server.mappath(formPath&FileName)
end if
response.write "<a href=Javascript:minipic('"&filename&"');>OK</a>"
%>
</td> </tr> </table> </body>

=====================================================================

A very simple analysis: the control block that checks for the ASP file type is useless. All it does is print the message “file type is illegal”.

The only statement that actually decides whether the file is uploaded is "if file.FileSize>0 then". Almost all of the other checks in the code are superfluous.

Below is my fix. It may not be done well, and friends who can read the code will have their own; after all, I am a beginner too, and there are actually many ways to fix this.

Follow one principle: put the code that checks for the ASP file type after the IF, and the code that performs the upload after the ELSE.

=====================================================================

<body bgcolor="<%=bgcolor%>" leftmargin="0" topmargin="0">
<table width="100%" height="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td align="center">
<script language="Javascript">
function minipic(smileface) {
    window.opener.document.myform.pic.value = smileface;
    window.close()
}
</script>
<%
set upload=new upload_5xSoft
set file=upload.file("file1")
formPath="../brought you/"
if file.filesize>1 then 'the image size must be greater than 1, otherwise nothing is uploaded
    if file.filesize>100000000000000000000000000000000000000 then 'image larger than 100XXX: not uploaded
        response.Write("uploaded image is too large,please re-upload!")
    else
        fileExt=lcase(right(file.filename,3)) 'take the extension of the uploaded file
        if fileExt="asp" then 'check whether the uploaded file type is ASP
            Response.Write "can not upload an ASP type of file" 'tell the user that ASP files cannot be uploaded
        else 'otherwise go ahead and upload
            randomize
            ranNum=int(9000000*rnd)+10000
            filename=year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&ranNum&"."&fileExt
            if file.FileSize>0 then 'upload only if the file size is greater than 0
                file.SaveAs Server.mappath(formPath&FileName)
                response.write "<a href=Javascript:minipic('"&filename&"');>OK</a>"
            end if 'closes the size-greater-than-0 upload check
        end if 'closes the ASP file type check
    end if 'closes the larger-than-100XXX check
end if 'closes the image-size-greater-than-1 check
%>
</td> </tr> </table> </body>

=====================================================================

It is that simple. Friends who do not understand can read the comments and should more or less get it. The IF/ELSE control structures are nested several levels deep, which would make anyone dizzy.
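A hardened variant of the handler above, as an added example that is not part of the original program or the author's patch: it accepts only an allowlist of image extensions instead of rejecting the single value "asp", and replaces the nested IF/ELSE with one flat ElseIf chain so the save is reachable only after every check has passed. SafeImageExt, MAX_UPLOAD_BYTES, the extension list and the "no file was uploaded" message are assumptions; the block goes inside the page's <% ... %> section with the upload_5xSoft class included as in the original.

```vbscript
' Added example, not the original program's code.
Const MAX_UPLOAD_BYTES = 2097152   ' assumed limit (2 MB); adjust to the site's needs

' Returns the lower-cased extension when it is on the allowlist, otherwise "".
' The extension is everything after the LAST dot, so "a.asp", "a.jpg.asp"
' and names without a dot are all rejected.
Function SafeImageExt(clientName)
    Dim dotPos, ext
    SafeImageExt = ""
    dotPos = InStrRev(clientName, ".")
    If dotPos = 0 Then Exit Function
    ext = LCase(Mid(clientName, dotPos + 1))
    Select Case ext
        Case "gif", "jpg", "jpeg", "png", "bmp"   ' assumed set of image types
            SafeImageExt = ext
    End Select
End Function

Dim upload, file, fileExt, ranNum, filename, formPath
Set upload = New upload_5xSoft
Set file = upload.file("file1")
formPath = "../brought you/"          ' path exactly as it appears on the page
fileExt = SafeImageExt(file.filename)

If file.FileSize <= 0 Then
    Response.Write "no file was uploaded"
ElseIf file.FileSize > MAX_UPLOAD_BYTES Then
    Response.Write "uploaded image is too large,please re-upload!"
ElseIf fileExt = "" Then
    Response.Write "file type is illegal"
Else
    ' Every check passed: the stored name is generated on the server and only
    ' the validated extension is taken from the client-supplied name.
    Randomize
    ranNum = Int(9000000 * Rnd) + 10000
    filename = Year(Now) & Month(Now) & Day(Now) & Hour(Now) & Minute(Now) & Second(Now) & ranNum & "." & fileExt
    file.SaveAs Server.MapPath(formPath & filename)
    Response.Write "<a href=Javascript:minipic('" & filename & "');>OK</a>"
End If
```

The extension check covers only the name; disabling script execution for the upload directory in the web server configuration keeps a stored file from running even if a check is later weakened.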

That's it, I'm off to bed. The assembly tutorial has finished downloading, so next I can study some assembly and shore up my own cracking fundamentals.