Upload vulnerability in the member registration of a wine industry network

2011-02-04T00:00:00
ID MYHACK58:62201128984
Type myhack58
Reporter Anonymous
Modified 2011-02-04T00:00:00

Description

Publishing author: xiaokis

Vulnerability type: file upload

Vulnerability description:

File: sub_upload.asp

<!--#include file="UPLOAD.INC"-->
<%if session("admin_name")="" and Session("ME_name")="" then%>
<style type="text/css">
<style type="text/css">
<!--
body,td,th {
    font-size: 12px;
}
-->
</style>
<link href="css/01.css" rel="stylesheet" type="text/css">
<style type="text/css">
<!--
body {
    background-color: #333333;
}
-->
</style>
I'm sorry, you are not a member, does not carry out this operation!
<%else%>
<%
dim arr(3)
dim upload,file,formName,formPath,iCount,filename,fileExt,i
set upload=new upload_5xSoft 'create the upload object

formPath="" 'image storage path: the uploadimages folder under the product directory; end the directory name with (/)

'list all the uploaded files
for each formName in upload.file
    set file=upload.file(formName)
    if file.filesize>0 then
        if file.filesize>10000000 then
            response.write "<font size=2>image size ultra-small limit[<a href=# onclick=history.go(-1)>re-upload</a>]</font>"
            response.end
        end if
        'only the last four characters of the client-supplied name are checked
        fileExt=lcase(right(file.filename,4))
        if fileExt<>".jpg" then
            response.write "<font size=2>File format limit[<a href=# onclick=history.go(-1)>please transmission</a>]</font>"
            response.end
        end if
    end if

    'the stored name is a timestamp followed by the unchanged client-supplied name
    filename=year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&file.FileName

    if file.FileSize>0 then 'a FileSize > 0 means there is file data
        file.SaveAs Server.mappath(formpath&filename) 'save the file
        'response.write file.FilePath&file.FileName&"("&file.FileSize&") => "&formPath&File.FileName&"upload successful"
        response.write "upload successful <a href=# onclick=history.go(-1)>return</a>"
    end if
    set file=nothing
next
set upload=nothing
Response.Write "<script>parent.add.picUrl.value='"&FileName&"'</script>"
%>
<%end if%>

The uploaded file keeps the name supplied by the user (prefixed only with a timestamp), so the IIS parsing vulnerability can be used.

Method of use: register a user first, then fill in the Yellow Pages entry and upload x.asp;.jpg

Upload page: upImgFile/upload.htm

Submission page: upImgFile/sub_upload.asp

Directory where the file is stored after upload: upImgFile

Proof of vulnerability: http://www.xxx.com/upImgFile/2011129204147jiami.asp;.jpg

Solution: as a temporary measure, disable script execution in the upload directory, or strengthen the file filtering.
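
One way to implement the strengthened file filtering named in the solution, shown next to the original check. This is an added example, not code from the advisory or the application; OriginalCheck and SafeUploadName are hypothetical helper names, and the only upload-component calls assumed are the ones already used in sub_upload.asp.

```vbscript
' Added example, not the application's code. OriginalCheck and
' SafeUploadName are hypothetical helper names.

' The check from sub_upload.asp: only the last four characters count,
' so "x.asp;.jpg" is accepted.
Function OriginalCheck(clientName)
    OriginalCheck = (LCase(Right(clientName, 4)) = ".jpg")
End Function

' Hardened form: returns the name to store, or "" to reject the upload.
' The client name is validated but never becomes part of the stored name.
Function SafeUploadName(clientName)
    Dim re, i, suffix, stamp
    SafeUploadName = ""

    Set re = New RegExp
    re.IgnoreCase = True
    ' Must end in .jpg and contain no ; : / \ or NUL anywhere.
    re.Pattern = "^[^;:/\\\x00]+\.jpg$"
    If Not re.Test(clientName) Then Exit Function

    ' Zero-padded timestamp plus a random suffix. Rnd is not a
    ' cryptographic generator; it only keeps names from colliding.
    stamp = Year(Now) & Right("0" & Month(Now), 2) & Right("0" & Day(Now), 2) & _
            Right("0" & Hour(Now), 2) & Right("0" & Minute(Now), 2) & _
            Right("0" & Second(Now), 2)
    Randomize
    suffix = ""
    For i = 1 To 8
        suffix = suffix & Hex(Int(Rnd * 16))
    Next
    SafeUploadName = stamp & "_" & LCase(suffix) & ".jpg"
End Function

' In the page's loop, replacing the timestamp & file.FileName line:
'   filename = SafeUploadName(file.FileName)
'   If filename = "" Then
'       response.write "File format limit"
'       response.end
'   End If
'   file.SaveAs Server.mappath(formPath & filename)
```

Because the stored name always has the form timestamp_suffix.jpg, a name such as x.asp;.jpg is rejected by the pattern and, even if the pattern were loosened, could not reach the upImgFile directory unchanged.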