Graduation thesis system upload vulnerability-vulnerability warning-the black bar safety net

2012-11-12T00:00:00
ID MYHACK58:62201235505
Type myhack58
Reporter 佚名
Modified 2012-11-12T00:00:00

Description

The vulnerability is in the FileUpload.asp file under the fileload directory: the upload is not properly checked, which results in a file upload vulnerability.

Look at the code

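// Client-side configuration of the upload widget for the form "uploadForm".
// NOTE(review): Limit and ExtIn are evaluated by this script in the browser, so
// they cannot restrict what is actually sent to the server. The server-side
// handler is not shown in this listing; it has to enforce the extension
// allow-list itself and must not rely on these settings.
var fu = new FileUpload("uploadForm", "idFile", {
  Limit: 3,
  ExtIn: ["rar", "doc", "xls"],
  RanName: true,
  // Hide a file input once it holds a value; drop it from the folder node otherwise.
  onIniFile: function(file){
    if (file.value) {
      file.style.display = "none";
    } else {
      this.Folder.removeChild(file);
    }
  },
  onEmpty: function(){ alert("please select a file"); },
  onLimite: function(){ alert("exceeds upload limit"); },
  onSame: function(){ alert("already has the same file"); },
  // Browser-side message only: shown when the chosen extension is not in ExtIn.
  onNotExtIn: function(){ alert("only allowed to upload" + this.ExtIn.join("and") + "file"); },
  onFail: function(file){ this.Folder.removeChild(file); },
  onIni: function(){
    // Display the file list: one row per selected file with a "cancel" link.
    var arrRows = [];
    if (this.Files.length) {
      var oThis = this;
      Each(this.Files, function(o){
        var a = document.createElement("a");
        a.innerHTML = "cancel";
        a.href = "javascript:void(0);";
        a.onclick = function(){ oThis.Delete(o); return false; };
        // o.value is the file input's value; AddList inserts string cells as HTML.
        arrRows.push([o.value, a]);
      });
    } else {
      arrRows.push(["<font color='gray'>no Add-File</font>", " "]);
    }
    AddList(arrRows);
    // Disable the upload and clear buttons while no file is selected.
    $("idBtnupload").disabled = $("idBtndel").disabled = this.Files.length <= 0;
  }
});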


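// Upload button: list the selected file names, hide the inputs, show the
// progress message and submit the form.
// NOTE(review): nothing in this handler inspects the files before the submit;
// whatever the form holds is posted to the server as-is.
$("idBtnupload").onclick = function(){
  // Display the file list (names only, no "cancel" link while uploading).
  var arrRows = [];
  Each(fu.Files, function(o){ arrRows.push([o.value, " "]); });
  AddList(arrRows);

  fu.Folder.style.display = "none";
  $("idProcess").style.display = "";
  $("idMsg").innerHTML = "uploading file to server, please wait......<br />it is possible because of network problems, the program for a long time no response, please click the“<a href='?'><font color='red'>cancel</font></a>”re-upload file";

  fu.Form.submit();
};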


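/**
 * Rebuilds the file-list table ("idFileList") from an array of rows.
 *
 * Each row is an array of cells. A string cell is assigned to the cell's
 * innerHTML; any other value is appended to the cell as a child node.
 *
 * NOTE(review): string cells are inserted as HTML without escaping. The callers
 * in this listing pass the file input's value as a string cell, so the file
 * name is interpreted as markup.
 *
 * @param {Array<Array<string|Node>>} rows - rows to display, one array of cells per row
 */
function AddList(rows){
  var FileList = $("idFileList"), oFragment = document.createDocumentFragment();
  // Build all rows in a document fragment first, then attach them in one step.
  Each(rows, function(cells){
    var row = document.createElement("tr");
    Each(cells, function(o){
      var cell = document.createElement("td");
      if (typeof o == "string") {
        cell.innerHTML = o;
      } else {
        cell.appendChild(o);
      }
      row.appendChild(cell);
    });
    oFragment.appendChild(row);
  });
  // IE does not support innerHTML on tables, so the old rows are removed node by node.
  while (FileList.hasChildNodes()) {
    FileList.removeChild(FileList.firstChild);
  }
  FileList.appendChild(oFragment);
}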


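// Show the configured file limit and allowed extensions in the page text.
// These values are display-only; they come from the client-side fu settings.
$("idLimit").innerHTML = fu.Limit;

$("idExt").innerHTML = fu.ExtIn.join("and");

// Clear button: calls fu.Clear().
$("idBtndel").onclick = function(){ fu.Clear(); };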


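/**
 * Shows a message and then reloads the current page.
 * Per the original comment, the server response calls this function on the
 * main page through window.parent.
 *
 * @param {string} msg - text passed to alert()
 */
function Finish(msg){
  alert(msg);
  // Assigning the current URL to itself reloads the page.
  location.href = location.href;
}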


6 7 | </script> ---|---

6 8 | <span class="STYLE1"> <strong> note:</strong></span></p> ---|---

6 9 | <p class="STYLE1"> ·please select<strong id="idExt">rar, doc, xls</strong>】file formats, other file formats please package and then upload.& lt;/p> ---|---

7 0 | <p class="STYLE1"> ·the file name as detailed as possible to facilitate the download.& lt;/p> ---|---

7 1 | <p class="STYLE1"> ·the file is not too large. </p> ---|---

7 2 | </body> ---|---

7 3 | </html> ---|---
