High version square academic system to upload suffix filter is not strict result can directly Upload a Webshell-vulnerability warning-the black bar safety net

2013-08-25T00:00:00
ID MYHACK58:62201340294
Type myhack58
Reporter 佚名
Modified 2013-08-25T00:00:00

Description

In the older version there is a use of the plug-in file upload vulnerability,but in the new version have not this plugin. This vulnerability is due to the filter is not strict caused by,can directly Upload a Webshell to mention the rights,because the code in the DLL,the country most of the universities have this vulnerability,affected a large range,9 0% or more the school can use this method to provide the right

Upload function is only to determine whether to include". asp" ". php"". exe"string so you can directly upload such as the CER format of the Webshell. right

jwggfbb. cs

private void btn_sc_Click(object sender, EventArgs e)

{

if (Strings. InStr(this. loFile. get_PostedFile(). get_FileName(), ". asp", 0) > 0)

{

this. RegisterStartupScript("Startup", "<script type="text/javascript" language="javascript">// <! [CDATA[

alert('can not upload an asp file to it!!!!');

// ]]></script>");

}

else if (Strings. InStr(this. loFile. get_PostedFile(). get_FileName(), ". php", 0) > 0)

{

this. RegisterStartupScript("Startup", "<script type="text/javascript" language="javascript">// <! [CDATA[

alert('cannot upload a php file it!!!!');

// ]]></script>");

}

else if (Strings. InStr(this. loFile. get_PostedFile(). get_FileName(), ". exe", 0) > 0)

{

this. RegisterStartupScript("Startup", "<script type="text/javascript" language="javascript">// <! [CDATA[

alert(can't upload exe files,please compress and upload it!!!!');

// ]]></script>");

}

else

{

this. tcf = false;

this. The Button1_Click();

if (! this. tcf)

{

if (StringType. StrCmp(this. scms, "1", false) == 0)

{

this. data_dir. set_Text(ConfigurationSettings. get_AppSettings(). get_Item("HTTP1") + "/wbwj/" + this. lstrFileName);

}

if (StringType. StrCmp(this. scms, "2", false) == 0)

{

this. data_dir. set_Text("wbwj/" + this. lstrFileName);

}

}

}

}

scglwj. cs

private void Button2_Click(object sender, EventArgs e)

{

if (Strings. InStr(this. loFile1. get_PostedFile(). get_FileName(), ". asp", 0) > 0)

{

this. get_Response(). Write("<script type="text/javascript" language="javascript">// <! [CDATA[

alert('can not upload an asp file to it!!!!');

// ]]></script>");

}

else if (Strings. InStr(this. loFile1. get_PostedFile(). get_FileName(), ". php", 0) > 0)

{

this. get_Response(). Write("<script type="text/javascript" language="javascript">// <! [CDATA[

alert('cannot upload a php file it!!!!');

// ]]></script>");

}

else

{

this. The Button1_Click();

string mysql = "insert into jwggfbb (GGBT,GGZW,FBDW,FBSJ,YXQX,mxddx,mxxdx,fbnr,scip) values ('" + this. ggbt. get_Text() + "','" + ConfigurationSettings. get_AppSettings(). get_Item("HTTP1") + "UpLoad/" + this. lstrFileName + "','" + this. fbdw. get_Text() + "',to_char(sysdate,'YYYY-MM-DD hh:mi:ss'),'" + this. yxqx. get_Text() + "',",",'wjgl','" + this. get_Request(). get_UserHostAddress() + "')";

OracleConnection objConnection = new OracleConnection(ConfigurationSettings. get_AppSettings(). get_Item("MyConn") + this. zhj. jiemi(ConfigurationSettings. get_AppSettings(). get_Item("MyPwd"), this. zhj. str_jm));

if (Module1_sjf. checksql(mysql))

{

OracleCommand objCommand = new OracleCommand(mysql, objConnection);

objConnection. Open();

objCommand. ExecuteNonQuery();

objConnection. Dispose();

this. DataGrid1. set_EditItemIndex(-1);

this. zhj. BindtoGrid("select * from jwggfbb where fbnr='wjgl' order by fbsj,yxqx", this. DataGrid1);

[1] [2] next