Whether the upload goes through a component or not, this vulnerability exists in both cases. Readers who need this should go through the following code carefully; once you understand it, the same approach applies everywhere.
Here the UPLOAD component is used as the example.
The three key functions:
```vbscript
' Maps an uploaded file's extension to a safe one: extensions on the allow-list
' pass through (upper-cased), anything else is replaced with ".shit".
function killext(byval s1)
    dim allowext
    allowext=".JPG,.JPEG,.GIF,.BMP,.PNG,.SWF,.RM,.MP3,.WAV,.MID,.MIDI,.RA,.AVI,.MPG,.MPEG,.ASF,.ASX,.WMA,.MOV,.RAR,.ZIP,.EXE,.DOC,.XLS,.CHM,.HLP,.PDF"
    s1=ucase(s1)
    if len(s1)=0 then
        killext=""
    else
        if not chk(allowext,s1,",") then
            killext=".shit"
        else
            killext=s1
        end if
    end if
end function

' Returns true only when s2 exactly matches one of the entries of s1
' (split on the separator fuhao); there is no substring matching.
function chk(byval s1,byval s2,byval fuhao)
    dim i,a
    chk=false
    a=split(s1,fuhao)
    for i = 0 to ubound(a)
        if trim(a(i))=trim(s2) then
            chk=true
            exit for
        end if
    next
end function

' Generates the stored name from the clock instead of the client's file name:
' n1=1 gives a YYYYMMDD folder, n1=2 gives HHMMSS plus a 4-digit random number.
function gname(byval n1)
    dim t,r
    t=now()
    randomize(timer)
    r=int((rnd+1-1)*9999)
    select case n1
        case 1
            gname=year(t)&right("00"&month(t),2)&right("00"&day(t),2)
        case 2
            gname=right("00"&hour(t),2)&right("00"&minute(t),2)&right("00"&second(t),2)&right("0000"&r,4)
    end select
end function
```
Calling code:
```vbscript
dim oup,ofile,ext,myfile

' Persits.Upload component; cap the request size at 10,000,000 bytes
Set oup = Server.CreateObject("Persits.Upload")
oup.SetMaxSize 10000000, True
call oup.Save()
set ofile = oup.files(1)
' Only the extension of the uploaded file is consulted, after the allow-list check
ext=killext(ofile.ext)

' Stored as /YYYYMMDD/HHMMSSrrrr.ext; the original file name is never used
myfile="/" & gname(1) & "/" & gname(2) & ext

call ofile.saveas(server.mappath(myfile))
```
Additional note:
If a hacker uses nc to upload an illegal file, all they end up with is a "dog shit" file such as
200511051234559103.shit
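To make the behaviour of the three functions and the calling code checkable outside IIS, here is an added Python port (example code written for this page, not the original ASP or the AspUpload component's own API). It keeps the same allow-list, the same exact case-insensitive match, the same `.shit` replacement and the same `/YYYYMMDD/HHMMSSrrrr.ext` naming; the clock and the random number are injectable so the result for the page's example name can be reproduced. `secrets.randbelow` stands in for the ASP `Rnd` call (an assumption), and the `EXAMPLE_TIME` constant is constructed to match the `200511051234559103` name shown above.

```python
import os
import secrets
from datetime import datetime

# Allow-list reproduced from the page's allowext string. It includes .EXE, .CHM
# and .HLP; a deployment should keep only the types it actually needs.
ALLOWED_EXTENSIONS = frozenset({
    ".JPG", ".JPEG", ".GIF", ".BMP", ".PNG", ".SWF", ".RM", ".MP3", ".WAV",
    ".MID", ".MIDI", ".RA", ".AVI", ".MPG", ".MPEG", ".ASF", ".ASX", ".WMA",
    ".MOV", ".RAR", ".ZIP", ".EXE", ".DOC", ".XLS", ".CHM", ".HLP", ".PDF",
})

# Same replacement marker the page's killext() uses for rejected extensions.
REJECTED_EXTENSION = ".shit"

# Constructed timestamp matching the page's example name 200511051234559103.shit
# (date 20051105, time 123455, random part 9103).
EXAMPLE_TIME = datetime(2005, 11, 5, 12, 34, 55)
EXAMPLE_RAND = 9103


def kill_ext(ext, allowed=ALLOWED_EXTENSIONS):
    """Port of killext(): exact, case-insensitive match against the allow-list.

    Whitespace is trimmed and the result upper-cased, as in the ASP code; an
    empty extension stays empty, anything not on the list becomes '.shit'.
    """
    ext = ext.strip().upper()
    if not ext:
        return ""
    return ext if ext in allowed else REJECTED_EXTENSION


def generated_name(now, rand):
    """Port of gname(1) and gname(2): (YYYYMMDD folder, HHMMSS + 4-digit random)."""
    folder = now.strftime("%Y%m%d")
    base = now.strftime("%H%M%S") + "%04d" % (rand % 10000)
    return folder, base


def target_path(original_name, now=None, rand=None):
    """Build the server-side path the way the page's calling code does.

    Only the extension of the client-supplied name is consulted; the name
    itself is discarded, so 'shell.asp.jpg' is stored as <generated>.JPG and
    'evil.asp' as <generated>.shit. secrets.randbelow replaces the page's
    Rnd-based number (an assumption of this port).
    """
    if now is None:
        now = datetime.now()
    if rand is None:
        rand = secrets.randbelow(10000)
    _, ext = os.path.splitext(original_name)
    folder, base = generated_name(now, rand)
    return "/%s/%s%s" % (folder, base, kill_ext(ext))


if __name__ == "__main__":
    for name in ("photo.jpg", "evil.asp", "shell.asp.jpg", "README"):
        print(name, "->", target_path(name, EXAMPLE_TIME, EXAMPLE_RAND))
```

Running the block shows the two properties the page relies on: a disallowed extension such as `.asp` ends up as `/20051105/1234559103.shit`, and because the stored name comes entirely from `gname`, nothing else from the client's file name reaches the disk. The allow-list itself is a separate decision: the page's list is generous (it contains `.EXE`, `.CHM` and `.HLP`), so trim it to what the application really serves.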