A bloody case caused by ASP

Author: xiaohao & yunzhongying
Organization: Security leaf Technical Team

Quote:
Var
Var B
Var tx
Var clean
A = Request ("re ")
Clean = Request ("clean ")
Var jian = "test.txt"

If (clean = 1 ){
Tx = "& a ="
Var fs2
Var fs2 = Server. CreateObject ("Scripting. FileSystemObject ")
Var newdt = fs2.OpenTextFile (Server. MapPath (jian), 2, true)
Newdt. WriteLine ("& a = ")
Newdt. close ()
}

If (clean = 0 | clean = 1 ){
Tx = ""
Var fso = Server. Createobject ("Scripting. FileSystemObject ")
Var file = fso. OpenTextFile (Server. Mappath (jian ))
While (! File. AtEndOfStream ){
Tx = file. ReadLine ()
Response. write (tx)
}
Response. write ("&")
File. close ()
}

If (clean = 2 ){
Tx = ""
Var fso = Server. Createobject ("Scripting. FileSystemObject ")
Var file = fso. OpenTextFile (Server. Mappath (jian ))

Var fs2
Var fs2 = Server. CreateObject ("Scripting. FileSystemObject ")
Var newdt = fs2.OpenTextFile (Server. MapPath (jian), 8, true)

While (! File. AtEndOfStream ){
Tx = file. ReadLine ()
Response. write (tx )}

Response. write (a + "&")
Newdt. WriteLine ()

File. close ()
Newdt. close ()
}

This code was found by the China East black guest Alliance, which is worth looking.
Analyze the role of this Code

Quote: var clean
A = Request ("re ")
Clean = Request ("clean ")
Var jian = "test.txt"

 

If (clean = 0 | clean = 1 ){
Tx = ""
Var fso = Server. Createobject ("Scripting. FileSystemObject ")
Var file = fso. OpenTextFile (Server. Mappath (jian ))
While (! File. AtEndOfStream ){
Tx = file. ReadLine ()
Response. write (tx)
}
Response. write ("&")
File. close ()
}

 

If (clean = 2 ){
Tx = ""
Var fso = Server. Createobject ("Scripting. FileSystemObject ")
Var file = fso. OpenTextFile (Server. Mappath (jian ))

It can be seen that when the CLEAN parameter is 1, the file TEST. TXT will write a string of characters & a = &
When the parameter condition reaches 2, the user-defined parameter can be written, for example, send. asp & clean = 2 & re = test by xxx.
Write it in the current directory.

& A =
Test by xxx &

The mouse said that if the code can use the RESQUEST value, it can be used. I don't know what the technology is, so I won't install B here.
Tested, this code file is not found by any user, and its official

Because it is not enough to talk about the vulnerability, it uses the code!