An ESCMS-based Upload Vulnerability

Source: Internet
Author: User

Code by Link

Web site: www.trfweb.cn

Blog: www.link0day.cn

If you reprint this, please credit the source, thx

Here is the cause. Let's look at the code first:

In admin/downup.asp:

<!--#include file="check.asp"-->
<!--#include file="Up3.inc"-->
<html>
<head>
<title>upload</title>
<link href="text.css" rel="stylesheet" type="text/css">
</head>
<body>
<table width=400 border=0 align="center" cellpadding="6" cellspacing="1" bgcolor="#A2A2A2">
<tr><td width=100% height=100% align="center" bgcolor="#F2F2F2" class=tablebody1>
<%
Dim upload, file, formName, formPath, filename, fileExt
Dim ranNum
Call UpFile()
'=========== Upload without components (upload_0) =============================
Sub UpFile()
    Set upload = New UpFile_Class   ' create the upload object
    upload.GetData(1500*1024)       ' read the uploaded data, limit 1500 KB

    If upload.err > 0 Then
        Select Case upload.err
            Case 1
                Response.Write "Select the file you want to upload first [<a href=# onclick=history.go(-1)>upload again</a>]"
            Case 2
                Response.Write "The size exceeds the limit of 1500 K [<a href=# onclick=history.go(-1)>please upload again</a>]"
        End Select
        Exit Sub
    Else
        formPath = upload.form("filepath")   ' file storage directory; must be readable and writable by the program
        If formPath = "" Then
            formPath = "Upfile"
        End If
        ' append a trailing slash (/) to the directory
        If Right(formPath, 1) <> "/" Then
            formPath = formPath & "/"
        End If
        For Each formName In upload.file     ' iterate over all uploaded files
            Set file = upload.file(formName) ' get a file object
            If file.filesize < 100 Then
                Response.Write "Select the image you want to upload first! [<a href=# onclick=history.go(-1)>upload again</a>]"
                Response.End
            End If

            fileExt = LCase(file.FileExt)
            If CheckFileExt(fileExt) = False Then
                Response.Write "File format is incorrect! [<a href=# onclick=history.go(-1)>upload again</a>]"
                Response.End
            End If

            Randomize
            ranNum = Int(90000 * Rnd) + 10000
            filename = formPath & Year(Now) & Month(Now) & Day(Now) & Hour(Now) & Minute(Now) & Second(Now) & ranNum & "." & fileExt
            If file.FileSize > 0 Then        ' FileSize > 0 means file data is present
                result = file.SaveToFile(Server.MapPath(filename))   ' save the file
                If result = "OK" Then
                    Response.Write "File: <font color=#ff0000>" & file.FilePath & file.FileName & "</font> uploaded successfully!<br>"
                    Response.Write "Save path: <input type=""text"" style=""border-style: solid; border-width: 1"" value=""" & filename & """><br>[<a href=# onclick=""Addpic('" & filename & "')"">click here to add the image path to the text box</a>]"
                    Response.Write "Addpic(" & filename & ")"
%>
<script language="JavaScript">
<!--
var flag = false;
function Addpic(imagePath){
    window.opener.document.AddPro.Down_Url.focus();
    window.opener.document.AddPro.Down_Url.value = imagePath;
    window.opener = null;
    window.close();
}
window.alert("uploaded successfully");
Addpic("<%=filename%>");
//-->
</script>
<%

                Else
                    Response.Write file.FilePath & file.FileName & " upload failed, " & result & "<br>"
                End If
            End If
            Set file = Nothing
        Next
        Set upload = Nothing
    End If
End Sub

' Determine whether the file type is allowed
Private Function CheckFileExt(fileExt)
    Dim Forumupload
    Forumupload = "gif,jpg,bmp,jpeg,rar,zip,txt"
    Forumupload = Split(Forumupload, ",")
    For i = 0 To UBound(Forumupload)
        If LCase(fileExt) = LCase(Trim(Forumupload(i))) Then
            CheckFileExt = True
            Exit Function
        Else
            CheckFileExt = False
        End If
    Next
End Function
%>
</td>
</tr></table>
<table width="400" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td height="120" align="center"><img border=0 width=100 height=100 onload="javascript:drawImage(this);"></td>
</tr>
</table>
</body>
</html>

The core line is formPath = upload.form("filepath"): the path comes straight from the form and is used as the upload directory without any filtering, so the uploaded image is written to whichever directory is supplied. If the web directory's permissions are loose enough to allow creating directories (most are, unless the administrator is extremely paranoid),

then we can construct a directory named like *.asp, and the image naturally gets uploaded into that directory..

What, only one method? No, no. Even if that is filtered, we can still get the file uploaded.

Fire up the familiar nc, submit the request, and cut the path short with the truncation character. Then you have your shell.. The truncation character strikes again ~!

That way you can upload asp files regardless of the path..

Don't get too excited though.. Remember this file lives in the admin directory.. Yes, permissions: that is what limits getting a shell.
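A hardened version of the path and extension handling discussed above, written in Python as an added example here (it is not ESCMS code and not the author's). The extension list and the "Upfile" default are taken from downup.asp; the upload root, the second allow-listed directory and the random stored name are assumptions made for the example.

```python
import os
import re
import secrets
# Assumed layout for this example. "Upfile" and the extension list come from
# downup.asp; the root directory and the second subdirectory are constructed here.
UPLOAD_ROOT = os.path.abspath("uploads_example")
ALLOWED_DIRS = {"Upfile", "pics"}                       # server-side allow-list of target dirs
ALLOWED_EXTS = {"gif", "jpg", "jpeg", "bmp", "rar", "zip", "txt"}

class UploadRejected(ValueError):
    """Raised with the reason an upload target was refused."""

def safe_upload_target(form_filepath: str, client_filename: str) -> str:
    """Return the absolute path to save to, or raise UploadRejected.

    downup.asp builds the target as formPath & <timestamp><random> & "." & fileExt
    with formPath taken verbatim from the form. Here the client value is only a key
    into ALLOWED_DIRS, both inputs are checked for terminator bytes before anything
    else, and the final path is verified to lie inside UPLOAD_ROOT.
    """
    for field, value in (("filepath", form_filepath), ("filename", client_filename)):
        # A NUL or other control byte would make the filesystem layer see a
        # different (shorter) name than the one that was validated.
        if any(ord(ch) < 32 for ch in value):
            raise UploadRejected(f"control character in {field}")

    subdir = form_filepath.strip("/") or "Upfile"       # same default as downup.asp
    if subdir not in ALLOWED_DIRS:                       # allow-list, not "filter *.asp"
        raise UploadRejected(f"directory {subdir!r} is not an upload directory")

    # The extension is the last dotted token of the last path component; nothing else from the client name is kept.
    base = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    m = re.fullmatch(r".+\.([A-Za-z0-9]{1,5})", base)
    if not m or m.group(1).lower() not in ALLOWED_EXTS:
        raise UploadRejected(f"extension of {base!r} is not allowed")
    ext = m.group(1).lower()

    stored = f"{secrets.token_hex(8)}.{ext}"             # stored name never comes from the client
    target = os.path.abspath(os.path.join(UPLOAD_ROOT, subdir, stored))
    if os.path.dirname(target) != os.path.join(UPLOAD_ROOT, subdir):
        raise UploadRejected("resolved path left the upload root")
    return target

def rejection_reason(form_filepath: str, client_filename: str) -> str:
    """'' when the upload would be accepted, otherwise the rejection message (for logging/tests)."""
    try:
        safe_upload_target(form_filepath, client_filename)
        return ""
    except UploadRejected as exc:
        return str(exc)
```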

Let's take a look at check.asp:

<%
If Session("ES_admin") = "" Then
    Call Err_Show()
    Response.End()
End If
' Error Page by foosun
Sub Err_Show()
    Dim Err_ShowChar
    Err_ShowChar = "<html xmlns=""http://www.w3.org/1999/xhtml"">" & chr(10)
    Err_ShowChar = Err_ShowChar & "<head>" & chr(10)
    Err_ShowChar = Err_ShowChar & "<meta http-equiv=""Content-Type"" content=""text/html; charset=gb2312"" />" & chr(10)
    Err_ShowChar = Err_ShowChar & "<title>untitled document</title>" & chr(10)
    Err_ShowChar = Err_ShowChar & "<link href=""Images/admin.css"" rel=""stylesheet"" type=""text/css"">" & chr(10)
    Err_ShowChar = Err_ShowChar & "</head>" & chr(10)
    Err_ShowChar = Err_ShowChar & "<body topmargin=""80""><p>" & chr(10)
    Err_ShowChar = Err_ShowChar & "<table width=""80%"" align=""center"" cellpadding=""10""><tr><td>" & chr(10)
    Err_ShowChar = Err_ShowChar & "<li>You do not have permission to operate on this page!!</li>" & chr(10)
    Err_ShowChar = Err_ShowChar & "<li>Contact the system administrator, or <a target=""_top"" href=""admin_login.asp"">click here to go back to log in</a></li>" & chr(10)
    Err_ShowChar = Err_ShowChar & "<li>Powered by eFsys.Cn</li>" & chr(10)
    Err_ShowChar = Err_ShowChar & "</td></tr></table>" & chr(10)
    Err_ShowChar = Err_ShowChar & "</body>" & chr(10)
    Err_ShowChar = Err_ShowChar & "</html>" & chr(10)
    Response.Write Err_ShowChar
    Response.End
End Sub
%>

The familiar session check; nothing else is filtered.. Well, we have two approaches.

However, the scope of application is not large ~ (Quite suspicious.)

Okay, the article is over.
