Principle Analysis of ASP Upload Vulnerabilities

Source: Internet
Author: User


Upload vulnerabilities are more lethal than injection vulnerabilities. They let an attacker put a web trojan in ASP, JSP, CGI, PHP or another server-side format into the website directory, which yields at the very least a webshell; if the administrator is careless about security, a privilege-escalation tool can then turn that into administrator rights. As usual, the hunt for the vulnerability starts from the source code. There are two targets: filepath (the file path) and filename (the file name).

I. filepath

filepath may be unfamiliar to some, but everyone remembers the DvBBS (动网) 6.0 upload vulnerability. That upload vulnerability was caused by lax filtering of filepath. Although DvBBS itself no longer has the vulnerability, plenty of programs still use that upload source code. For example, the "Marriott download program" I am using has a loosely filtered filepath in upfile.asp (the upload script) of its ads (advertisement) section. Let's analyze part of the source:

<%
Dim upload, file, formname, formpath, icount, filename, fileext   ' declare the upload variables
Set upload = New upload_5xsoft                                     ' create the upload object (the 5xsoft no-component upload class)
formpath = upload.Form("filepath")                                 ' step 1: take the save path straight from the form field; this is the key
If Right(formpath, 1) <> "/" Then formpath = formpath & "/"
For Each formname In upload.File                                   ' iterate over the uploaded files
    Set file = upload.File(formname)                               ' get a file object
    ' ........................ (part of the code omitted)
    fileext = LCase(Right(file.FileName, 4))                       ' last four characters of the file name, lowercased (includes the dot)
    If fileext <> ".gif" And fileext <> ".jpg" And fileext <> ".zip" And fileext <> ".rar" And fileext <> ".swf" Then   ' extension check
        Response.Write "<font size=2>Incorrect file format [<a href=# onclick=history.go(-1)>re-upload</a>]</font>"
        Response.End
    End If
    Randomize
    rannum = Int(90000 * Rnd) + 10000
    ' step 2: the save name = submitted path + year/month/day/hour/minute/second + random number + checked extension
    filename = formpath & Year(Now) & Month(Now) & Day(Now) & Hour(Now) & Minute(Now) & Second(Now) & rannum & fileext
    If file.FileSize > 0 Then
        file.SaveAs Server.MapPath(filename)                       ' save the file
    End If
    Set file = Nothing
Next
%>

In this source code, the two key statements are:

1. formpath = upload.Form("filepath")

2. filename = formpath & Year(Now) & Month(Now) & Day(Now) & Hour(Now) & Minute(Now) & Second(Now) & rannum & fileext

(Side note on variables and constants: a variable is a value that can change at any time while the program runs; a constant is the opposite, a value that stays fixed for the whole run.)

Now let's see how the vulnerability arises. The first statement takes the storage path from the form variable filepath; the second builds a new variable from that path variable (formpath) plus a randomly generated number and the checked extension. That variable, filename, is the full path and name of the uploaded file. This is still abstract, so here is an example. Suppose you upload 111.jpg. Along with the file, the form also sends the filepath variable; say its value is "image". Once these values reach upfile.asp, filename becomes "image/200512316321944973.jpg", and after the upload succeeds 111.jpg sits in the image folder under the name 200512316321944973.jpg. This process looks watertight, yet someone clever found a way through it. Where is the breakthrough? In the variable. Change the filepath value to "image/AA.asp□", where "□" stands for the byte 0x00 (null). After this is submitted to upfile.asp, filename becomes
"image/AA.asp□/200512316321944974.jpg". When the server hands this string to the file system, the underlying file API treats the 0x00 as the end of the string, so everything after "□" is ignored and filename is effectively "image/AA.asp". file.SaveAs then writes the upload as AA.asp. There is the vulnerability.

To exploit this vulnerability you can use the Guilin Veteran (桂林老兵) upload tool, or capture the request with a Winsock sniffer, save the captured submission in Notepad, add and modify the relevant content, change the placeholder character to the byte 0x00 with WinHex, and finally resubmit it with nc. Both methods are described in detail in related articles (Hedgehog, 2005).
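As an added example (not code from the article or from any of the programs it discusses), the following Python models the filepath attack end to end: it builds the multipart body that the capture-edit-resubmit procedure sends, with the 0x00 byte embedded in the filepath field, and simulates how upfile.asp's path assembly turns that into a save path, next to a hardened handler that ignores the client-supplied path. The field names, the boundary and the fixed timestamp/random string are constructed assumptions.

```python
import posixpath
from typing import Optional

BOUNDARY = b"----FormBoundaryConstructed"      # constructed, not a captured value
STAMP = "200512316321944974"                   # stands in for Year(Now)..Second(Now) & rannum
ALLOWED_EXT = (".gif", ".jpg", ".zip", ".rar", ".swf")


def build_multipart(fields: dict, file_field: str, filename: str, content: bytes) -> bytes:
    """Build a multipart/form-data body. Text fields are copied byte for byte,
    so a \\x00 inside 'filepath' reaches the server exactly as it would after
    patching the captured request with a hex editor."""
    parts = []
    for name, value in fields.items():
        parts.append(b"--" + BOUNDARY + b"\r\n"
                     + b'Content-Disposition: form-data; name="' + name.encode() + b'"\r\n\r\n'
                     + value.encode("latin-1") + b"\r\n")
    parts.append(b"--" + BOUNDARY + b"\r\n"
                 + b'Content-Disposition: form-data; name="' + file_field.encode()
                 + b'"; filename="' + filename.encode() + b'"\r\n'
                 + b"Content-Type: application/octet-stream\r\n\r\n" + content + b"\r\n")
    parts.append(b"--" + BOUNDARY + b"--\r\n")
    return b"".join(parts)


def vulnerable_save_path(formpath: str, uploaded_name: str) -> Optional[str]:
    """Model of the vulnerable upfile.asp. Returns the path the file is
    written to, or None when the extension check rejects it."""
    fileext = uploaded_name[-4:].lower()                 # LCase(Right(file.FileName, 4))
    if fileext not in ALLOWED_EXT:
        return None
    if not formpath.endswith("/"):                       # If Right(formpath, 1) <> "/"
        formpath += "/"
    filename = formpath + STAMP + fileext                # formpath & timestamp & rannum & fileext
    # Server.MapPath / the Win32 file API read the string as NUL-terminated,
    # so everything after the first 0x00 is dropped before the file is created.
    return filename.split("\x00", 1)[0]


def hardened_save_path(formpath: str, uploaded_name: str) -> str:
    """Hardened handler (assumed design, not the program's code): the
    client-supplied path is ignored entirely, the name is checked for control
    bytes, and the extension is the real suffix compared against an allow-list."""
    del formpath                                         # never trust a client-chosen directory
    if any(ord(c) < 0x20 for c in uploaded_name):        # covers \x00 as well
        raise ValueError("control byte in file name")
    fileext = posixpath.splitext(posixpath.basename(uploaded_name))[1].lower()
    if fileext not in ALLOWED_EXT:
        raise ValueError("extension not allowed: %r" % fileext)
    return posixpath.join("image", STAMP + fileext)      # fixed, server-chosen directory


if __name__ == "__main__":
    body = build_multipart({"filepath": "image/AA.asp\x00"}, "file1", "111.jpg", b"GIF89a...")
    print(body)
    print(vulnerable_save_path("image", "111.jpg"))              # image/200512316321944974.jpg
    print(vulnerable_save_path("image/AA.asp\x00", "111.jpg"))   # image/AA.asp
    print(hardened_save_path("image/AA.asp\x00", "111.jpg"))     # image/200512316321944974.jpg
```

The attacker's file really does end in .jpg and passes the extension check; only the directory string is poisoned, which is why filtering the file name alone does nothing here. The hardened version removes the attacker's influence on the directory altogether rather than trying to sanitize it.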

II. filename

Having covered the vulnerability caused by loose filtering of filepath, let's look at the vulnerabilities caused by lax filtering of filename (the uploaded file's name). Two kinds of lax file-name filtering are shown here:

1. The Qinzhu music program

The "Qinzhu music program negligence vulnerability" published in the 2005.10 issue (in the "Reproducing the Past" column) is an easily exploited upload vulnerability. Here is part of the source of upfile_article.asp:

<%
Const upfiletype = "rar|gif|jpg|bmp|swf|mid|mp3"   ' allowed file types
Const saveupfilespath = "../../uploadfiles"          ' directory for uploaded files (both constants are defined in config.asp)
Dim upload, ofile, formname, savepath, filename, fileext   ' variable declarations
' ........................
founderr = False        ' "error found" flag, initialised to False: the file may be uploaded
enableupload = False    ' "extension is legal" flag, initialised to False: the extension is illegal
savepath = saveupfilespath   ' directory for uploaded files
' ........................
Sub upload_0()   ' no-component upload
    Set upload = New upfile_class   ' create the upload object
    ' ........................
    For Each formname In upload.File   ' loop over all uploaded files
        Set ofile = upload.File(formname)   ' get a file object
        ' ........................
        fileext = LCase(ofile.FileExt)   ' lowercase the extension
        arrupfiletype = Split(upfiletype, "|")   ' the allowed extensions configured in the back end
        For i = 0 To UBound(arrupfiletype)   ' level 1: is the extension in the allowed list?
            If fileext = Trim(arrupfiletype(i)) Then
                enableupload = True   ' the extension is legal
                Exit For
            End If
        Next
        If fileext = "asp" Or fileext = "asa" Or fileext = "aspx" Then   ' level 2: asp, asa and aspx are never allowed
            enableupload = False
        End If
        If enableupload = False Then   ' level 3: an illegal extension raises founderr
            msg = "This file type cannot be uploaded!\nOnly the following file types are supported: " & upfiletype
            founderr = True   ' founderr goes from the initial False to True
        End If
        strjs = "<script language=JavaScript>" & vbCrLf
        If founderr <> True Then   ' level 4: save the file unless an error was found
            Randomize
            rannum = Int(900 * Rnd) + 100
            ' filename = fixed path + year/month/day/hour/minute/second + random number + the extension that was passed in
            filename = savepath & Year(Now) & Month(Now) & Day(Now) & Hour(Now) & Minute(Now) & Second(Now) & rannum & "." & fileext
            ofile.SaveToFile Server.MapPath(filename)   ' save the file
            msg = "File uploaded!"
            ' ........................
        End If
    Next
    Set upload = Nothing
End Sub
%>

This code uses two For loops and two logical (Boolean) variables. The first loop, "For Each formname In upload.File", walks through all the uploaded files; the second, "For i = 0 To UBound(arrupfiletype)", checks the extension. The two logical variables are enableupload and founderr: enableupload records whether the extension is legal (True means legal), and founderr records whether the file may be uploaded (False means it may; odd that False is the passing value!). If only one file is uploaded the code is airtight. But what if two files are uploaded at once? Because this is a no-component upload, several files can be submitted in one request. OK, let's look at what happens when multiple files are uploaded:

First, construct a local HTM file with two upload boxes, posting to the upload script. The HTM code is:

<form action="" method="post" enctype="multipart/form-data">
    <input name="filename1" type="file" class="tx1" size="40">
    <input name="filename" type="file" class="tx1" size="40">
    <input type="submit" name="Submit" value="Upload">
</form>

Open the HTM file, pick a jpg image named 111.jpg in the first box and a cer file named 222.cer in the second, then click Upload to submit both files to the program. Now trace the two files through the upload code above (watch how the logical variables change).

1. Before the first For loop (which reads the file names) the program sets founderr = False and enableupload = False. 111.jpg enters level 1: jpg is an allowed type, so enableupload becomes True.

2. Level 2 checks whether the extension is one of the three forbidden types. jpg is not, so enableupload stays True.

3. Level 3: if enableupload were False, founderr would be set to True. enableupload is True, so founderr keeps the False it was given before the loop.

4. Finally, level 4. Its condition is "If founderr <> True": founderr is False, so 111.jpg is saved. After 111.jpg is uploaded, enableupload = True and founderr = False.

5. The loop then reads the second file, 222.cer, and enters level 1 to check whether it is an allowed type. If cer were allowed, enableupload would be set to True; cer is not, so enableupload keeps its previous value. What is that previous value? The True left behind by 111.jpg. So for the cer file enableupload is True.

6. Level 2: cer is not asp, asa or aspx, the If statement is skipped, and enableupload remains True.

7. Level 3 is skipped because enableupload = True, so the file goes straight to level 4. Now look back at founderr: it has not been touched once since the cer file's verification began. What is its value? Haha, still the False left behind by 111.jpg, and level 4 only requires that founderr not be True. So the cer file passes every checkpoint and lands on the server.

Besides cer, you can also upload files in the "asp□" (□ stands for a space here and below) or "asp." format. The method is simple: add a space or a dot after the asp name in the upload box. Because "asp□" and "asp." are not equal to "asp", they bypass level 2 the same way cer does, and because of Windows file-naming rules the trailing space or dot is discarded when the file is written, so the file is saved with the asp extension.
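As an added example (not code from the music program), the Python below replays the upload_0() loop over several files in one request, so the state leak between files can be watched directly, next to the one-line fix of resetting both flags for every file. It also models the Windows behaviour the article relies on, where a trailing space in the saved name is dropped on disk. The resolved save path and the fixed timestamp are assumptions.

```python
from typing import List

UPFILETYPE = "rar|gif|jpg|bmp|swf|mid|mp3"   # the Const from upfile_article.asp
NEVER = ("asp", "asa", "aspx")                # the level-2 deny list
SAVEPATH = "uploadfiles/"                     # assumed resolved value of saveupfilespath


def file_ext(name: str) -> str:
    """Mimic ofile.FileExt as the article uses it: the text after the last
    dot, kept verbatim (so a trailing space survives)."""
    return name.rsplit(".", 1)[1] if "." in name else ""


def windows_final_name(path: str) -> str:
    """Win32 file creation silently drops trailing spaces and dots from a
    file name, which is what turns 'x.asp ' into 'x.asp' on disk."""
    return path.rstrip(" .")


def process_uploads(names: List[str], reset_per_file: bool) -> List[str]:
    """Replay the upload_0() loop. reset_per_file=False is the code as
    shipped; True resets the two flags at the top of every iteration."""
    allowed = [t.strip() for t in UPFILETYPE.split("|")]
    founderr = False                          # set once before the loop, as in the original
    enableupload = False
    saved = []
    for index, name in enumerate(names, start=1):
        if reset_per_file:
            founderr = False                  # the fix: every file starts from a clean state
            enableupload = False
        fileext = file_ext(name).lower()      # LCase(ofile.FileExt)
        for t in allowed:                     # level 1: allowed list
            if fileext == t:
                enableupload = True
                break
        if fileext in NEVER:                  # level 2: asp/asa/aspx never allowed
            enableupload = False
        if not enableupload:                  # level 3: illegal extension raises founderr
            founderr = True
        if founderr is not True:              # level 4: save unless an error was found
            filename = "%s2005123163219%03d.%s" % (SAVEPATH, index, fileext)
            saved.append(windows_final_name(filename))
    return saved


if __name__ == "__main__":
    print(process_uploads(["111.jpg", "222.cer"], reset_per_file=False))   # both saved
    print(process_uploads(["111.jpg", "222.cer"], reset_per_file=True))    # only the jpg
    print(process_uploads(["222.cer", "111.jpg"], reset_per_file=False))   # nothing: founderr is sticky too
```

Two things the trace shows beyond the article's example: order matters (a rejected file first makes founderr stick to True and blocks even legitimate files after it), and the trailing-space trick only works because the earlier jpg left enableupload at True; with the per-file reset, "shell.asp " has no allowed match of its own and is rejected at level 3.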

2. PowerEasy (动易) 2005

Having covered the music program's upload vulnerability, let's look at the PowerEasy (动易) 2005 upload vulnerability. By coincidence, DvBBS (动网) and PowerEasy (动易) are both "dong", haha! The former vulnerability is caused by multi-file upload; PowerEasy's is caused by lax filtering of the file name. (Hedgehog, 2005) Here is part of the source of upfile.asp:

<%
Private Sub savefile_0()   ' no-component upload
    ' ........................
    Set file = uploadobj.File(formname)   ' get the uploaded file
    fileext = fixname(file.FileExt)       ' step 1: filter the extension with fixname()
    If checkfileext(fileext) = False Then ' step 2: check the filtered extension with checkfileext()
        errcodes = 5
        Exit Sub                          ' abort the upload
    End If
    filename = formatname(fileext)        ' step 3: if the checks pass, generate a date-based name with formatname()
    ' ........................
    If file.FileSize > 0 Then
        file.SaveToFile Server.MapPath(filepath & filename)   ' saved under filepath + filename
        ' ........................
    End If
End Sub
%>

Next, let's look at the functions and values involved in this process.

A. The fixname() function:

Private Function fixname(ByVal upfileext)   ' step 1 filter: strip dangerous extensions
    If IsEmpty(upfileext) Then Exit Function   ' an empty extension leaves the function
    fixname = LCase(upfileext)                 ' lowercase the extension
    fixname = Replace(fixname, Chr(0), "")     ' strip the null byte (binary 00)
    fixname = Replace(fixname, ".", "")        ' strip dots
    fixname = Replace(fixname, "'", "")        ' strip single quotes
    fixname = Replace(fixname, "asp", "")      ' strip every extension mapped to asp.dll, one single-pass Replace() each
    fixname = Replace(fixname, "asa", "")
    fixname = Replace(fixname, "aspx", "")
    fixname = Replace(fixname, "cer", "")
    fixname = Replace(fixname, "cdx", "")
    fixname = Replace(fixname, "htr", "")
    fixname = Replace(fixname, "shtml", "")
End Function

As you can see, every extension mapped to asp.dll is filtered, and so are the dot and the single quote, and even Chr(0). What is Chr(0)? It is the character with the value 0x00, binary 00000000: the null character used in the filepath upload vulnerability above.

B. The checkfileext() function:

Private Function checkfileext(fileext)   ' step 2 check: is the file type acceptable?
    Dim forumupload, i
    checkfileext = False   ' default: reject
    If fileext = "" Or IsEmpty(fileext) Then   ' check 1: an empty extension is rejected
        checkfileext = False
        Exit Function
    End If
    If fileext = "asp" Or fileext = "asa" Or fileext = "aspx" Or fileext = "shtml" Then   ' check 2: these four are always rejected
        checkfileext = False
        Exit Function
    End If
    forumupload = Split(inceptfile, ",")   ' check 3: the extensions allowed in the back end (inceptfile)
    For i = 0 To UBound(forumupload)
        If fileext = Trim(forumupload(i)) Then   ' exact match with an allowed extension
            checkfileext = True
            Exit Function
        Else
            checkfileext = False
        End If
    Next
End Function

This function checks the extension after fixname() has filtered it, in three steps. First, if the extension is empty, the upload is abandoned. Second, if the extension is one of asp, asa, aspx or shtml, the upload is abandoned. Third, the extension is compared with the custom upload extensions configured in the back end, and the upload is allowed only on a match.

C. The filepath value:

The filepath used here is set in upload.asp, as follows:

If info_name = "bbs" Then
    filepath = "/bbs/upload/"
Else
    filepath = "/uploadpic/"
End If

filepath is a constant, so the filepath vulnerability does not apply here.

OK! Now upload a file and follow its verification. Say the uploaded file is 111.cer. In "fileext = fixname(file.FileExt)", cer is one of the strings fixname() strips, so the extension becomes empty. When the empty extension reaches checkfileext(), the statement "If fileext = "" Or IsEmpty(fileext)" fires, the function exits, the format is reported as incorrect and the upload is refused.

How do we get through? The breakthrough is in the fixname() function. As shown above, cer is stripped to nothing during the upload. But change the file extension to ccerer, and add both "ccerer" and "cer" to the custom upload types in the back end. After fixname()'s step-1 filtering, ccerer becomes cer: the inner "cer" is removed (Replace() makes a single pass), leaving the outer c and er. This value is passed to checkfileext(): it passes the first (non-empty) check, passes the second (forbidden-list) check, and is then compared with the back-end upload types. Because "ccerer" and "cer" were added there, the third check sets
checkfileext = True: the file with the ccerer extension is uploaded to the server, saved with the extension cer.

Some may ask: if the uploaded extension is aaspsp□ or aaspsp., doesn't fixname() turn it into asp□ or asp., neither of which is on the forbidden list, so that adding those two types in the back end would get the file saved as asp? I thought so too, but after careful analysis this road is closed. Why? Take the dot first. fixname() contains the statement "fixname = Replace(fixname, ".", "")", which strips the dot, so aaspsp. ends up as plain asp. Look, the dot route is cut off. Now the space. fixname() does not strip spaces, but
when checkfileext() reads the back-end upload types it executes "If fileext = Trim(forumupload(i)) Then", and Trim() deletes the spaces at the beginning and end of a string. So although "asp□" can be entered in the back end, Trim() turns it into "asp" when it is read, while aaspsp□ arrives at this check as "asp□" after passing through the earlier checkpoints. "asp□" <> "asp": invalid pass, no entry!

All in all, upload vulnerabilities are striking. I hope the three upload vulnerability examples above are helpful to everyone.

 
