Upload Vulnerability
In fact, this loophole exists whether the upload is handled by a component or without one. Please read the following code carefully; it is enough to be able to read and understand it.
Here we take upload through the AspUpload component as an example.
The following are the 3 key functions:
Function Killext(ByVal s1) ' Kill illegal file suffixes
    Dim allowext
    ' Allow-list; entries are upper case because s1 is upper-cased before the comparison
    allowext = ".JPG,.JPEG,.GIF,.BMP,.PNG,.SWF,.RM,.MP3,.WAV,.MID,.MIDI,.RA," & _
               ".AVI,.MPG,.MPEG,.ASF,.ASX,.WMA,.MOV,.RAR,.ZIP,.EXE,.DOC,.XLS,.CHM,.HLP,.PDF"
    s1 = UCase(s1)
    If Len(s1) = 0 Then
        Killext = ""
    Else
        If Not Chk(allowext, s1, ",") Then
            Killext = ".shit"
        Else
            Killext = s1
        End If
    End If
End Function

Function Chk(ByVal s1, ByVal s2, ByVal fuhao) ' Check whether list s1 (separated by fuhao) contains s2
    Dim i, a
    Chk = False
    a = Split(s1, fuhao)
    For i = 0 To UBound(a)
        If Trim(a(i)) = Trim(s2) Then
            Chk = True
            Exit For
        End If
    Next
End Function

Function Gname(ByVal n1) ' Automatically generates date-based directory and file names: parameter 1 generates the directory, parameter 2 generates the file name (no suffix)
    Dim t, r
    t = Now()
    Randomize(Timer)
    r = Int((Rnd + 1 - 1) * 9999)
    Select Case n1
        Case 1
            ' Directory name: year, month, day, zero-padded
            Gname = Year(t) & Right("0" & Month(t), 2) & Right("0" & Day(t), 2)
        Case 2
            ' File name: hour, minute, second, zero-padded, plus a 4-digit random number
            Gname = Right("0" & Hour(t), 2) & Right("0" & Minute(t), 2) & Right("0" & Second(t), 2) & Right("0000" & r, 4)
    End Select
End Function
How to call them:
Dim oup, ofile, ext, myfile
Set oup = Server.CreateObject("Persits.Upload")
oup.SetMaxSize 10000000, True
Call oup.Save() ' The upload goes into server memory here; no actual file is generated yet
Set ofile = oup.Files(1)
ext = Killext(ofile.Ext) ' Only the checked suffix is taken from the uploaded file
myfile = "/" & Gname(1) & "/" & Gname(2) & ext
Call ofile.SaveAs(Server.MapPath(myfile))
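Additional notes:
The saved directory and file name are generated on the server, and any suffix that is not in the allow-list is replaced with .shit. So if a hacker uploads an illegal file with NC, the resulting file is just a "crap" file, such as 200511051234559103.shit!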
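The effect described above, as an added Python model that is not part of the original page: it ports Killext and Gname so the naming rule can be run outside IIS, and shows that only the allow-list-checked suffix of a client-supplied name reaches the stored path. `os.path.splitext` standing in for AspUpload's `File.Ext`, `secrets` replacing `Rnd`, and the sample file names and timestamp are assumptions of this example.

```python
import os
import secrets
from datetime import datetime

# Allow-list copied from the page's Killext function.
ALLOWED_EXT = frozenset(
    (".JPG,.JPEG,.GIF,.BMP,.PNG,.SWF,.RM,.MP3,.WAV,.MID,.MIDI,.RA,.AVI,.MPG,"
     ".MPEG,.ASF,.ASX,.WMA,.MOV,.RAR,.ZIP,.EXE,.DOC,.XLS,.CHM,.HLP,.PDF").split(",")
)
REJECTED_EXT = ".shit"  # same neutral suffix the page uses


def kill_ext(ext):
    """Same rule as Killext: keep an allow-listed suffix, neutralise any other."""
    ext = ext.upper()
    if not ext:
        return ""
    trimmed = ext.strip()  # Chk trims both sides before comparing
    return trimmed if trimmed in ALLOWED_EXT else REJECTED_EXT


def stored_path(client_filename, now, rand=None):
    """Build the server-side path; only the checked suffix comes from the client."""
    # Assumption: os.path.splitext stands in for AspUpload's File.Ext.
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1]
    if rand is None:
        # Added change: CSPRNG instead of Rnd seeded from Timer.
        rand = secrets.randbelow(10000)
    folder = now.strftime("%Y%m%d")                # Gname(1)
    name = now.strftime("%H%M%S") + f"{rand:04d}"  # Gname(2)
    return f"/{folder}/{name}{kill_ext(ext)}"


if __name__ == "__main__":
    when = datetime(2005, 11, 5, 12, 34, 55)  # constructed timestamp
    # Constructed client-supplied names, not taken from the page.
    for sent in ["photo.jpg", "Report.PDF", "page.asp", "archive.tar.gz", "noext"]:
        print(f"{sent!r:18} -> {stored_path(sent, when, rand=9103)}")
```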