ASP ultimate protection against uploading vulnerabilities

Source: Internet
Author: User
Upload vulnerabilities exist whether the upload is done through a component or without one. Read the following code carefully; it is enough to read it and understand what it does.

The AspUpload component is used as the example here.

The following three functions are the key:

Function KillExt(ByVal s1) ' Replace a file suffix that is not on the allow list
    Dim allowExt
    allowExt = ".JPG,.JPEG,.GIF,.BMP,.PNG,.SWF,.RM,.MP3,.WAV,.MID,.MIDI,.RA," & _
               ".AVI,.MPG,.MPEG,.ASF,.ASX,.WMA,.MOV,.RAR,.ZIP,.EXE,.DOC,.XLS,.CHM,.HLP,.PDF"
    s1 = UCase(s1) ' the list is upper case, so compare case-insensitively
    If Len(s1) = 0 Then
        KillExt = ""
    Else
        If Not Chk(allowExt, s1, ",") Then
            KillExt = ".shit" ' anything not on the list gets a harmless suffix
        Else
            KillExt = s1
        End If
    End If
End Function

Function Chk(ByVal s1, ByVal s2, ByVal fuhao) ' True if the list s1, delimited by fuhao, contains s2 exactly
    Dim i, a
    Chk = False
    a = Split(s1, fuhao)
    For i = 0 To UBound(a)
        If Trim(a(i)) = Trim(s2) Then
            Chk = True
            Exit For
        End If
    Next
End Function

Function GName(ByVal n1) ' Date-based names: 1 = directory (YYYYMMDD), 2 = file name without suffix (HHMMSS plus 4 random digits)
    Dim t, r
    t = Now()
    Randomize Timer
    r = Int(Rnd * 9999)
    Select Case n1
        Case 1
            GName = Year(t) & Right("0" & Month(t), 2) & Right("0" & Day(t), 2)
        Case 2
            GName = Right("0" & Hour(t), 2) & Right("0" & Minute(t), 2) & Right("0" & Second(t), 2) & Right("0000" & r, 4)
    End Select
End Function

Calling code:

Dim oUp, oFile, ext, myFile

Set oUp = Server.CreateObject("Persits.Upload")
oUp.SetMaxSize 10000000, True
Call oUp.Save() ' Save() with no path keeps the upload in server memory; no file is written yet
Set oFile = oUp.Files(1)
ext = KillExt(oFile.Ext) ' AspUpload's Ext includes the leading dot, matching the allow list

myFile = "/" & GName(1) & "/" & GName(2) & ext ' the client-supplied file name is never used

Call oFile.SaveAs(Server.MapPath(myFile))



Additional notes:

If an attacker bypasses the form (for example with NC) and uploads a file with a disallowed suffix, the saved file is just something like

200511051234559103.shit

a harmless ".shit" file.
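To make the naming decision easy to exercise, here is the page's three functions and its call sequence rewritten in Python. This is an added example, not code from the page or from AspUpload; the function names (kill_ext, chk, ext_of, gname, target_path), the constant SAMPLE_TIME and the narrowed image-only allow list are my own assumptions. It goes slightly beyond the page by also handling names that carry a directory part or a double extension, and by reproducing the sample name from the notes above with a fixed timestamp.

```python
# Added example, not code from the page or from AspUpload: the page's three
# functions and its call sequence in Python so the naming decision can be
# exercised on realistic file names. All names below are my own choices.
import os
import secrets
from datetime import datetime

# Same shape as the page's list: leading dot, upper case, comma separated.
# Narrowed to image types here (an assumption, not the page's own list).
ALLOW_EXT = ".JPG,.JPEG,.GIF,.BMP,.PNG"
REJECT_EXT = ".shit"  # the page's replacement suffix for rejected types

# Constructed fixed timestamp so results are reproducible; it yields the
# page's sample name 20051105 / 1234559103 when the random part is 9103.
SAMPLE_TIME = datetime(2005, 11, 5, 12, 34, 55)


def chk(haystack, needle, sep=","):
    """Page's Chk: True only if some list token equals needle exactly after trimming."""
    return any(tok.strip() == needle.strip() for tok in haystack.split(sep))


def kill_ext(ext, allow=ALLOW_EXT):
    """Page's Killext: keep a listed extension (upper-cased), else REJECT_EXT.
    An empty extension passes through unchanged, exactly as on the page."""
    ext = ext.upper()
    if len(ext) == 0:
        return ""
    return ext if chk(allow, ext) else REJECT_EXT


def ext_of(filename):
    """Mimic the component's Ext property: everything from the last dot on, or ''.
    The basename is taken first so a directory part in the client's name is ignored."""
    base = os.path.basename(filename.replace("\\", "/"))
    i = base.rfind(".")
    return base[i:] if i >= 0 else ""


def gname(which, t=None, r=None):
    """Page's Gname: 1 -> YYYYMMDD directory, 2 -> HHMMSS plus 4 random digits."""
    if t is None:
        t = datetime.now()
    if which == 1:
        return t.strftime("%Y%m%d")
    if which == 2:
        if r is None:
            r = secrets.randbelow(10000)  # the page uses Rnd; a CSPRNG is used here
        return t.strftime("%H%M%S") + "%04d" % r
    raise ValueError("which must be 1 or 2")


def target_path(original_name, t=None, r=None):
    """Server-side path as the page's call sequence builds it: the only thing
    taken from the client's file name is its validated extension."""
    ext = kill_ext(ext_of(original_name))
    return "/" + gname(1, t) + "/" + gname(2, t, r) + ext


if __name__ == "__main__":
    # Constructed sample names covering allowed, rejected, double and missing extensions
    for name in ["holiday.jpg", "report.PDF", "page.asp", "photo.jpg.asp", "noext"]:
        print("%-16s -> %s" % (name, target_path(name, SAMPLE_TIME, 9103)))
```

Two properties of the page's logic stand out when run this way: the comparison is an exact token match, so ".JPG" is accepted while ".JP" or ".JPGX" is not, and a name without any dot is saved with no extension at all rather than with ".shit", because Killext returns "" for an empty input.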


