I often hear about the asp upload vulnerability, that is, modifying the suffix of some Trojan Files (to the suffix of image files) for uploading.
Use the following functions to identify the problem:
<%
'*************************************** ***************************
The 'checkfiletype function is used to check whether the file is an image file.
'Filename is the path of the local file.
'If one of the JPEG, GIF, BMP, and PNG files is used, the function returns true; otherwise, the system returns false.
'*************************************** ***************************
Const adtypebinary = 1
Dim JPG (1): JPG (0) = cbyte (& HFF): JPG (1) = cbyte (& hd8)
Dim BMP (1): BMP (0) = cbyte (& h42): BMP (1) = cbyte (& h4d)
Dim PNG (3): PNG (0) = cbyte (& H89): PNG (1) = cbyte (& h50): PNG (2) = cbyte (& h4e ): PNG (3) = cbyte (& h47)
Dim GIF (5): GIF (0) = cbyte (& h47): GIF (1) = cbyte (& h49): GIF (2) = cbyte (& h46 ): GIF (3) = cbyte (& h39): GIF (4) = cbyte (& H38): GIF (5) = cbyte (& H61)
Function checkfiletype (filename)
On Error resume next
Checkfiletype = false
Dim fstream, fileext, stamp, I
Fileext = mid (filename, limit Rev (filename, ".") + 1)
Set fstream = server. Createobject ("ADODB. Stream ")
Fstream. Open
Fstream. type = adtypebinary
Fstream. loadfromfile filename
Fstream. Position = 0
Select case fileext
Case "jpg", "Jpeg"
Stamp = fstream. Read (2)
For I = 0 to 1
If ASCB (midb (stamp, I + 1, 1) = JPG (I) Then checkfiletype = true else checkfiletype = false
Next
Case "GIF"
Stamp = fstream. Read (6)
For I = 0 to 5
If ASCB (midb (stamp, I + 1, 1) = GIF (I) Then checkfiletype = true else checkfiletype = false
Next
Case "PNG"
Stamp = fstream. Read (4)
For I = 0 to 3
If ASCB (midb (stamp, I + 1, 1) = PNG (I) Then checkfiletype = true else checkfiletype = false
Next
Case "BMP"
Stamp = fstream. Read (2)
For I = 0 to 1
If ASCB (midb (stamp, I + 1, 1) = BMP (I) Then checkfiletype = true else checkfiletype = false
Next
End select
Fstream. Close
Set fseteam = nothing
If err. Number <> 0 then checkfiletype = false
End Function
%>
So in the Application
Checkfiletype (server. mappath ("cnbruce.jpg "))
Or
Checkfiletype ("F:/web/164/images/cnbruce.jpg "))
It is the image file type used to verify the local physical address. The value true or false is returned.
Therefore, this situation is applied to image uploading. The current method is to allow the upload of the "pseudo image" file first, and then use the above User-Defined Function to determine whether the file complies with the image specifications, if the trojan is disguised as an image file, FSO is deleted, for example:
| File. saveas server. mappath (filename) 'save the file If not checkfiletype (server. mappath (filename) then Response. Write "incorrect image format" Set FSO = Createobject ("scripting. FileSystemObject ") Set ficn = FSO. GetFile (server. mappath (filename )) Ficn. Delete Set ficn = nothing Set FSO = nothing Response. End End if |
Then, the file is uploaded first, and then the User-Defined Function is immediately used to determine the file's image type. FSO deletes the file.
Asp upload vulnerability also uses "\ 0" to operate filepath
Http://www.cnbruce.com/blog/showlog.asp? Cat_id = 32 & log_id = 635
The following functions can be used in this case:
| Function truestr (filetrue) Str_len = Len (filetrue) Pos = instr (filetrue, CHR (0 )) If Pos = 0 or Pos = str_len then Truestr = true Else Truestr = false End if End Function |
Then you can determine and upload the file again.
| If truestr (filename) = false then Response. Write "invalid file" Response. End End if File. saveas server. mappath (filename) |
<% @ Language = "VBScript" codePage = "936" %>
<! -- # Include file = "Upload. Inc" -->
<HTML>
<Head>
<Title> File Upload </title>
<Meta http-equiv = "Content-Type" content = "text/html; charset = gb2312">
</Head>
<Body>
<%
On Error resume next
Dim upload, f_folder, file, formpath, icount, filename, fileext, filesizemin, filesizemax
'*************************************** ***************************
The 'checkfiletype function is used to check whether the file is an image file.
'Filename is the path of the local file.
'If one of the JPEG, GIF, BMP, and PNG files is used, the function returns true; otherwise, the system returns false.
'*************************************** ***************************
Const adtypebinary = 1
Dim JPG (1): JPG (0) = cbyte (& HFF): JPG (1) = cbyte (& hd8)
Dim BMP (1): BMP (0) = cbyte (& h42): BMP (1) = cbyte (& h4d)
Dim PNG (3): PNG (0) = cbyte (& H89): PNG (1) = cbyte (& h50): PNG (2) = cbyte (& h4e ): PNG (3) = cbyte (& h47)
Dim GIF (5): GIF (0) = cbyte (& h47): GIF (1) = cbyte (& h49): GIF (2) = cbyte (& h46 ): GIF (3) = cbyte (& h39): GIF (4) = cbyte (& H38): GIF (5) = cbyte (& H61)
Function checkfiletype (filename)
Checkfiletype = false
Dim fstream, fileext, stamp, I
Fileext = mid (filename, limit Rev (filename, ".") + 1)
Set fstream = server. Createobject ("ADODB. Stream ")
Fstream. Open
Fstream. type = adtypebinary
Fstream. loadfromfile filename
Fstream. Position = 0
Select case fileext
Case "jpg", "Jpeg"
Stamp = fstream. Read (2)
For I = 0 to 1
If ASCB (midb (stamp, I + 1, 1) = JPG (I) Then checkfiletype = true else checkfiletype = false
Next
Case "GIF"
Stamp = fstream. Read (6)
For I = 0 to 5
If ASCB (midb (stamp, I + 1, 1) = GIF (I) Then checkfiletype = true else checkfiletype = false
Next
Case "PNG"
Stamp = fstream. Read (4)
For I = 0 to 3
If ASCB (midb (stamp, I + 1, 1) = PNG (I) Then checkfiletype = true else checkfiletype = false
Next
Case "BMP"
Stamp = fstream. Read (2)
For I = 0 to 1
If ASCB (midb (stamp, I + 1, 1) = BMP (I) Then checkfiletype = true else checkfiletype = false
Next
End select
Fstream. Close
Set fseteam = nothing
If err. Number <> 0 then checkfiletype = false
End Function
Function truestr (filetrue)
Str_len = Len (filetrue)
Pos = instr (filetrue, CHR (0 ))
If Pos = 0 or Pos = str_len then
Truestr = true
Else
Truestr = false
End if
End Function
Filesizemin = 100
Filesizemax = 200*1024
Set upload = new upload_5xsoft 'create an upload object
F_folder = upload. Form ("upfilefolder ")
*** **************************************** ********
For each formname in upload. objfile
Set file = upload. File (formname)
If file. filesize> 0 then
**** **************************************** *******
If file. filesize <filesizemin then
Response. write "the file you uploaded is too small [<a href = # onclick = history. Go (-1)> re-upload </a>]"
Elseif file. filesize> filesizemax then
Response. write "the file size exceeds" & filesizemax & "Byte limit [<a href = # onclick = history. Go (-1)> re-upload </a>]"
End if
**** **************************************** ********
Fileext = ucase (right (file. filename, 4 ))
Uploadsuc = false
Forum_upload = "RAR | zip | SWF | JPG | PNG | GIF | Doc | TXT | CHM | PDF | ace | MP3 | WMA | WMV | MIDI | Avi | RM | Ra | rmvb | mov | xls"
Forumupload = Split (forum_upload, "| ")
For I = 0 to ubound (forumupload)
If fileext = "." & trim (forumupload (I) then
Uploadsuc = true
Exit
Else
Uploadsuc = false
End if
Next
If uploadsuc = false then
Response. write "the file format is incorrect [<a href = # onclick = history. Go (-1)> re-upload </a>]"
Response. End
End if
* ***************************************
Set UPF = server. Createobject ("scripting. FileSystemObject ")
If err <> 0 then
Err. Clear
Response. Write ("your server does not support FSO ")
Response. End
End if
F_type = Replace (fileext ,".","")
F_name = year (now) & "-" & month (now)
If UPF. folderexists (server. mappath (f_folder & "/" & f_type & "/" & f_name) = false then
If UPF. folderexists (server. mappath (f_folder & "/" & f_type) = false then
If UPF. folderexists (server. mappath (f_folder) = false then
UPF. createfolder server. mappath (f_folder)
UPF. createfolder server. mappath (f_folder & "/" & f_type)
UPF. createfolder server. mappath (f_folder & "/" & f_type & "/" & f_name)
Else
UPF. createfolder server. mappath (f_folder & "/" & f_type)
UPF. createfolder server. mappath (f_folder & "/" & f_type & "/" & f_name)
End if
Else
UPF. createfolder server. mappath (f_folder & "/" & f_type & "/" & f_name)
End if
End if
F_ftn = f_folder & "/" & f_type & "/" & f_name
Set UPF = nothing
** ***************************************
Randomize
Rannum = int (90000 * RND) + 10000
Filename = f_ftn & "/" & Day (now) & "-" & rannum & "-" & file. filename
If truestr (filename) = false then
Response. Write "invalid file"
Response. End
End if
If file. filesize> filesizemin and file. filesize <filesizemax then
File. saveas server. mappath (filename) 'save the file
If f_type = "jpg" or f_type = "GIF" or f_type = "PNG" then
If not checkfiletype (server. mappath (filename) then
Response. Write "incorrect image format [<a href = # onclick = history. Go (-1)> re-upload </a>]"
Set FSO = Createobject ("scripting. FileSystemObject ")
Set ficn = FSO. GetFile (server. mappath (filename ))
Ficn. Delete
Set ficn = nothing
Set FSO = nothing
Response. End
End if
Response. Write "<SCRIPT> parent.cn _ bruce.cn _ content. Value + ='' </SCRIPT>"
Elseif f_type = "Zip" or f_type = "RAR" or f_type = "Doc" or f_type = "TXT" then
Response. Write "<SCRIPT> parent.cn _ bruce.cn _ content. Value + = '" & filename & "' </SCRIPT>"
'Elseif
Else
Response. Write "<SCRIPT> parent.cn _ bruce.cn _ content. Value + = '" & filename & "' </SCRIPT>"
End if
Icount = icount + 1
End if
Set file = nothing
End if
Next
Set upload = nothing 'Delete this object
Response. Write (icount & "files uploaded successfully! <A href = # onclick = history. Go (-1)> continue upload </a> ")
%>
</Body>
</Html>
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
