When we build a file upload function in ASP, we usually want to stop users from uploading trojans (web shells), so we restrict which file types may be uploaded. The common approach is to check whether the extension of the uploaded file matches an allowed pattern: take the last four characters of the file name with the Right() string function and compare them. That is easy to write, but it contains a very dangerous loophole, the Chr(0) vulnerability. The details follow below.
First, what is Chr(0)?
In ASP, the Chr() function returns the character for a given ASCII code, and Chr(0) is the NUL character, which many underlying system calls treat as a string terminator. Put simply, when a string contains a Chr(0), only the characters before the Chr(0) are used and everything after it is dropped. For example:
<% Response.Write "htmer.com" & Chr(0) & "Welcome" %>
Run the code above under IIS and look at the result: only "htmer.com" is output. The following "Welcome" disappears, because when the runtime reaches Chr(0) it treats the string as finished.
Second, how the Chr(0) upload vulnerability works:
Suppose the ASP program has been set up so that only JPG files may be uploaded. Here is how the Chr(0) vulnerability lets an ASP trojan through:
Assume there is an ASP trojan file named htmer.asp, and it is renamed to htmer.asp. jpg. Do you see the "space" in the middle? When the program receives the file name, that character is actually Chr(0). Checking it with Right("htmer.asp. jpg", 4) returns ".jpg", so the extension check passes. But when the server actually reads the name htmer.asp. jpg to create the file, it stops at Chr(0) and believes the name has ended, so the trailing ".jpg" is never used and the file written to disk is automatically named htmer.asp. What does that mean? I think you already know.
Third, how to fix the Chr(0) vulnerability:
The solution is to check whether the uploaded file name contains Chr(0) before any extension check or file write. In ASP this can be done directly with the Replace function to strip Chr(0) characters from the name (or, more strictly, by rejecting any file name in which InStr finds Chr(0) at all).
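The following classic ASP snippet is an added example, not code from the original article. It shows why a Right(name, 4) check is fooled and how a validator that first tests for Chr(0) and then reads the extension after the last dot closes the hole. The function name IsSafeUploadName and the whitelist of image extensions are assumptions for illustration; the tainted file name is constructed inline.

```vbscript
<%
' Added example (not from the original article): validate an uploaded file name
' before it is written to disk. Rejects names that contain Chr(0) rather than
' silently repairing them, then checks the extension against a whitelist.
Function IsSafeUploadName(fileName)
    Dim dotPos, ext, allowed, i
    IsSafeUploadName = False

    ' 1. Reject any name containing the NUL character. A name such as
    '    "htmer.asp" & Chr(0) & ".jpg" passes Right(name, 4) = ".jpg" but is
    '    truncated to "htmer.asp" when the file is created on disk.
    If InStr(fileName, Chr(0)) > 0 Then Exit Function

    ' 2. Take the extension after the LAST dot instead of the last four
    '    characters, so "file.jpeg" is handled and "file.jpg.asp" is judged on "asp".
    dotPos = InStrRev(fileName, ".")
    If dotPos = 0 Then Exit Function
    ext = LCase(Mid(fileName, dotPos + 1))

    ' 3. Whitelist of permitted extensions (assumption: image uploads only).
    allowed = Array("jpg", "jpeg", "gif", "png")
    For i = 0 To UBound(allowed)
        If ext = allowed(i) Then
            IsSafeUploadName = True
            Exit Function
        End If
    Next
End Function

' Demonstration with a constructed file name carrying an embedded Chr(0).
Dim tainted
tainted = "htmer.asp" & Chr(0) & ".jpg"

' The naive check only looks at the last four characters and is satisfied.
Response.Write "Right(tainted, 4) = " & Right(tainted, 4) & "<br>"

' The validator sees the Chr(0) and refuses the name.
Response.Write "IsSafeUploadName(tainted) = " & IsSafeUploadName(tainted) & "<br>"

' A normal image name is still accepted.
Response.Write "IsSafeUploadName(""photo.jpg"") = " & IsSafeUploadName("photo.jpg") & "<br>"
%>
```

The article's own remedy, Replace(fileName, Chr(0), ""), also works: after stripping the NUL the name becomes htmer.asp.jpg and the extension check then runs on the real final extension. Rejecting the upload outright is preferable in practice, because a legitimate client never sends Chr(0) inside a file name, so its presence is a reliable sign of tampering worth logging.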