How to solve ASP Image Upload Vulnerability

I often hear about the asp upload vulnerability, that is, modifying the suffix of some Trojan Files (to the suffix of image files) for uploading.
Note: after the test by icech of the western enetwork, checkfiletype cannot determine the file disguised as gif89a.

Use the following functions to identify the problem:

<%
'*************************************** ***************************
The 'checkfiletype function is used to check whether the file is an image file.
'Filename is the path of the local file.
'If one of the JPEG, GIF, BMP, and PNG files is used, the function returns true; otherwise, the system returns false.
'*************************************** ***************************

Const adtypebinary = 1

Dim JPG (1): JPG (0) = cbyte (& HFF): JPG (1) = cbyte (& hd8)
Dim BMP (1): BMP (0) = cbyte (& h42): BMP (1) = cbyte (& h4d)
Dim PNG (3): PNG (0) = cbyte (& H89): PNG (1) = cbyte (& h50): PNG (2) = cbyte (& h4e ): PNG (3) = cbyte (& h47)
Dim GIF (5): GIF (0) = cbyte (& h47): GIF (1) = cbyte (& h49): GIF (2) = cbyte (& h46 ): GIF (3) = cbyte (& h39): GIF (4) = cbyte (& H38): GIF (5) = cbyte (& H61)

Function checkfiletype (filename)
On Error resume next
Checkfiletype = false
Filename = lcase (filename)
Dim fstream, fileext, stamp, I
Fileext = mid (filename, limit Rev (filename, ".") + 1)
Set fstream = server. Createobject ("ADODB. Stream ")
Fstream. Open
Fstream. type = adtypebinary
Fstream. loadfromfile filename
Fstream. Position = 0
Select case fileext
Case "jpg", "Jpeg"
Stamp = fstream. Read (2)
For I = 0 to 1
If ASCB (midb (stamp, I + 1, 1) = JPG (I) Then checkfiletype = true else checkfiletype = false
Next
Case "GIF"
Stamp = fstream. Read (6)
For I = 0 to 5
If ASCB (midb (stamp, I + 1, 1) = GIF (I) Then checkfiletype = true else checkfiletype = false
Next
Case "PNG"
Stamp = fstream. Read (4)
For I = 0 to 3
If ASCB (midb (stamp, I + 1, 1) = PNG (I) Then checkfiletype = true else checkfiletype = false
Next
Case "BMP"
Stamp = fstream. Read (2)
For I = 0 to 1
If ASCB (midb (stamp, I + 1, 1) = BMP (I) Then checkfiletype = true else checkfiletype = false
Next
End select
Fstream. Close
Set fseteam = nothing
If err. Number <> 0 then checkfiletype = false
End Function
%>

So in the Application
Checkfiletype (server. mappath ("cnbruce.jpg "))
Or
Checkfiletype ("F:/web/164/images/cnbruce.jpg "))

It is the image file type used to verify the local physical address. The value true or false is returned.

Therefore, this situation is applied to image uploading. The current method is to allow the upload of the "pseudo image" file first, and then use the above User-Defined Function to determine whether the file complies with the image specifications, if the trojan is disguised as an image file, FSO is deleted, for example:

File. saveas server. mappath (filename) 'save the file
If not checkfiletype (server. mappath (filename) then
Response. Write "incorrect image format"
Set FSO = Createobject ("scripting. FileSystemObject ")
Set ficn = FSO. GetFile (server. mappath (filename ))
Ficn. Delete
Set ficn = nothing
Set FSO = nothing
Response. End
End if

Asp upload vulnerability also uses "\ 0" to operate filepath
Http://www.cnbruce.com/blog/showlog.asp? Cat_id = 32 & log_id = 635

The following functions can be used in this case:

Function truestr (filetrue)
Str_len = Len (filetrue)
Pos = instr (filetrue, CHR (0 ))
If Pos = 0 or Pos = str_len then
Truestr = true
Else
Truestr = false
End if
End Function

Then you can determine and upload the file again.

If truestr (filename) = false then
Response. Write "invalid file"
Response. End
End if

File. saveas server. mappath (filename)