Just now I was bored, so I went to get a XX station (don't worry about it). I was looking for a dish. I finally found an upload vulnerability.
I was eager to find out the moldy pony in the toolbox. That's right. I uploaded a pony. After uploading it, the file type was invalid.
Move the mouse over the OK button and the file name 20093112210270020.3.asp is displayed in the status bar, as shown in the following figure:
However, there is no path. This is a good experience for the big bull. Open the homepage and look for a picture to see if the path is used together for access. That's OK.
Simply get the WEBSHELL (without disrupting it) and download the uploaded files to write some articles.
The following code is the source file:
========================================================== ==================================
<script language="Javascript">
function minipic(smileface)
{
  window.opener.document.myform.pic.value = smileface;
  window.close()
}
</script>
<%
set upload = new upload_5xSoft
set file = upload.file("file1")
formPath = "../PreviousFile/Article/"
if file.filesize > 1 then
  if file.filesize > 100000000000000000000000000000000000000 then
    response.write("the uploaded image is too large. please upload it again!")
  else
    fileExt = lcase(right(file.filename, 3))
  end if
  if fileExt = "asp" then ' this line was written to check the type
    response.write "invalid file type"
  end if ' and the check ends here, so it is useless
end if
randomize
ranNum = int(9000000 * rnd) + 10000
filename = year(now) & month(now) & day(now) & hour(now) & minute(now) & second(now) & ranNum & "." & fileExt
if file.FileSize > 0 then ' the file is saved as long as its size is greater than 0
  file.SaveAs Server.mappath(formPath & FileName)
end if
response.write "<a href=javascript:minipic(" & filename & ");>OK</a>"
%>
</td>
</tr>
</table>
</body>
========================================================== ==================================
A simple analysis shows that the block that checks for the ASP type is useless: it only prints "invalid file type" and does nothing to stop the upload.
The only condition that decides whether the file is saved is If file.FileSize > 0 then; the other checks have no effect on it.
Below is my modification, as an example for friends who are not good with code. After all, I am a beginner too.
Follow one principle: put the code that rejects the ASP file type after the IF, and the code that performs the upload after the ELSE.
========================================================== ==================================
<body bgcolor="<%=bgcolor%>" leftmargin="0" topmargin="0">
<table width="100%" height="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td align="center">
<script language="Javascript">
function minipic(smileface)
{
  window.opener.document.myform.pic.value = smileface;
  window.close()
}
</script>
<%
set upload = new upload_5xSoft
set file = upload.file("file1")
formPath = "../PreviousFile/Article/"
if file.filesize > 1 then ' image size is greater than 1; otherwise nothing is uploaded
  if file.filesize > 100000000000000000000000000000000000000 then ' image is larger than 100XXX
    response.write("the uploaded image is too large. please upload it again!")
  else
    fileExt = lcase(right(file.filename, 3)) ' get the extension of the file to be uploaded
    if fileExt = "asp" then ' check whether the uploaded file type is ASP
      response.write "files of ASP type not to be uploaded" ' an ASP upload is told it cannot be uploaded
    else ' otherwise upload
      randomize
      ranNum = int(9000000 * rnd) + 10000
      filename = year(now) & month(now) & day(now) & hour(now) & minute(now) & second(now) & ranNum & "." & fileExt
      if file.FileSize > 0 then ' the uploaded file size is greater than 0
        file.SaveAs Server.mappath(formPath & FileName)
        response.write "<a href=javascript:minipic(" & filename & ");>OK</a>"
      end if ' closes: file size greater than 0, upload
    end if ' closes: check whether the uploaded file type is ASP
  end if ' closes: image larger than 100XXX
end if ' closes: image size greater than 1
%>
</td>
</tr>
</table>
</body>
========================================================== ==================================
This is easy to handle. If you don't understand it, see the comments. The nested if/else structure can make anyone dizzy.
Pop-up sleeping to compile the tutorial. After downloading the tutorials, you can learn and compile the tutorials to supplement your own cracking basics.
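A stricter variant of the check above, as an added example that is not from the original post or the site's code: it accepts only an allowlist of image extensions instead of rejecting the single extension asp, and saves nothing on any other path. The helper names GetExt and IsAllowedUpload and the extension list are assumptions; the upload_5xSoft calls are the ones used in the code above.

```vbscript
<%
' Added example, not the original site's code.
' Assumption: this form only ever needs to accept images.

' Returns the lower-cased text after the last dot, or "" when there is
' no dot or the name ends with a dot.
Function GetExt(name)
    Dim pos
    GetExt = ""
    pos = InStrRev(name, ".")
    If pos > 0 And pos < Len(name) Then
        GetExt = LCase(Mid(name, pos + 1))
    End If
End Function

' True only for extensions on the allowlist; everything else is refused.
Function IsAllowedUpload(name)
    Select Case GetExt(name)
        Case "jpg", "jpeg", "gif", "png", "bmp"
            IsAllowedUpload = True
        Case Else
            IsAllowedUpload = False
    End Select
End Function

Set upload = New upload_5xSoft
Set file = upload.file("file1")
formPath = "../PreviousFile/Article/"

If file.FileSize > 0 And IsAllowedUpload(file.FileName) Then
    ' The stored name is built from server-side values plus the
    ' allowlisted extension; the rest of the client name is discarded.
    Randomize
    ranNum = Int(9000000 * Rnd) + 10000
    fileName = Year(Now) & Month(Now) & Day(Now) & Hour(Now) & _
               Minute(Now) & Second(Now) & ranNum & "." & GetExt(file.FileName)
    file.SaveAs Server.MapPath(formPath & fileName)
    Response.Write "<a href=javascript:minipic(" & fileName & ");>OK</a>"
Else
    ' Reject and save nothing.
    Response.Write "invalid file type"
End If
%>
```

Keeping the SaveAs call inside the same branch as the successful check is the point of the fix described above; the allowlist only narrows what that branch accepts.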