By:小A
官方网址:http://www.reaft.com/
Cms下载地址:http://www.reaft.com/html/1/200.html
界面做的还不错,搜索了一下好像用的人很少,开始。
首先看目录下 UpLoad.html 文件上传,调用了的是 UpLoad.asp。
|
UpLoad.asp:
<!--#include file="UpLoad_Class.vbs.asp"-->
<!--#include file="request.asp" -->
<!--#include file="conn.asp" -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>文件上传</title>
<link href="styles/iframe.css" rel="stylesheet" type="text/css" />
<script src="scripts/admin.js"></script>
</head>
<body>
<div class="iframeBody">
<%
dim upload
set upload = new AnUpLoad
upload.Exe = "*"
upload.MaxSize = 4 * 1024 * 1024 '4M
upload.GetData()
if upload.ErrorID>0 then
response.Write upload.Description
else
postMess("images/operate_02.jpg")
dim savpath
savepath = "/upload/"&year(date())&"/"&month(date())&"/"
for each f in upload.files(-1)
dim file
set file = upload.files(f)
if not(file is nothing) then
if file.saveToFile(savepath,0,true) then
postMess("images/operate_01.jpg")
postValue = postValue&""&savepath&file.filename&"|"
response.write ("<script>window.parent.document.getElementById("""&postName&""").value="""&postValue&""";</script>")
end if
end if
set file = nothing
next
end if
set upload = nothing
%>
</div>
</body>
</html> |
然后在来看看:UpLoad_Class.vbs.asp。
|
UpLoad_Class.vbs.asp:
<!--#include file="admin.asp" -->
<%
'=========================================================
'类名: AnUpLoad(艾恩无组件上传类)
'=========================================================
C省略N行代码
Public Function GetWH()
'本函数代码参考网络
On Error Resume Next
mvarExtend = lcase(mvarExtend)
if instr("|jpg|jpeg|bmp|png|gif|asa|","|" & mvarExtend & "|")<=0 then exit function
Dim m_binItem
Set m_binItem =server.CreateObject("ADODB.Stream")
m_binItem.Mode = 3
m_binItem.Type = 1
m_binItem.Open
Dim Info
Set Info = server.CreateObject("ADODB.Recordset")
Info.Fields.Append "value", 205, -1
Info.Open
Info.AddNew
Info("value").AppendChunk (mvarValue)
m_binItem.Write (Info("value"))
Info("value").AppendChunk (Null)
Info.Update
Info.Close
Set Info = Nothing
select case lcase(mvarExtend)
case "jpg","jpeg"
m_binItem.Position=3
do while not m_binItem.EOS
do
intTemp = Ascb(m_binItem.Read(1))
loop while intTemp = 255 and not m_binItem.EOS
if intTemp < 192 or intTemp > 195 then
m_binItem.read(Bin2Val(m_binItem.Read(2))-2)
else
Exit do
end if
do
intTemp = Ascb(m_binItem.Read(1))
loop while intTemp < 255 and not m_binItem.EOS
loop
m_binItem.Read(3)
mvarHeight = Bin2Val(m_binItem.Read(2))
mvarWidth = Bin2Val(m_binItem.Read(2))
case "gif"
if Lcase(strFext)<>"gif" then strFext="gif"
m_binItem.Position=6
mvarWidth = BinVal2(m_binItem.Read(2))
mvarHeight = BinVal2(m_binItem.Read(2))
case "png"
if Lcase(strFext)<>"png" then strFext="png"
m_binItem.Position=18
mvarWidth = Bin2Val(m_binItem.Read(2))
m_binItem.Read(2)
mvarHeight = Bin2Val(m_binItem.Read(2))
case "bmp"
if Lcase(strFext)<>"bmp" then strFext="bmp"
m_binItem.Position=18
mvarWidth = BinVal2(m_binItem.Read(4))
mvarHeight = BinVal2(m_binItem.Read(4))
case "asa"
if Lcase(strFext)<>"asa" then strFext="asa"
m_binItem.Position=18
mvarWidth = BinVal2(m_binItem.Read(2))
mvarHeight = BinVal2(m_binItem.Read(2))
end select
m_binItem.Close
If err then
mException=Err.Description
End If
End Function
|
看红色部分,其他就不解释了。
直接上传asa拿shell。
还有就是上传可能会提示登录,直接伪造session就可以通过了。(站长评论:什么、?伪造 Session???……我了个擦,这要是能伪造,那岂不、、、小A同学可能是看错了,当成了cookie ……)
验证代码在 admin.asp。
|
admin.asp:
<%
if session("username")="" and session("password")="" then
session("Errortxt")="登录超时,请重新登陆"
response.Redirect("login.asp")
response.end
end if
%> |
其他就不多说了!
重新编辑了一下,第一次发贴,格式不对,请见谅。
这个应该算是一个漏洞吧,不知道是不是作者故意加上的,在上传扩展名,检查那里,居然加了个asa,无意间发现的。
文章作者
Nuclear'Atk
上次更新
2011-08-17
许可协议
Nuclear'Atk(核攻击)网络安全实验室版权所有,转载请注明出处。