apollosun original
In fact, this vulnerability exists whether the upload goes through a component or not. Read the following code carefully; once you understand the code, you will understand the fix.
Taking an upload through the ASPUPLOAD component as the example, the three key functions are:
function killext(byval s1)  'Replace a disallowed file suffix with a harmless one
  dim allowext
  'Whitelist of accepted suffixes; compared case-insensitively after ucase()
  allowext=".JPG,.JPEG,.GIF,.BMP,.PNG,.SWF,.RM,.MP3,.WAV,.MID,.MIDI,.RA,.AVI,.MPG,.MPEG,.ASF,.ASX,.WMA,.MOV,.RAR,.ZIP,.EXE,.DOC,.XLS,.CHM,.HLP,.PDF"
  s1=ucase(s1)
  if len(s1)=0 then
    killext=""
  else
    if not chk(allowext,s1,",") then
      killext=".shit"   'Anything not on the whitelist gets a suffix IIS has no script mapping for
    else
      killext=s1
    end if
  end if
end function
function chk(byval s1,byval s2,byval fuhao)  'Does the list s1 (separated by fuhao) contain s2 as a whole item?
  dim i,a
  chk=false
  a=split(s1,fuhao)
  for i = 0 to ubound(a)
    if trim(a(i))=trim(s2) then
      chk=true
      exit for
    end if
  next
end function
function gname(byval n1)  'Generate directory and file names from the date: n1=1 returns the directory name, n1=2 the file name (without suffix)
  dim t,r
  t=now()
  randomize(timer)
  r=int(rnd*9999)   '0..9998, zero-padded to four digits below
  select case n1
    case 1
      gname=year(t)&right("00"&month(t),2)&right("00"&day(t),2)
    case 2
      gname=right("00"&hour(t),2)&right("00"&minute(t),2)&right("00"&second(t),2)&right("0000"&r,4)
  end select
end function
Calling method:
  dim oup,ofile,ext,myfile
  Set oup = Server.CreateObject("Persits.Upload")
  oup.SetMaxSize 10000000, True   'Reject uploads larger than 10,000,000 bytes
  call oup.Save()   'With no path argument the upload is held in server memory; no file is written yet
  set ofile = oup.files(1)
  ext=killext(ofile.ext)   'ofile.ext is the suffix of the client-supplied name, leading dot included
  myfile="/" & gname(1) & "/" & gname(2) & ext   'Server-generated path; the client's file name is never used
  call ofile.saveas(server.mappath(myfile))   'The date directory from gname(1) must already exist under the web root
Additional note:
Even if a hacker bypasses the form and posts a disallowed file directly with nc, all they end up with on the server is a ".shit" file such as 200511051234559103.shit!
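As an added example that is not part of the original post, the following is a Python port of the page's killext/chk/gname logic and of the calling code, so the suffix whitelist and the generated-name scheme can be exercised offline against sample client file names. The client names and the fixed timestamp are constructed for illustration (the timestamp reproduces the page's sample name 200511051234559103); client_ext is an assumption about how AspUpload's File.Ext behaves (text from the last dot of the base name, leading dot included) and is not the component's own code.

```python
# Added example (not the page's ASP code): Python port of killext/chk/gname
# so the whitelist and generated-name scheme can be exercised offline.
# Attacker file names and the fixed timestamp below are constructed.
import datetime
import random

# Same whitelist as the page's allowext, compared after upper-casing.
ALLOWEXT = (".JPG,.JPEG,.GIF,.BMP,.PNG,.SWF,.RM,.MP3,.WAV,.MID,.MIDI,.RA,"
            ".AVI,.MPG,.MPEG,.ASF,.ASX,.WMA,.MOV,.RAR,.ZIP,.EXE,.DOC,.XLS,"
            ".CHM,.HLP,.PDF")

# Constructed timestamp and random part reproducing the page's sample
# file name 200511051234559103.shit
SAMPLE_TIME = datetime.datetime(2005, 11, 5, 12, 34, 55)
SAMPLE_RAND = 9103


def chk(s1, s2, fuhao=","):
    """Port of chk(): True only if s2 equals one whole item of the
    fuhao-separated list s1 (so ".JP" or "JPG" never match ".JPG")."""
    return any(item.strip() == s2.strip() for item in s1.split(fuhao))


def killext(s1):
    """Port of killext(): keep a whitelisted suffix, keep an empty suffix
    empty, and turn anything else into .shit."""
    s1 = s1.upper()
    if len(s1) == 0:
        return ""
    return s1 if chk(ALLOWEXT, s1, ",") else ".shit"


def gname(n1, t=None, r=None):
    """Port of gname(): n1=1 gives the date directory, n1=2 the
    time+random file stem (four zero-padded random digits)."""
    t = t or datetime.datetime.now()
    if r is None:
        r = int(random.random() * 9999)  # same range as the ASP int(rnd*9999): 0..9998
    if n1 == 1:
        return "%04d%02d%02d" % (t.year, t.month, t.day)
    if n1 == 2:
        return "%02d%02d%02d%04d" % (t.hour, t.minute, t.second, r)
    return ""


def client_ext(filename):
    """Assumed behaviour of AspUpload's File.Ext: the text from the last '.'
    of the base name, leading dot included, or '' when there is no dot."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:] if dot >= 0 else ""


def upload_path(client_filename, t=None, r=None):
    """Build the server-side path exactly as the page's calling code does:
    /<date dir>/<time+random><checked suffix>.  Nothing from the client's
    file name except its whitelisted suffix survives."""
    t = t or datetime.datetime.now()
    ext = killext(client_ext(client_filename))
    return "/" + gname(1, t, r) + "/" + gname(2, t, r) + ext


def demo():
    """Run constructed client names through the scheme; returns {name: path}."""
    names = [
        "photo.jpg",           # allowed suffix, kept (upper-cased)
        "shell.asp",           # script suffix, renamed to .shit
        "shell.jpg.asp",       # double extension: only the last suffix is checked
        "..\\..\\shell.asp",   # traversal in the client name is irrelevant, the path is generated
        "README",              # no suffix at all: saved with no extension
    ]
    return {n: upload_path(n, SAMPLE_TIME, SAMPLE_RAND) for n in names}


if __name__ == "__main__":
    for name, path in demo().items():
        print("%-20s -> %s" % (name, path))
```

Two points worth keeping in mind when reusing the scheme: the check looks only at the text after the last dot and matches whole whitelist items, so the attacker controls nothing in the stored path except which whitelisted suffix (or .shit) it ends in; and the whitelist as written still admits .EXE, .CHM and .HLP, which IIS will not run as script but which are hazardous to anyone who downloads them, so trim it to what the application really needs.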