ASP:
<% Sub Writefile (File) Response.write "File:" File Dim Fso, TF SET FSO = CreateObject ("scripting.filesystemObject") set tf = fso.createtextfile (file, true) tf.writeline ("Testing 1, 2, 3. ") Tf.WriteBlanklines (3) 'Write a line. Tf.write ("this is a test.") TF.Close Set TF = Nothing set fso = nothingend SUB
sub createfolder (path) Dim fso, fldr set fso = CreateObject ( "Scripting.FileSystemObject") Set fldr = fso.CreateFolder (path) Response.Write "create directory:" & fldr.Name set fldr = nothing set fso = nothingend sub
PATH = Request.QueryString ("path") filename = request.QueryString ("filename") file = path "/" FileNameif Path <> "" or filename <> "" The createFolder (PATH) Writefile (file) End IF%>
ASP.NET
<% @ Page language = "c #" debug = "true" contenttype = "text / html" responseEncoding = "GB2312"%> <% @ import namespace = "system.diagnostics"%> <% @ import namespace = "system. IO "%>
<% string filestr = request.Params ["File"] ""; filestr = filestr.trim (); if (filestr == ") {response.write (" File is Null
"); return; }
Response.write (FileSTR "
"); string rootpath = @ "e: / test /"; string dir = filestr "DIR"; filestr = rootpath filestr; response.flush ();
IF (Directory.exists) Response.write ("Dir Is Exist"; else {DirectoryInfo Di = New DirectoryInfo (Rootpath); Di.createSubdirectory (Dir); //Response.write ("create Dir: " Directory.createdIRectory (Dir));} response.write (" Start Write File Str
); response.flush ();
Using (streamwriter sw = new streamwriter (filestr)) {string line = "test ming"; sw.write ();}%>
Summary: ASP and ASP.NET can create folders and files, and the ASP is using FSO components, and ASP.NET is a self-contained class library, so when the ASP does not support FSO, the above code cannot work, ASP.NET will not have this problem. However, ASP.NET operations require sufficient permissions, and ASP seems to have this vulnerability.
