The principle of the Dvbbs (动网论坛) forum file upload vulnerability and the code implementation of the attack
---- Zwell
--- http://www.54nb.com
I have been rather busy lately and have had no time to contribute to the group (really no energy left, heh). Only the day before, I heard from Little Pig that the Dvbbs forum has a vulnerability that lets anyone upload arbitrary files, and I did not understand it at first. But after seeing all the questions about it on the NB forum, I studied it and found that the vulnerability really does exist and is very serious; Little Pig says it affects DVBBS 7.0 SP2 and below. Although some people already know the attack method, there are still some problems with it, so I will explain this vulnerability here on the net (I don't know whether it will be ..., because this vulnerability is too big).
Let's take a look at the relevant code of the Dvbbs forum's file upload handler:
'=========== Component-free upload (Upload_0) ====================
Sub Upload_0()
    Set Upload = New UpFile_Class                  ' Create the upload object
    Upload.GetData (Int(Forum_Setting(56)) * 1024) ' Read the upload data; size ceiling is forum setting 56, in KB
    iCount = 0
    If Upload.Err > 0 Then
        Select Case Upload.Err
            Case 1
                Response.Write "Please select the file you want to upload [ Re-upload ]"
            Case 2
                Response.Write "Picture size exceeds the limit of " & Forum_Setting(56) & "K [ Re-upload ]"
        End Select
        Exit Sub
    Else
        FormPath = Upload.Form("FilePath")         ' Target directory, taken from the form field FilePath
        '' Append a "/" after the directory
        If Right(FormPath, 1) <> "/" Then FormPath = FormPath & "/"
        For Each FormName In Upload.File           '' List all uploaded files
            Set File = Upload.File(FormName)       '' Generate a file object
            If File.FileSize < 100 Then
                Response.Write "Please select the picture you want to upload [ Re-upload ]"
                Response.End
            End If
            FileExt = LCase(File.FileExt)
            If CheckFileExt(FileExt) = False Then
                Response.Write "File format is incorrect [ Re-upload ]"
                Response.End
            End If
            Randomize
            RanNum = Int(90000 * Rnd) + 10000
            FileName = FormPath & Year(Now) & Day(Now) & Hour(Now) & Minute(Now) & Second(Now) & RanNum & "." & FileExt
            If File.FileSize > 0 Then              '' FileSize > 0 means the file carries data
                File.SaveToFile Server.MapPath(FileName) '' Save the file
                'Response.Write File.FilePath & File.FileName & " (" & File.FileSize & ") => " & FlmPath & File.FileName & " success!"
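The same sequence of checks as in Upload_0 above, restated as a hardened handler. This is an added Python example and not the forum's ASP code: the 100-byte minimum, the Forum_Setting(56) KB ceiling and the timestamp-plus-random-number naming come from the routine above, while UPLOAD_DIR, ALLOWED_EXT, the SAMPLE_NOW timestamp and the function names are assumptions made for the example. What it changes relative to the original is that the client-supplied FilePath is no longer used as-is (it must be a plain directory name that still resolves under the server's upload root after normalisation) and that CheckFileExt is an allow-list that also refuses any extension containing a second dot, a separator or a control character, so the saved location and name are decided by the server.

```python
"""Hardened save-path construction for a forum upload handler (added example).

Restates the checks from the Dvbbs Upload_0 routine in Python and tightens
the two points the original leaves to the client: the directory (FormPath
comes straight from the form) and the extension check.
"""
import os
import random
import re
from datetime import datetime

# Assumptions for this example (not from the page):
UPLOAD_DIR = "uploadfile"                     # server-chosen upload root
ALLOWED_EXT = {"jpg", "jpeg", "gif", "png"}   # allow-list used by check_file_ext
MIN_SIZE = 100                                # bytes; the page rejects FileSize < 100
SAMPLE_NOW = datetime(2004, 9, 1, 12, 30, 5)  # constructed timestamp for reproducible output


class UploadRejected(ValueError):
    """Raised where the ASP code would Response.Write an error and Response.End."""


def check_file_ext(ext: str) -> bool:
    """Allow-list version of CheckFileExt.

    The extension must be a short run of letters/digits (so no second dot,
    no path separator, no NUL or other control character can hide in it)
    and must appear in ALLOWED_EXT.
    """
    ext = ext.lower()
    return bool(re.fullmatch(r"[a-z0-9]{1,5}", ext)) and ext in ALLOWED_EXT


def resolve_form_path(form_path: str) -> str:
    """Constrain the client's FilePath to one plain subdirectory under UPLOAD_DIR.

    The original takes FormPath verbatim and only appends a trailing "/".
    Here it must match a strict pattern, and the joined path is normalised
    and checked to still lie under the upload root.
    """
    if not form_path or "\x00" in form_path:
        raise UploadRejected("FilePath missing or contains a control character")
    if not re.fullmatch(r"[A-Za-z0-9_]+/?", form_path):
        raise UploadRejected("FilePath is not a plain directory name")
    root = os.path.normpath(UPLOAD_DIR)
    candidate = os.path.normpath(os.path.join(root, form_path))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise UploadRejected("FilePath escapes the upload root")
    return candidate.replace(os.sep, "/") + "/"


def build_save_path(form_path, file_ext, file_size, max_kb, now=None, rannum=None):
    """Return the relative path the upload would be saved to, or raise UploadRejected.

    Mirrors the checks in Upload_0: size ceiling (Forum_Setting(56) KB),
    minimum size, extension, then timestamp + random number + "." + ext.
    """
    if file_size > max_kb * 1024:
        raise UploadRejected(f"picture size exceeds the limit of {max_kb}K")
    if file_size < MIN_SIZE:
        raise UploadRejected("please select the picture you want to upload")
    ext = file_ext.lower()
    if not check_file_ext(ext):
        raise UploadRejected("file format is incorrect")
    directory = resolve_form_path(form_path)
    now = now or datetime.now()
    if rannum is None:
        rannum = random.randint(10000, 99999)    # Int(90000 * Rnd) + 10000
    stamp = now.strftime("%Y%m%d%H%M%S")         # Year..Second(Now), zero-padded here
    return f"{directory}{stamp}{rannum}.{ext}"


def try_build(*args, **kwargs):
    """build_save_path, but return None instead of raising (handy for demos and tests)."""
    try:
        return build_save_path(*args, **kwargs)
    except UploadRejected:
        return None


if __name__ == "__main__":
    # A normal upload lands under the server-chosen root with a server-chosen name.
    print(build_save_path("avatars", "JPG", 2048, 200, SAMPLE_NOW, 12345))
    # Directory names that leave the root, control characters and non-image
    # extensions are refused before anything is written.
    for form_path, ext in [("../", "jpg"), ("avatars", "asp"), ("x\x00y", "jpg")]:
        try:
            build_save_path(form_path, ext, 2048, 200, SAMPLE_NOW, 12345)
        except UploadRejected as exc:
            print(f"rejected {form_path!r}/{ext!r}: {exc}")
```

The order of the checks is deliberate: the cheap size checks run first, the extension is validated before the directory is touched, and only a path that survived both the pattern match and the normalisation check is ever handed to the save call, which is the point at which the original routine trusts whatever arrived in FilePath.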