网站曾经被上传一个.asa文件,修改后缀名为.rar然后逃过了我的简单后缀名判断。
结果网站被挂马,幸亏麻烦不大,现在已经加上真实文件类型判断了,安全多了。
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="TrueFile.aspx.cs" Inherits="test_TrueFile" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>无标题页</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:FileUpload ID="uploadFile" runat="server" />
        <asp:Button ID="btnOk" runat="server" Text="判断" OnClick="btnOk_Click" />
    </div>
    </form>
</body>
</html>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>无标题页</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:FileUpload ID="uploadFile" runat="server" />
        <asp:Button ID="btnOk" runat="server" Text="判断" OnClick="btnOk_Click" />
    </div>
    </form>
</body>
</html>
using
System;
using System.Data;
using System.Configuration;
using System.Collections;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
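public partial class test_TrueFile : System.Web.UI.Page
{
    /* Signature reference (first two bytes as decimal values), kept from the
     * original notes for discovering other formats:
     *   4946/104116 txt        7173 gif           255216 jpg
     *   13780 png              6677 bmp           239187 txt,aspx,asp,sql
     *   208207 xls,doc,ppt     6063 xml           6033 htm,html
     *   4742 js                8075 xlsx,zip,pptx,mmap
     *   8297 rar               01 accdb,mdb       7790 exe,dll
     *   5666 psd               255254 rdp         10056 torrent
     *   64101 bat              4059 sgf
     */

    /// <summary>
    /// Leading bytes ("magic numbers") of the formats this page accepts: images only.
    /// Stored as raw byte pairs rather than concatenated decimal strings, because
    /// "71" + "73" and "7" + "173" both produce the string "7173" and the old
    /// string comparison could not tell them apart.
    /// </summary>
    private static readonly byte[][] AllowedSignatures = new byte[][]
    {
        new byte[] { 0x47, 0x49 }, // 71,73   "GI" - gif
        new byte[] { 0xFF, 0xD8 }, // 255,216      - jpg
        new byte[] { 0x89, 0x50 }, // 137,80  ".P" - png
    };

    protected void Page_Load(object sender, EventArgs e)
    {
    }

    /// <summary>
    /// Checks the real type of an upload by inspecting its first two bytes instead
    /// of trusting the client-supplied extension.
    /// </summary>
    /// <remarks>
    /// The previous implementation opened <c>hifile.FileName</c> with a FileStream.
    /// That name is the path on the client's machine: on a real server it normally
    /// does not exist (the check silently returned false), and if a client sends a
    /// path that does exist on the server, the server inspects that file instead of
    /// the upload. The bytes are therefore read from <c>hifile.InputStream</c>, which
    /// is the uploaded content itself, and the stream is always released.
    /// A two-byte signature is a useful filter, not proof that the content is a
    /// harmless image; the file should still be saved under a server-generated name
    /// with a whitelisted extension, outside any directory the server executes scripts from.
    /// </remarks>
    /// <param name="hifile">The posted file; null when no file was selected.</param>
    /// <returns>true when the first two bytes match an allowed image signature.</returns>
    private bool IsAllowedExtension(HttpPostedFile hifile)
    {
        // FileUpload.PostedFile is null when nothing was uploaded, and a file
        // shorter than the signature cannot match anything.
        if (hifile == null || hifile.ContentLength < 2)
        {
            return false;
        }

        System.IO.Stream input = hifile.InputStream;
        if (input == null)
        {
            return false;
        }

        byte[] header = new byte[2];
        long startPosition = input.CanSeek ? input.Position : -1;
        int bytesRead;
        try
        {
            bytesRead = ReadFully(input, header);
        }
        catch (Exception)
        {
            // Same best-effort contract as before: a file we cannot read is
            // not accepted (the old code also returned false here, but left
            // its FileStream open).
            return false;
        }
        finally
        {
            // Put the stream back where it was so a later read of the upload
            // (for example when saving it) starts from the same place.
            if (startPosition >= 0)
            {
                input.Position = startPosition;
            }
        }

        if (bytesRead < header.Length)
        {
            return false;
        }

        for (int i = 0; i < AllowedSignatures.Length; i++)
        {
            byte[] signature = AllowedSignatures[i];
            if (header[0] == signature[0] && header[1] == signature[1])
            {
                return true;
            }
        }

        // The old code echoed the signature into the response with Response.Write
        // as a way to discover unknown types. That exposes file bytes to the
        // client; record them server-side instead if that information is needed.
        return false;
    }

    /// <summary>
    /// Reads from <paramref name="input"/> until <paramref name="buffer"/> is full
    /// or the stream ends; Stream.Read may legitimately return fewer bytes than asked for.
    /// </summary>
    /// <returns>The number of bytes actually stored in <paramref name="buffer"/>.</returns>
    private static int ReadFully(System.IO.Stream input, byte[] buffer)
    {
        int total = 0;
        while (total < buffer.Length)
        {
            int n = input.Read(buffer, total, buffer.Length - total);
            if (n <= 0)
            {
                break;
            }
            total += n;
        }
        return total;
    }

    /// <summary>
    /// Click handler: writes "ok" when the uploaded file passes the signature check.
    /// </summary>
    protected void btnOk_Click(object sender, EventArgs e)
    {
        if (IsAllowedExtension(uploadFile.PostedFile))
        {
            Response.Write("ok");
        }
    }
}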
using System.Data;
using System.Configuration;
using System.Collections;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
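public partial class test_TrueFile : System.Web.UI.Page
{
    /* Signature reference (first two bytes as decimal values), kept from the
     * original notes for discovering other formats:
     *   4946/104116 txt        7173 gif           255216 jpg
     *   13780 png              6677 bmp           239187 txt,aspx,asp,sql
     *   208207 xls,doc,ppt     6063 xml           6033 htm,html
     *   4742 js                8075 xlsx,zip,pptx,mmap
     *   8297 rar               01 accdb,mdb       7790 exe,dll
     *   5666 psd               255254 rdp         10056 torrent
     *   64101 bat              4059 sgf
     */

    /// <summary>
    /// Leading bytes ("magic numbers") of the formats this page accepts: images only.
    /// Stored as raw byte pairs rather than concatenated decimal strings, because
    /// "71" + "73" and "7" + "173" both produce the string "7173" and the old
    /// string comparison could not tell them apart.
    /// </summary>
    private static readonly byte[][] AllowedSignatures = new byte[][]
    {
        new byte[] { 0x47, 0x49 }, // 71,73   "GI" - gif
        new byte[] { 0xFF, 0xD8 }, // 255,216      - jpg
        new byte[] { 0x89, 0x50 }, // 137,80  ".P" - png
    };

    protected void Page_Load(object sender, EventArgs e)
    {
    }

    /// <summary>
    /// Checks the real type of an upload by inspecting its first two bytes instead
    /// of trusting the client-supplied extension.
    /// </summary>
    /// <remarks>
    /// The previous implementation opened <c>hifile.FileName</c> with a FileStream.
    /// That name is the path on the client's machine: on a real server it normally
    /// does not exist (the check silently returned false), and if a client sends a
    /// path that does exist on the server, the server inspects that file instead of
    /// the upload. The bytes are therefore read from <c>hifile.InputStream</c>, which
    /// is the uploaded content itself, and the stream is always released.
    /// A two-byte signature is a useful filter, not proof that the content is a
    /// harmless image; the file should still be saved under a server-generated name
    /// with a whitelisted extension, outside any directory the server executes scripts from.
    /// </remarks>
    /// <param name="hifile">The posted file; null when no file was selected.</param>
    /// <returns>true when the first two bytes match an allowed image signature.</returns>
    private bool IsAllowedExtension(HttpPostedFile hifile)
    {
        // FileUpload.PostedFile is null when nothing was uploaded, and a file
        // shorter than the signature cannot match anything.
        if (hifile == null || hifile.ContentLength < 2)
        {
            return false;
        }

        System.IO.Stream input = hifile.InputStream;
        if (input == null)
        {
            return false;
        }

        byte[] header = new byte[2];
        long startPosition = input.CanSeek ? input.Position : -1;
        int bytesRead;
        try
        {
            bytesRead = ReadFully(input, header);
        }
        catch (Exception)
        {
            // Same best-effort contract as before: a file we cannot read is
            // not accepted (the old code also returned false here, but left
            // its FileStream open).
            return false;
        }
        finally
        {
            // Put the stream back where it was so a later read of the upload
            // (for example when saving it) starts from the same place.
            if (startPosition >= 0)
            {
                input.Position = startPosition;
            }
        }

        if (bytesRead < header.Length)
        {
            return false;
        }

        for (int i = 0; i < AllowedSignatures.Length; i++)
        {
            byte[] signature = AllowedSignatures[i];
            if (header[0] == signature[0] && header[1] == signature[1])
            {
                return true;
            }
        }

        // The old code echoed the signature into the response with Response.Write
        // as a way to discover unknown types. That exposes file bytes to the
        // client; record them server-side instead if that information is needed.
        return false;
    }

    /// <summary>
    /// Reads from <paramref name="input"/> until <paramref name="buffer"/> is full
    /// or the stream ends; Stream.Read may legitimately return fewer bytes than asked for.
    /// </summary>
    /// <returns>The number of bytes actually stored in <paramref name="buffer"/>.</returns>
    private static int ReadFully(System.IO.Stream input, byte[] buffer)
    {
        int total = 0;
        while (total < buffer.Length)
        {
            int n = input.Read(buffer, total, buffer.Length - total);
            if (n <= 0)
            {
                break;
            }
            total += n;
        }
        return total;
    }

    /// <summary>
    /// Click handler: writes "ok" when the uploaded file passes the signature check.
    /// </summary>
    protected void btnOk_Click(object sender, EventArgs e)
    {
        if (IsAllowedExtension(uploadFile.PostedFile))
        {
            Response.Write("ok");
        }
    }
}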