<body>
<div class="iframeBody">
<%
dim upload
set upload = new AnUpLoad
upload.Exe = "*"    'wildcard: no extension restriction
upload.MaxSize = 4 * 1024 * 1024 '4M
upload.GetData()
if upload.ErrorID>0 then
    response.Write upload.Description
else
    postMess("images/operate_02.jpg")
    dim savepath
    savepath = "/upload/"&year(date())&"/"&month(date())&"/"
    for each f in upload.files(-1)
        dim file
        set file = upload.files(f)
        if not(file is nothing) then
            if file.saveToFile(savepath,0,true) then
                postMess("images/operate_01.jpg")
                postValue = postValue&""&savepath&file.filename&"|"
                response.write ("<script>window.parent.document.getElementById("""&postName&""").value="""&postValue&""";</script>")
            end if
        end if
        set file = nothing
    next
end if
set upload = nothing
%>
</div>
</body>
</html>

Next, let's look at UpLoad_Class.vbs.asp.
UpLoad_Class.vbs.asp:
<!--#include file="admin.asp" -->
<%
'=========================================================
'Class name: AnUpLoad (艾恩 component-free upload class)
'=========================================================
'... N lines of code omitted ...
Public Function GetWH() 'The code of this function is adapted from the web
    On Error Resume Next
    mvarExtend = lcase(mvarExtend)
    if instr("|jpg|jpeg|bmp|png|gif|asa|","|" & mvarExtend & "|")<=0 then exit function
    Dim m_binItem
    Set m_binItem =server.CreateObject("ADODB.Stream")
    m_binItem.Mode = 3
    m_binItem.Type = 1
    m_binItem.Open
    Dim Info
    Set Info = server.CreateObject("ADODB.Recordset")
    Info.Fields.Append "value", 205, -1
    Info.Open
    Info.AddNew
    Info("value").AppendChunk (mvarValue)
    m_binItem.Write (Info("value"))
    Info("value").AppendChunk (Null)
    Info.Update
    Info.Close
    Set Info = Nothing
    select case lcase(mvarExtend)
        case "jpg","jpeg"
            m_binItem.Position=3
            do while not m_binItem.EOS
                do
                    intTemp = Ascb(m_binItem.Read(1))
                loop while intTemp = 255 and not m_binItem.EOS
                if intTemp < 192 or intTemp > 195 then
                    m_binItem.read(Bin2Val(m_binItem.Read(2))-2)
                else
                    Exit do
                end if
                do
                    intTemp = Ascb(m_binItem.Read(1))
                loop while intTemp < 255 and not m_binItem.EOS
            loop
            m_binItem.Read(3)
            mvarHeight = Bin2Val(m_binItem.Read(2))
            mvarWidth = Bin2Val(m_binItem.Read(2))
        case "gif"
            if Lcase(strFext)<>"gif" then strFext="gif"
            m_binItem.Position=6
            mvarWidth = BinVal2(m_binItem.Read(2))
            mvarHeight = BinVal2(m_binItem.Read(2))
        case "png"
            if Lcase(strFext)<>"png" then strFext="png"
            m_binItem.Position=18
            mvarWidth = Bin2Val(m_binItem.Read(2))
            m_binItem.Read(2)
            mvarHeight = Bin2Val(m_binItem.Read(2))
        case "bmp"
            if Lcase(strFext)<>"bmp" then strFext="bmp"
            m_binItem.Position=18
            mvarWidth = BinVal2(m_binItem.Read(4))
            mvarHeight = BinVal2(m_binItem.Read(4))
        case "asa"
            if Lcase(strFext)<>"asa" then strFext="asa"
            m_binItem.Position=18
            mvarWidth = BinVal2(m_binItem.Read(2))
            mvarHeight = BinVal2(m_binItem.Read(2))
    end select
    m_binItem.Close
    If err then
        mException=Err.Description
    End If
End Function

Look at the part highlighted in red; the rest needs no explanation.

Upload an asa file directly to get a shell.

Also, the upload may prompt for a login; simply forging the session gets past it. The verification code is in admin.asp.
admin.asp:
<%
if session("username")="" and session("password")="" then
    session("Errortxt")="登录超时,请重新登陆"
    response.Redirect("login.asp")
    response.end
end if
%>
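
A hardened counterpart of the two checks above, as an added example that is not part of the original post or of AnUpLoad: an image-only extension allowlist without asa, a server-generated file name, and a login guard that rejects the request when either session value is missing. The helper names SafeExtension, ServerFileName and RequireLogin and the sample file name are assumptions made for illustration.

```vbscript
<%
' Added example: hardened counterparts of the two checks shown above.
' Helper names are illustrative; none of this is AnUpLoad's own code.

' Image types only: no "asa" or any other extension IIS hands to a script engine.
Const ALLOWED_EXT = "|jpg|jpeg|bmp|png|gif|"

' Returns the lower-cased extension when it is on the allowlist, "" otherwise.
Function SafeExtension(ByVal fileName)
    Dim pos, ext
    SafeExtension = ""
    pos = InStrRev(fileName, ".")
    If pos = 0 Or pos = Len(fileName) Then Exit Function   ' no extension at all
    ext = LCase(Mid(fileName, pos + 1))
    ' "jpg|jpeg" would otherwise match the delimited list as a substring.
    If InStr(ext, "|") > 0 Then Exit Function
    If InStr(ALLOWED_EXT, "|" & ext & "|") > 0 Then SafeExtension = ext
End Function

' Builds the stored name on the server so the client never picks name or extension.
Function ServerFileName(ByVal ext)
    Dim guid
    guid = Mid(CreateObject("Scriptlet.TypeLib").Guid, 2, 36)
    ServerFileName = Replace(guid, "-", "") & "." & ext
End Function

' Deny unless BOTH session values are set. The original test joins the two
' comparisons with "and", so it redirects only when both are empty.
Sub RequireLogin()
    If Session("username") = "" Or Session("password") = "" Then
        Session("Errortxt") = "Login timed out, please log in again"
        Response.Redirect "login.asp"
        Response.End
    End If
End Sub

' Typical use in the upload page, before any file is written:
RequireLogin
Dim clientName, ext
clientName = "photo.JPG"            ' constructed sample value
ext = SafeExtension(clientName)
If ext = "" Then
    Response.Status = "415 Unsupported Media Type"
    Response.End
End If
Response.Write Server.HTMLEncode(ServerFileName(ext))
%>
```

In the upload page itself, the upload.Exe = "*" wildcard also has to be replaced by the same image-only list, in whatever format the upload class expects.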