ASP上传漏洞修复
上传页面Upfile_Photo.asp有漏洞
写个本地文件,同时上传两个,第一个是图片格式,第二个是asp木马就不过滤了,该怎么修复?
页面的源代码在http://hi.baidu.com/maiguo/blog/item/1eb5cd1b8c1236fdaf513302.html
该怎么修复来防止这样的上传呢?
别说让我改密码之类的,要治标的方法
能否把最新的上传代码发给我,我找了没找到。
应该比你那个好用
<!--#include file="upload.inc"-->
<%
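' Photo upload handler: validates every file in the multipart request and
' saves each one under the form-supplied directory with a server-generated name.
' Every failed check now ends the response; the original only printed an error
' and then fell through to File.SaveToFile, which is why a rejected file was
' still written to disk.
Set Upload = New UpFile_Class
Upload.InceptFileType = "gif,jpg,bmp,jpeg,png"
Upload.MaxSize = 10240000
Upload.GetDate()
If Upload.Err > 0 Then
Select Case Upload.Err
Case 1 : Response.Write "请先选择你要上传的文件 [ <a href=# onclick=history.go(-1)>重新上传</a> ]"
Case 2 : Response.Write "图片大小超过了限制 "&Dvbbs.Forum_Setting(56)&"K [ <a href=# onclick=history.go(-1)>重新上传</a> ]"
Case 3 : Response.Write "所上传类型不正确 [ <a href=# onclick=history.go(-1)>重新上传</a> ]"
End Select
Else
FormPath=Upload.Form("filepath")
' The destination directory is client-controlled; refuse anything that could
' leave the intended folder or name a drive/alternate stream.
' NOTE(review): on IIS 6 a folder named like "x.asp" is itself parsed as ASP -
' consider also rejecting path segments that carry a script extension.
If InStr(FormPath,"..")>0 Or InStr(FormPath,":")>0 Or InStr(FormPath,Chr(0))>0 Then
Response.Write "上传路径不正确 [ <a href=# onclick=history.go(-1)>重新上传</a> ]"
Response.End
End If
For Each FormName in Upload.file
Set File = Upload.File(FormName)
If File.Filesize<10 Then
Response.Write "请先选择你要上传的图片 [ <a href=# onclick=history.go(-1)>重新上传</a> ]"
Response.End
End If
' FixName normalises the extension; CheckFileExt is the whitelist and
' CheckFileType only looks at the client-declared content type.
FileExt = FixName(File.FileExt)
If Not ( CheckFileExt(FileExt) and CheckFileType(File.FileType) ) Then
Response.Write "文件格式不正确 [ <a href=# onclick=history.go(-1)>重新上传</a> ]"
' Without this the rejected file was still saved below.
Response.End
End If
FileName=FormPath&UserFaceName(FileExt)
If File.FileSize>0 Then
File.SaveToFile Server.mappath(FileName)
' NOTE(review): FormName/EditName are echoed into a script block unescaped -
' TODO restrict them to identifier characters before writing them out.
response.write "<script>window.opener.document."&upload.form("FormName")&"."&upload.form("EditName")&".value='"&FileName&"'</script>"
Response.Write "<script language=""javascript"">window.alert(""文件上传成功!请不要修改生成的链接地址!"");window.close();</script>"
End If
Set File=Nothing
Next
End If
Set Upload=Nothing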
' Returns True only when FileExt (compared case-insensitively) is one of the
' allowed image extensions. This whitelist is the primary upload control;
' FixName and the content-type check are secondary.
Private Function CheckFileExt(FileExt)
Dim allowed, wanted
wanted = LCase(FileExt)
CheckFileExt = False
For Each allowed In Split("gif,jpg,bmp,jpeg,png", ",")
If wanted = LCase(Trim(allowed)) Then
CheckFileExt = True
Exit Function
End If
Next
End Function
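' Normalises an uploaded file's extension before it reaches the whitelist:
' lowercases it, strips NUL bytes and dots, and removes server-executable
' extension tokens. Returns Empty when UpFileExt is Empty.
' Defence in depth only - CheckFileExt's whitelist is the real control.
Function FixName(UpFileExt)
Dim tok, previous
If IsEmpty(UpFileExt) Then Exit Function
FixName = LCase(UpFileExt)
FixName = Replace(FixName,Chr(0),"")
FixName = Replace(FixName,".","")
' Replace is single-pass, so removing one token can leave behind another
' that was split around it; repeat until the string stops changing.
' (Each pass either shortens the string or leaves it unchanged, so this ends.)
Do
previous = FixName
For Each tok In Array("asp","asa","aspx","cer","cdx","htr")
FixName = Replace(FixName,tok,"")
Next
Loop While FixName <> previous
End Function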
' Builds the server-generated file name: <UserID><timestamp><5-digit random>.<ext>.
' Date parts are not zero-padded. UserID is a page-level global that is not
' defined in this listing.
Private Function UserFaceName(FileExt)
Dim stamp
Randomize
' Int(90000*Rnd)+10000 yields a value in 10000..99999.
RanNum = Int(90000*Rnd)+10000
stamp = Year(Now)&Month(Now)&Day(Now)&Hour(Now)&Minute(Now)&Second(Now)
UserFaceName = UserID&stamp&RanNum&"."&FileExt
End Function
' True when the declared MIME type (trimmed, case-insensitive) starts with "image/".
' FileType is supplied by the client, so this is only a secondary check
' next to the extension whitelist in CheckFileExt.
Private Function CheckFileType(FileType)
Dim declared
declared = LCase(Trim(CStr(FileType)))
If Left(declared, 6) = "image/" Then
CheckFileType = True
Else
CheckFileType = False
End If
End Function
%>
<!--#include file="upload.inc"-->
<%
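' Photo upload handler: validates every file in the multipart request and
' saves each one under the form-supplied directory with a server-generated name.
' Every failed check now ends the response; the original only printed an error
' and then fell through to File.SaveToFile, which is why a rejected file was
' still written to disk.
Set Upload = New UpFile_Class
Upload.InceptFileType = "gif,jpg,bmp,jpeg,png"
Upload.MaxSize = 10240000
Upload.GetDate()
If Upload.Err > 0 Then
Select Case Upload.Err
Case 1 : Response.Write "请先选择你要上传的文件 [ <a href=# onclick=history.go(-1)>重新上传</a> ]"
Case 2 : Response.Write "图片大小超过了限制 "&Dvbbs.Forum_Setting(56)&"K [ <a href=# onclick=history.go(-1)>重新上传</a> ]"
Case 3 : Response.Write "所上传类型不正确 [ <a href=# onclick=history.go(-1)>重新上传</a> ]"
End Select
Else
FormPath=Upload.Form("filepath")
' The destination directory is client-controlled; refuse anything that could
' leave the intended folder or name a drive/alternate stream.
' NOTE(review): on IIS 6 a folder named like "x.asp" is itself parsed as ASP -
' consider also rejecting path segments that carry a script extension.
If InStr(FormPath,"..")>0 Or InStr(FormPath,":")>0 Or InStr(FormPath,Chr(0))>0 Then
Response.Write "上传路径不正确 [ <a href=# onclick=history.go(-1)>重新上传</a> ]"
Response.End
End If
For Each FormName in Upload.file
Set File = Upload.File(FormName)
If File.Filesize<10 Then
Response.Write "请先选择你要上传的图片 [ <a href=# onclick=history.go(-1)>重新上传</a> ]"
Response.End
End If
' FixName normalises the extension; CheckFileExt is the whitelist and
' CheckFileType only looks at the client-declared content type.
FileExt = FixName(File.FileExt)
If Not ( CheckFileExt(FileExt) and CheckFileType(File.FileType) ) Then
Response.Write "文件格式不正确 [ <a href=# onclick=history.go(-1)>重新上传</a> ]"
' Without this the rejected file was still saved below.
Response.End
End If
FileName=FormPath&UserFaceName(FileExt)
If File.FileSize>0 Then
File.SaveToFile Server.mappath(FileName)
' NOTE(review): FormName/EditName are echoed into a script block unescaped -
' TODO restrict them to identifier characters before writing them out.
response.write "<script>window.opener.document."&upload.form("FormName")&"."&upload.form("EditName")&".value='"&FileName&"'</script>"
Response.Write "<script language=""javascript"">window.alert(""文件上传成功!请不要修改生成的链接地址!"");window.close();</script>"
End If
Set File=Nothing
Next
End If
Set Upload=Nothing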
' Returns True only when FileExt (compared case-insensitively) is one of the
' allowed image extensions. This whitelist is the primary upload control;
' FixName and the content-type check are secondary.
Private Function CheckFileExt(FileExt)
Dim allowed, wanted
wanted = LCase(FileExt)
CheckFileExt = False
For Each allowed In Split("gif,jpg,bmp,jpeg,png", ",")
If wanted = LCase(Trim(allowed)) Then
CheckFileExt = True
Exit Function
End If
Next
End Function
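' Normalises an uploaded file's extension before it reaches the whitelist:
' lowercases it, strips NUL bytes and dots, and removes server-executable
' extension tokens. Returns Empty when UpFileExt is Empty.
' Defence in depth only - CheckFileExt's whitelist is the real control.
Function FixName(UpFileExt)
Dim tok, previous
If IsEmpty(UpFileExt) Then Exit Function
FixName = LCase(UpFileExt)
FixName = Replace(FixName,Chr(0),"")
FixName = Replace(FixName,".","")
' Replace is single-pass, so removing one token can leave behind another
' that was split around it; repeat until the string stops changing.
' (Each pass either shortens the string or leaves it unchanged, so this ends.)
Do
previous = FixName
For Each tok In Array("asp","asa","aspx","cer","cdx","htr")
FixName = Replace(FixName,tok,"")
Next
Loop While FixName <> previous
End Function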
' Builds the server-generated file name: <UserID><timestamp><5-digit random>.<ext>.
' Date parts are not zero-padded. UserID is a page-level global that is not
' defined in this listing.
Private Function UserFaceName(FileExt)
Dim stamp
Randomize
' Int(90000*Rnd)+10000 yields a value in 10000..99999.
RanNum = Int(90000*Rnd)+10000
stamp = Year(Now)&Month(Now)&Day(Now)&Hour(Now)&Minute(Now)&Second(Now)
UserFaceName = UserID&stamp&RanNum&"."&FileExt
End Function
' True when the declared MIME type (trimmed, case-insensitive) starts with "image/".
' FileType is supplied by the client, so this is only a secondary check
' next to the extension whitelist in CheckFileExt.
Private Function CheckFileType(FileType)
Dim declared
declared = LCase(Trim(CStr(FileType)))
If Left(declared, 6) = "image/" Then
CheckFileType = True
Else
CheckFileType = False
End If
End Function
%>
动力的,改为最新的动力上传页面即可。
去下个动易,把里面的上传图片部分拷贝过去
由于过滤不严格造成的吧,加条禁止上传ASP文件的命令进去试试