IIS6.0使用冒号上传漏洞利用
来源:cnblogs  作者:痱子﹑  时间:2019/6/5 8:49:14  对本文有异议

利用条件:

1.iis版本为6.0 

2.上传文件名不会重命名

利用:

 上传一个 jpg 格式的木马图片,文件名为:cs.asp:.jpg。注意:Windows 默认不允许文件名中含有 :(冒号),所以需要在抓包后再修改文件名!!

 上传成功后,IIS 会忽略掉 : 后面的字符,文件名也就成了 cs.asp;但在接收端判断文件后缀时,检测到的仍然是 .jpg,因此绕过了后缀检测。

 

IIS 接收到的数据是完整的 cs.asp:.jpg,但由于 Windows 不允许文件名中带 :,实际写入的文件应该是被 IIS 直接去掉了 : 之后的部分。这与 %00 截断应该并不相同:%00 截断是直接截断了后面的内容,这样如果在前面有后缀检测就无法通过检测了。

 

附上测试代码(以下代码为转载排版,部分行已被截断或与行号粘连,无法直接运行,仅供参考)

  1. 1 <form action=”1.asp?s=ys method=post
  2. 2 enctype=”multipart/form-data name=”form1″>
  3. 3 file:<input name=”FormNameItem type=”file />
  4. 4 <button type=”submit”>提交</button>
  5. 5 </form>
  6. 6 <%
  7. 7 if len(Request(“s”))>0 then
  8. 8 Set oFileObj = New UpFileClass
  9. 9 oFileObj.GetData
  10. 10 For Each FormNameItem in oFileObj.File
  11. 11 FileName = oFileObj.File(FormNameItem).FileName
  12. 12 FileExtName = oFileObj.File(FormNameItem).FileExt
  13. 13 FileContent = oFileObj.File(FormNameItem).FileData
  14. 14 oFileObj.File(FormNameItem).SaveToFile server.MapPath(“\”) &
  15. 15 Response.Write server.MapPath(“\”) & \0.asp:.jpg OK!
  16. 16 23.Next
  17. 17 end if
  18. 18 Dim UpFileStream
  19. 19 Class UpFileClass
  20. 20 Dim Form,File,Err
  21. 21 Private Sub Class_Initialize
  22. 22 Err = -1
  23. 23 End Sub
  24. 24 Private Sub Class_Terminate
  25. 25 ’清除变量及对像 www.2cto.com
  26. 26 If Err < 0 Then
  27. 27 Form.RemoveAll
  28. 28 Set Form = Nothing
  29. 29 File.RemoveAll
  30. 30 Set File = Nothing
  31. 31 UpFileStream.Close 40.Set UpFileStream = Nothing
  32. 32 End If 42.End Sub
  33. 33 Public Property Get ErrNum()
  34. 34 ErrErrNum = Err 46.End Property
  35. 35 Public Sub GetData ()
  36. 36 ’定义变量
  37. 37 Dim RequestBinData,sSpace,bCrLf,sObj,iObjStart,iObjEnd,tStrea
  38. 38 Dim iFileSize,sFilePath,sFileType,sFormValue,sFileName
  39. 39 Dim iFindStart,iFindEnd
  40. 40 Dim iFormStart,iFormEnd,sFormName
  41. 41 ’代码开始56.If Request.TotalBytes < 1 Then ‘如果没有数据
  42. 42 Err = 1
  43. 43 Exit Sub
  44. 44 End If
  45. 45 Set Form = CreateObject (“Scripting.Dictionary”)
  46. 46 Form.CompareMode = 1
  47. 47 Set File = CreateObject (“Scripting.Dictionary”)
  48. 48 File.CompareMode = 1
  49. 49 Set tStream = CreateObject (“ADODB.Stream”)
  50. 50 Set UpFileStream = CreateObject (“ADODB.Stream”)
  51. 51 UpFileStream.Type = 1
  52. 52 UpFileStream.Mode = 3
  53. 53 UpFileStream.Open
  54. 54 dim ReadedBytes,ChunkBytes
  55. 55 ReadedBytes=0
  56. 56 ChunkBytes=1024*100 100K分块上传方案
  57. 57 Do While ReadedBytes < Request.TotalBytes
  58. 58 UpFileStream.Write Request.BinaryRead(ChunkBytes)
  59. 59 ReadedBytesReadedBytes = ReadedBytes + ChunkBytes
  60. 60 If ReadedBytes > Request.TotalBytes Then ReadedBytes = Reque
  61. 61 Loop
  62. 62 UpFileStream.Write (Request.BinaryRead(Request.TotalBytes))
  63. 63 UpFileStream.Position = 0
  64. 64 RequestBinData=UpFileStream.Read
  65. 65 iFormEnd = UpFileStream.Size
  66. 66 bCrLf = ChrB (13) & ChrB (10)
  67. 67 .’取得每个项目之间的分隔符84.sSpace=Mi
  68. 68 RequestBinData,bCrLf)-1) 85.iStart=LenB (sSpace)
  69. 69 iFormStart = iStart+2 87.’分解项目
  70. 70 Do
  71. 71 iObjEnd=InStrB(iFormStart,RequestBinData,bCrLf & bCrLf)+3
  72. 72 tStream.Type = 1
  73. 73 tStream.Mode = 3
  74. 74 tStream.Open 93.UpFileStream.Position = iFormStart
  75. 75 UpFileStream.CopyTo tStream,iObjEnd-iFormStart
  76. 76 tStream.Position = 0
  77. 77 tStream.Type = 2 97.tStream.CharSet = gb2312
  78. 78 sObj = tStream.ReadText
  79. 79 ’取得表单项目名称100.iFormStart = InStrB (iObjEnd,RequestBinData,sSpace)-1
  80. 80 iFindStart = InStr (22,sObj,”name=”"”,1)+6
  81. 81 iFindEnd = InStr (iFindStart,sObj,”"",1)
  82. 82 sFormName = Mid (sObj,iFindStart,iFindEnd-iFindStart)
  83. 83 ’如果是文件105.If InStr (45,sObj,”filename=”"”,1) > 0 Then 106.Set oFileObj = new FileObj_Class
  84. 84 ’取得文件属性
  85. 85 iFindStart = InStr (iFindEnd,sObj,”filename=”"”,1)+10
  86. 86 iFindEnd = InStr (iFindStart,sObj,”"",1)
  87. 87 sFileName = Mid (sObj,iFindStart,iFindEnd-iFindStart)
  88. 88 oFileObj.FileName = Mid (sFileName,InStrRev (sFileNam
  89. 89 oFileObj.FilePath = Left (sFileName,InStrRev (sFileName,
  90. 90 oFileObj.FileExt = Mid (sFileName,InStrRev (sFileName, “
  91. 91 iFindStart = InStr (iFindEnd,sObj,”Content-Type: “,1)+14
  92. 92 iFindEnd = InStr (iFindStart,sObj,vbCr)
  93. 93 oFileObj.FileType = Mid (sObj,iFindStart,iFindEnd-iFindSt
  94. 94 oFileObj.FileStart = iObjEnd
  95. 95 oFileObj.FileSize = iFormStart -iObjEnd -2
  96. 96 oFileObj.FormName = sFormName
  97. 97 File.add sFormName,oFileObj
  98. 98 else
  99. 99 ’如果是表单项目
  100. 100 tStream.Close
  101. 101 tStream.Type = 1
  102. 102 tStream.Mode = 3
  103. 103 tStream.Open
  104. 104 UpFileStream.Position = iObjEnd
  105. 105 UpFileStream.CopyTo tStream,iFormStart-iObjEnd-2
  106. 106 tStream.Position = 0
  107. 107 tStream.Type = 2
  108. 108 tStream.CharSet = “gb2312″
  109. 109 sFormValue = tStream.ReadText
  110. 110 If Form.Exists(sFormName)Then
  111. 111 Form (sFormName) = Form (sFormName) & “, ” & sForm
  112. 112 else
  113. 113 form.Add sFormName,sFormValue
  114. 114 End If
  115. 115 End If
  116. 116 tStream.Close
  117. 117 iFormStartiFormStart = iFormStart+iStart+2
  118. 118 ’如果到文件尾了就退出
  119. 119 Loop Until (iFormStart+2) >= iFormEnd
  120. 120 RequestBinData = “”
  121. 121 Set tStream = Nothing
  122. 122 Set KS=Nothing
  123. 123 End Sub
  124. 124 End Class
  125. 125 ’—————————————————————
  126. 126 ’文件属性类
  127. 127 Class FileObj_Class
  128. 128 Dim FormName,FileName,FilePath,FileSize,FileType,FileS
  129. 129 ’保存文件方法154.Public Function SaveToFile (Path)
  130. 130 ’On Error Resume Next
  131. 131 Dim oFileStream
  132. 132 Set oFileStream = CreateObject (“ADODB.Stream”)
  133. 133 oFileStream.Type = 1
  134. 134 oFileStream.Mode = 3
  135. 135 oFileStream.Open
  136. 136 UpFileStream.Position = FileStart
  137. 137 UpFileStream.CopyTo oFileStream,FileSize
  138. 138 oFileStream.SaveToFile Path,2
  139. 139 oFileStream.Close
  140. 140 Set oFileStream = Nothing
  141. 141 Set KS=Nothing
  142. 142 End Function
  143. 143 ’取得文件数据
  144. 144 Public Function FileData
  145. 145 UpFileStream.Position = FileStart
  146. 146 FileData = UpFileStream.Read (FileSize)
  147. 147 End Function
  148. 148 End Class
  149. 149 %>

 

原文链接:http://www.cnblogs.com/yuanzijian-ruiec/p/10976569.html
