解决ASP（图像）上传漏洞的方法

针对此情况使用下列函数进行辨别：51Testing软件测试网w M1z]8Y6P[

<%

'******************************************************************

'CheckFileType 函数用来检查文件是否为图片文件

'参数filename是本地文件的路径51Testing软件测试网+n*n YDD|N$S

'如果是文件jpeg,gif,bmp,png图片中的一种，函数返回true，否则返回false51Testing软件测试网7H1c&B@5spzNr

'******************************************************************

const adTypeBinary=1

dim jpg(1):jpg(0)=CByte(&HFF):jpg(1)=CByte(&HD8)

dim bmp(1):bmp(0)=CByte(&H42):bmp(1)=CByte(&H4D)

dim png(3):png(0)=CByte(&H89):png(1)=CByte(&H50):png(2)=CByte(&H4E):png(3)=CByte(&H47)51Testing软件测试网8rB3LS&G
DYV

dim gif(5):gif(0)=CByte(&H47):gif(1)=CByte(&H49):gif(2)=CByte(&H46):gif(3)=CByte(&H39):gif(4)=CByte(&H38):gif(5)=CByte(&H61)51Testing软件测试网 v{-rQh

function CheckFileType(filename)51Testing软件测试网g;P]u$|? d ?U

on error resume next

CheckFileType=false

dim fstream,fileExt,stamp,i

fileExt=mid(filename,InStrRev(filename,".")+1)51Testing软件测试网&oCb-n:mPL:kF$lH+v4_

set fstream=Server.createobject("ADODB.Stream")51Testing软件测试网-y%iW
j3~ZJ

fstream.Open51Testing软件测试网,Hty o.C$CKA
xq,e_X

fstream.Type=adTypeBinary51Testing软件测试网2EV S4c j(l2J

fstream.LoadFromFile filename51Testing软件测试网5PjP_9]:u Q

fstream.position=051Testing软件测试网:^ tKv'k;o+K

select case fileExt

case "jpg","jpeg"

stamp=fstream.read(2)51Testing软件测试网8a\2E9jf#XWp

for i=0 to 1

if ascB(MidB(stamp,i+1,1))=jpg(i) then CheckFileType=true else CheckFileType=false51Testing软件测试网
gMF\x2{(u I

next51Testing软件测试网9X5d/h)`$B6}

case "gif"

stamp=fstream.read(6)51Testing软件测试网 luWO~$a_

for i=0 to 551Testing软件测试网%tV'Dy?(AE4ThH

if ascB(MidB(stamp,i+1,1))=gif(i) then CheckFileType=true else CheckFileType=false

next

case "png"

stamp=fstream.read(4)51Testing软件测试网7?xa V-t;{Vw'p

for i=0 to 3

if ascB(MidB(stamp,i+1,1))=png(i) then CheckFileType=true else CheckFileType=false

next51Testing软件测试网-a\'s#xI$`X,f

case "bmp"51Testing软件测试网_+o?*D9t:I

stamp=fstream.read(2)51Testing软件测试网l!H!qIh[

for i=0 to 151Testing软件测试网TcHHIY

if ascB(MidB(stamp,i+1,1))=bmp(i) then CheckFileType=true else CheckFileType=false

next

end select

fstream.Close51Testing软件测试网I^_#fGI

set fseteam=nothing

if err.number<>0 then CheckFileType=false

end function51Testing软件测试网6S:a0xL(R]/o2\

%>51Testing软件测试网J!Q*\)R\vI7j

那么在应用的时候51Testing软件测试网+\yX"g8M

CheckFileType(server.mappath("cnbruce.jpg"))51Testing软件测试网3b0A3J.J f(P

或者

CheckFileType("F:/web/164/images/cnbruce.jpg"))

反正即是检测验证本地物理地址的图像文件类型，返回 true 或 false值51Testing软件测试网ueB6g(m3H3htU?

所以这个情况应用在图像上传中，目前的办法是先允许该“伪图像”文件的上传，接着使用以上的自定义函数判断该文件是否符合图像的规范，若是木马伪装的图像文件则FSO删除之，比如：

则是先将文件上传，接着立马使用自定义函数判断文件图像类型的吻合性，FSO做出删除该文件的操作。51Testing软件测试网Gf0G,m1Wj!M

ASP上传漏洞还利用"\0"对filepath进行手脚操作

http://www.hzd0.blog.163.com/blog/showlog.asp?cat_id=32&log_id=635

针对这样的情况可使用如下函数51Testing软件测试网s:O7WQ+G#F*r

接着就可判断后再做文件的上传

 51Testing软件测试网&k8Qbf@`)JU'r

JJa;Z5v,s!F0可将以下代码拷到DW再自行修改：

1C9Hr&s,g4`d'a0<%@LANGUAGE="VBscrīpt" CODEPAGE="936"%>51Testing软件测试网?'o4Z
KS`NR#SV"l
<!--#include file="upload.inc"-->51Testing软件测试网-Q-`.r(\%K^
<html>51Testing软件测试网\Y,K/F&[X
<head>
:S+UX7Y Q"B!g.LAb0<title>文件上传</title>51Testing软件测试网yb*^-Ru2Q)^\ ^;q1B
<meta http-equiv="content-type" content="text/html;charset=gb2312">
2t!sa1c
lb0</head>
(H:V7N1h'r"n9OxK}0<body>
a
e/s0Th(Iq0N XN0<%
;C9i?6m[8U6Dl0on error resume next
7f0vIW9Qal0dim upload,f_folder,file,formPath,iCount,filename,fileExt,filesizemin,filesizemax
)~)i0ja6CVQ2v0'******************************************************************
1i{l qg6d0'CheckFileType 函数用来检查文件是否为图片文件51Testing软件测试网b5sQYm4p%e
'参数filename是本地文件的路径
k6_o\NoK0'如果是文件jpeg,gif,bmp,png图片中的一种，函数返回true，否则返回false51Testing软件测试网b;o[d yZ'G
'******************************************************************51Testing软件测试网/X:?.Ylb.xN6e;EC
const adTypeBinary=1

|0T'YT9g}E0dim jpg(1):jpg(0)=CByte(&HFF):jpg(1)=CByte(&HD8)51Testing软件测试网:w l^ P k6V9Z|6O&l
dim bmp(1):bmp(0)=CByte(&H42):bmp(1)=CByte(&H4D)51Testing软件测试网V]7Wa/czO7z
dim png(3):png(0)=CByte(&H89):png(1)=CByte(&H50):png(2)=CByte(&H4E):png(3)=CByte(&H47)
_u b2i"n1Bft'jc8l0dim gif(5):gif(0)=CByte(&H47):gif(1)=CByte(&H49):gif(2)=CByte(&H46):gif(3)=CByte(&H39):gif(4)=CByte(&H38):gif(5)=CByte(&H61)

function CheckFileType(filename)51Testing软件测试网1cnq m)r1f?
CheckFileType=false51Testing软件测试网g?\6KP8Xq2UjN
dim fstream,fileExt,stamp,i51Testing软件测试网m"H+gM~1?8A;m
fileExt=mid(filename,InStrRev(filename,".")+1)
:vT.A&a1F~0set fstream=Server.createobject("ADODB.Stream")51Testing软件测试网 h.[Le}F7f&Xv
fstream.Open
2H4d\y0z$_0fstream.Type=adTypeBinary51Testing软件测试网pT:J]5M3sY
fstream.LoadFromFile filename51Testing软件测试网_2iFZI
fstream.position=0
,|o%n$b%t k0select case fileExt

GMG.E&].f0Nj0case "jpg","jpeg"
O`9U@["IB5g0stamp=fstream.read(2)
[;S|1TgH,|2WR5L3{0for i=0 to 1
)rS!G(c]#J0if ascB(MidB(stamp,i+1,1))=jpg(i) then CheckFileType=true else CheckFileType=false51Testing软件测试网;K6_,E-DmM|P7{
next51Testing软件测试网1[1aZ1m~fD
case "gif"
%T.mEJ,d9AT%l |!\3R0stamp=fstream.read(6)
4V*G@dA K!q I0for i=0 to 5
X;O(L,\6c0K U0if ascB(MidB(stamp,i+1,1))=gif(i) then CheckFileType=true else CheckFileType=false
"?%p_}q0V[0next
\dHtV-x6q0case "png"51Testing软件测试网A'}CC1M
vn"DY
stamp=fstream.read(4)51Testing软件测试网pE;j}$U8N7sn
for i=0 to 3
{F?.V-N#|L0if ascB(MidB(stamp,i+1,1))=png(i) then CheckFileType=true else CheckFileType=false
T k9nX$r;AoF0next51Testing软件测试网8[dU.N,z9\`)n
case "bmp"
"?p8C ~*R["ZM(A0stamp=fstream.read(2)51Testing软件测试网$f*m|:d'R3@
for i=0 to 151Testing软件测试网CZbJ#YBP)e&U
if ascB(MidB(stamp,i+1,1))=bmp(i) then CheckFileType=true else CheckFileType=false
W1U8ej3NN I(r4|0next51Testing软件测试网U`/H$yJKoo
end select
.P3_O*ki
nf:O0fstream.Close
m ~"k iNi5}})z0set fseteam=nothing51Testing软件测试网,ymvr`vu~d8n/ZHo*}c
if err.number<>0 then CheckFileType=false51Testing软件测试网R`!a)o&f-~N ra*Fo
end function51Testing软件测试网5u%e6CE'H c!JbsX

S!SP$l-dn0function TrueStr(fileTrue)
OC@(I6F
o0 str_len=len(fileTrue)51Testing软件测试网A+z |7G6t M*C~
 pos=Instr(fileTrue,chr(0))51Testing软件测试网&[*|g;WQK
 if pos=0 or pos=str_len then
j QR~ GHXE2Z9xr0 TrueStr=true
y dy zCE5\+kf0 else51Testing软件测试网#](VX z0X9a+Z
 TrueStr=false
mz5];C QDfH+ar,q0 end if51Testing软件测试网8] S@ ZZ@,z8s
end function

filesizemin=10051Testing软件测试网 J{~JN*HUe
filesizemax=200*102451Testing软件测试网4Q"f*GQF
set upload=new upload_5xSoft '建立上传对象
7n*}:[+Z'A0f_folder=upload.form("upfilefolder")51Testing软件测试网?4`OA}?&H]2D

'********************************列出所有上传文件***************************************************
2y/CD1^k0@0For each formName in upload.objFile51Testing软件测试网H G-|c5eAW*I
set file=upload.file(formName)
#[x o%w8Yl-vz0If file.filesize>0 then51Testing软件测试网J8E.u7W;DX.c5QB

    '********************************检测文件大小***************************************************
U-^8C`([%aq0    If file.filesize<filesizemin Then
{7l7W ro2c
^0        response.write "你上传的文件太小了　[ <a href=# ōnclick=history.go(-1)>重新上传</a> ]"
%Tl `#e1T9Z0    ElseIf file.filesize>filesizemax then51Testing软件测试网;ld z;? M6k#m'[ o
        response.write "文件大小超过了 "&filesizemax&"字节 限制　[ <a href=# ōnclick=history.go(-1)>重新上传</a> ]"51Testing软件测试网+{uh o7K;@
    End If

5q b3_(CuO Koc0    '********************************检测文件类型****************************************************
t3GS&B |'U$u}0    fileExt=ucase(right(file.filename,4))
B'J-~2MnJ'z~0    uploadsuc=false51Testing软件测试网Hvf Qm8S*G
    Forum_upload="RAR|ZIP|SWF|JPG|PNG|GIF|DOC|TXT|CHM|PDF|ACE|MP3|WMA|WMV|MIDI|AVI|RM|RA|RMVB|MOV|XLS"51Testing软件测试网0| U:mk.HA
    Forumupload=split(Forum_upload,"|")51Testing软件测试网]q]{2RU,{
    for i=0 to ubound(Forumupload)51Testing软件测试网*OC5f1A X;QV
        if fileEXT="."&trim(Forumupload(i)) then

ad$WKr,~0            uploadsuc=true
;o#w R kn$X6Dx0            exit for51Testing软件测试网&?'` {9Ke)x C;|
        else51Testing软件测试网#u2TP{Nxv
            uploadsuc=false
Pu`Kn)Q(b0        end if
}(wb(OF:VM0    next
/C5ve5j*a.X0    if uploadsuc=false then
v:[Gc9^!_%l0        response.write "文件格式不正确　[ <a href=# ōnclick=history.go(-1)>重新上传</a> ]"51Testing软件测试网 dK.Jy2m8Xc2H+ur
        response.end
)N?I(i\0PM g`0    end if

    '********************************建立文件上传的目录文件夹****************************************51Testing软件测试网)v `{8B#X`@J(F*P
    Set upf=Server.CreateObject("scrīpting.FileSystemObject")51Testing软件测试网0PD%vr
Ma!vm
    If Err<>0 Then
4g9`3KX^w0        Err.Clear
6o }lp ^sHp'eb0        response.write("您的服务器不支持FSO")
g8Zon(H/T/N%a1o0        response.end51Testing软件测试网4X?\3ou
s9j
    End If51Testing软件测试网-n-G,i Mizt
    f_type= replace(fileExt,".","")51Testing软件测试网w ze unD
    f_name= year(now)&"-"&month(now)
SdYFA4M\0    If upf.FolderExists(Server.MapPath(f_folder&"/"&f_type&"/"&f_name))=False Then
h_"K0}r8]0        If upf.FolderExists(Server.MapPath(f_folder&"/"&f_type))=False Then51Testing软件测试网
R
L XXe5S
            If upf.FolderExists(Server.MapPath(f_folder))=False Then
Fu*BK7b;@0                upf.CreateFolder Server.MapPath(f_folder)51Testing软件测试网6y/|bo-]K)_
                upf.CreateFolder Server.MapPath(f_folder&"/"&f_type)
'T"Rn"]/q,kix Ba0                upf.CreateFolder Server.MapPath(f_folder&"/"&f_type&"/"&f_name)
)cw7EluMz? r0            Else
${2zp9eK mT7A0                upf.CreateFolder Server.MapPath(f_folder&"/"&f_type)51Testing软件测试网)`'iO5l6Ks-zX
                upf.CreateFolder Server.MapPath(f_folder&"/"&f_type&"/"&f_name)
@DUo7nt`UM+Q0            End If51Testing软件测试网9iq.zy L+w:B7k
        Else51Testing软件测试网?Y3L0N,j*H e
            upf.CreateFolder Server.MapPath(f_folder&"/"&f_type&"/"&f_name)51Testing软件测试网 ek%QrX
        End If51Testing软件测试网5k$f
IGY\_;[n
    End If
au)g2@9^3Jw,mf0    f_ftn=f_folder&"/"&f_type&"/"&f_name
8peK-PH|J-K#n0    Set upf=Nothing51Testing软件测试网BB8L%Il;?} xO:Q'I

    '********************************保存上传文件至文件夹*****************************************
7fq},Rup&r0    randomize51Testing软件测试网p ]-krS Ao*`T
    ranNum=int(90000*rnd)+10000
@,S-_5PGE.L0    filename=f_ftn&"/"&day(now)&"-"&ranNum&"-"&file.filename
`P:a8g9e%M0    if TrueStr(filename)=false then51Testing软件测试网3L-S(W;Q:zM
        response.write "非法文件"
)_*Z/u!T2e9g1p0KM0        response.end
E"n#`gxaMy0    end if51Testing软件测试网 l8B6Q&X$xMq"I
    if file.filesize>filesizemin and file.filesize<filesizemax then51Testing软件测试网l6T5gqDDu
    file.SaveAs Server.mappath(filename)  '保存文件
3es|xR0        if f_type="JPG" or f_type="GIF" or f_type="PNG" then
Far0W U?0            If not CheckFileType(Server.mappath(filename)) then
u[O)w`1h#u$w0            response.write "错误的图像格式 　[ <a href=# ōnclick=history.go(-1)>重新上传</a> ]"
.\,n3_7Bu c0            Set fso = CreateObject("scrīpting.FileSystemObject")51Testing软件测试网~*C
@6x/]4}%NO
            Set ficn = fso.GetFile(Server.mappath(filename))51Testing软件测试网$]S6r)z X*^h0g7N w
            ficn.delete51Testing软件测试网E
hQIbAm;V
            set ficn=nothing
8odG)x(K*R0Jz0q0            set fso=nothing51Testing软件测试网
Tq(F*MyD8l
            response.end
3TWnN UOV0            end if51Testing软件测试网z(omf5upm\0wg
            response.write "<scrīpt>parent.cn_bruce.cn_content.value+='[img]"&filename&"[/img]'</scrīpt>"51Testing软件测试网 p C!g ?9i\1]
        ElseIf f_type="ZIP" or f_type="RAR" or f_type="DOC" or f_type="TXT" then
Yu]2MEr0            response.write "<scrīpt>parent.cn_bruce.cn_content.value+='[url]"&filename&"[/url]'</scrīpt>"51Testing软件测试网1v$e4Ku W
        'ElseIf
n ZH!L9}&h0        else51Testing软件测试网#\pD!r2_6Ey4v
            response.write "<scrīpt>parent.cn_bruce.cn_content.value+=' "&filename&" '</scrīpt>"51Testing软件测试网 lf%St5y
        end if
.A9D X.R,?Z0        iCount=iCount+151Testing软件测试网gLjG3w[;w;vea
    end if51Testing软件测试网*n:v8~0mB&M t
set file=nothing
Z {sNr7S4xwu0end if51Testing软件测试网t(R8M@#YYD0E-C|;k
next51Testing软件测试网N^5z:vN,p"{qW
set upload=nothing '删除此对象51Testing软件测试网#x|B N w,t

p1GD1g'k)g,A0response.write (iCount&" 个文件上传成功! <a href=# ōnclick=history.go(-1)>继续上传</a>")
2y c4~'z:bn0%>
aHw\IL0</body>51Testing软件测试网-i fM,S~
T9a3^2b-P3s
</html>
1f kElC_p0