解决ASP（图像）上传漏洞的方法

针对此情况使用下列函数进行辨别：51Testing软件测试网$V,sxz"o0|{

<%51Testing软件测试网#P!do4L
~

'******************************************************************51Testing软件测试网?&R*nkTW;u

'CheckFileType 函数用来检查文件是否为图片文件

'参数filename是本地文件的路径

'如果是文件jpeg,gif,bmp,png图片中的一种，函数返回true，否则返回false

'******************************************************************

const adTypeBinary=1

dim jpg(1):jpg(0)=CByte(&HFF):jpg(1)=CByte(&HD8)51Testing软件测试网(Jq1J;W oh#N(Z*x

dim bmp(1):bmp(0)=CByte(&H42):bmp(1)=CByte(&H4D)

dim png(3):png(0)=CByte(&H89):png(1)=CByte(&H50):png(2)=CByte(&H4E):png(3)=CByte(&H47)

dim gif(5):gif(0)=CByte(&H47):gif(1)=CByte(&H49):gif(2)=CByte(&H46):gif(3)=CByte(&H39):gif(4)=CByte(&H38):gif(5)=CByte(&H61)

function CheckFileType(filename)51Testing软件测试网N+Glbs*c

on error resume next51Testing软件测试网5~1Y(RuAjq?(A/N(X(X

CheckFileType=false

dim fstream,fileExt,stamp,i

fileExt=mid(filename,InStrRev(filename,".")+1)51Testing软件测试网%Os%tQ+@]2M

set fstream=Server.createobject("ADODB.Stream")

fstream.Open51Testing软件测试网DC:G.nI sO(b

fstream.Type=adTypeBinary

fstream.LoadFromFile filename

fstream.position=051Testing软件测试网/kl7L g,vS*u x

select case fileExt

case "jpg","jpeg"51Testing软件测试网
jL0cq0pzf

stamp=fstream.read(2)51Testing软件测试网3K:BI.slQ

for i=0 to 1

if ascB(MidB(stamp,i+1,1))=jpg(i) then CheckFileType=true else CheckFileType=false51Testing软件测试网fV'I#V{ S1kL(kt

next

case "gif"

stamp=fstream.read(6)

for i=0 to 5

if ascB(MidB(stamp,i+1,1))=gif(i) then CheckFileType=true else CheckFileType=false51Testing软件测试网F$nD2k` [[{

next

case "png"

stamp=fstream.read(4)51Testing软件测试网4Xb:O DqQ[I;[

for i=0 to 3

if ascB(MidB(stamp,i+1,1))=png(i) then CheckFileType=true else CheckFileType=false51Testing软件测试网"Ye:_Z0A6A9P'd

next

case "bmp"

stamp=fstream.read(2)

for i=0 to 1

if ascB(MidB(stamp,i+1,1))=bmp(i) then CheckFileType=true else CheckFileType=false

next51Testing软件测试网fB6y5aM0t6c

end select

fstream.Close51Testing软件测试网W4Ed_9u

set fseteam=nothing

if err.number<>0 then CheckFileType=false

end function

%>

那么在应用的时候51Testing软件测试网 a4PL
r+L'Er R

CheckFileType(server.mappath("cnbruce.jpg"))

或者

CheckFileType("F:/web/164/images/cnbruce.jpg"))51Testing软件测试网,VR
aN UHG*z

反正即是检测验证本地物理地址的图像文件类型，返回 true 或 false值51Testing软件测试网V\B3J&z1NXE)X2{

所以这个情况应用在图像上传中，目前的办法是先允许该“伪图像”文件的上传，接着使用以上的自定义函数判断该文件是否符合图像的规范，若是木马伪装的图像文件则FSO删除之，比如：

则是先将文件上传，接着立马使用自定义函数判断文件图像类型的吻合性，FSO做出删除该文件的操作。51Testing软件测试网0fy(U!S+hF*J1oZdyq_

ASP上传漏洞还利用"\0"对filepath进行手脚操作51Testing软件测试网;s+mY)r+QFK"gn

http://www.hzd0.blog.163.com/blog/showlog.asp?cat_id=32&log_id=635

针对这样的情况可使用如下函数

接着就可判断后再做文件的上传

l~ps tJ0 

%kBT7F/|B/YQ0 51Testing软件测试网K3mJ7o,|n$P3Y8r

@.l}
B B;u,|#e0可将以下代码拷到DW再自行修改：51Testing软件测试网_c'kjf,_

5x+@/m j6w7Npr0<%@LANGUAGE="VBscrīpt" CODEPAGE="936"%>
)Xc1H9o'\8I2s7`Ad0<!--#include file="upload.inc"-->51Testing软件测试网6W.lCo3H0]/KbZw
<html>51Testing软件测试网(G,Z'o&f [K S+G7\@
<head>51Testing软件测试网d)yg C!c @#T
<title>文件上传</title>
Q+g_U }.Eu0<meta http-equiv="content-type" content="text/html;charset=gb2312">
ipQ @*z&Iy5T]*~0</head>
zv:fR[y0<body>
7}y2U2l/l0<%51Testing软件测试网IfltD)qP;Gp F*y
on error resume next51Testing软件测试网cW3a,\:ng
e\)|,X
dim upload,f_folder,file,formPath,iCount,filename,fileExt,filesizemin,filesizemax
8N-Nn ?&i/? RF|0'******************************************************************51Testing软件测试网F&x
m[
K}-D
'CheckFileType 函数用来检查文件是否为图片文件
b4N)Y N2N[0'参数filename是本地文件的路径51Testing软件测试网2wz'T6y-^J%zM,U3@
'如果是文件jpeg,gif,bmp,png图片中的一种，函数返回true，否则返回false
]2w Z6|n+~%A0'******************************************************************51Testing软件测试网$a1v6fO:U3uvQ
const adTypeBinary=151Testing软件测试网&LV"KVFgw

dim jpg(1):jpg(0)=CByte(&HFF):jpg(1)=CByte(&HD8)51Testing软件测试网3f'BI+I-} ].Y$kF|
dim bmp(1):bmp(0)=CByte(&H42):bmp(1)=CByte(&H4D)
V1s@J
tj*z"d4m,Z0dim png(3):png(0)=CByte(&H89):png(1)=CByte(&H50):png(2)=CByte(&H4E):png(3)=CByte(&H47)51Testing软件测试网]FQhT*r
dim gif(5):gif(0)=CByte(&H47):gif(1)=CByte(&H49):gif(2)=CByte(&H46):gif(3)=CByte(&H39):gif(4)=CByte(&H38):gif(5)=CByte(&H61)

function CheckFileType(filename)51Testing软件测试网]%Mh'WC/J^.L
CheckFileType=false
{3xV'p#[!C]q}$X0dim fstream,fileExt,stamp,i

H!]nTV.QG0w d0fileExt=mid(filename,InStrRev(filename,".")+1)
-@6P8y6BR"|G1w:U0set fstream=Server.createobject("ADODB.Stream")51Testing软件测试网-|+@ W d;p(p@8B|m
fstream.Open
3Ts
LKfc
Ai0fstream.Type=adTypeBinary51Testing软件测试网
|fl
\ x*J%_4A
fstream.LoadFromFile filename
|3o.`7a
@#c0fstream.position=051Testing软件测试网4I%I.Vy
N9Y
|6E
select case fileExt51Testing软件测试网 @![2lE!t2rO
case "jpg","jpeg"51Testing软件测试网$K!kd2h2S
stamp=fstream.read(2)51Testing软件测试网M+[8ks%O
X"X
for i=0 to 1
vRx.\X2} s2o-P0if ascB(MidB(stamp,i+1,1))=jpg(i) then CheckFileType=true else CheckFileType=false51Testing软件测试网Dl9]]6q|'Ug
next
{}s2N0XBs1r`0case "gif"
tlEcS5ij1s0stamp=fstream.read(6)51Testing软件测试网D+]0f8eL:D7vU+n
for i=0 to 5
Rn
`3s
FEbF:^0if ascB(MidB(stamp,i+1,1))=gif(i) then CheckFileType=true else CheckFileType=false51Testing软件测试网U+^,L~z+wb{ ?RF
next51Testing软件测试网R4m*i,^8t K-I
case "png"51Testing软件测试网8s1O9c1s(^
stamp=fstream.read(4)51Testing软件测试网aW yj9p|~7oz
for i=0 to 351Testing软件测试网|t6hR4aD w
if ascB(MidB(stamp,i+1,1))=png(i) then CheckFileType=true else CheckFileType=false
/WWl G GZ0next51Testing软件测试网;v5K_$A
hZz
case "bmp"51Testing软件测试网RnzHl:b
stamp=fstream.read(2)51Testing软件测试网$JyD8o;^)i n:}G
for i=0 to 1
MR-K X6g5L_0kVT!K&B4P
]0if ascB(MidB(stamp,i+1,1))=bmp(i) then CheckFileType=true else CheckFileType=false51Testing软件测试网;^^(zN+u$s6{2G v X7^
next51Testing软件测试网V`H9Y6O%y
end select
W7t{c'W$uT3Ew#u]0fstream.Close51Testing软件测试网 OO:B#nP
set fseteam=nothing51Testing软件测试网+u!`3f!Ia@;[
if err.number<>0 then CheckFileType=false
/gD M?@"|uqV0end function

function TrueStr(fileTrue)
"?riL&G.f,e&P0 str_len=len(fileTrue)
H:[0v _7FiiUY%f7A0 pos=Instr(fileTrue,chr(0))
;K ZU,d(X.y
X0 if pos=0 or pos=str_len then51Testing软件测试网 I#|q?Sz
 TrueStr=true51Testing软件测试网
kD4g"Y&X&zbUfM1ntk
 else51Testing软件测试网 pu8N?N&ST`O_+|
 TrueStr=false51Testing软件测试网5gi f8T&@!y9v?A
 end if51Testing软件测试网.oFsd3z0Y+J
end function51Testing软件测试网1X)L8l-D&i`

filesizemin=10051Testing软件测试网
eXEu/Q8XW3~+Is
filesizemax=200*1024
2F3J'[C*Wn;p b0set upload=new upload_5xSoft '建立上传对象51Testing软件测试网&s(f;YgB? h#Gn
f_folder=upload.form("upfilefolder")51Testing软件测试网B cY \V@UV2p

xQt r ]'A^3v8r9H/t0'********************************列出所有上传文件***************************************************51Testing软件测试网9zrZP3g1g6w
For each formName in upload.objFile
5r0]6z7O8S"F,G7c}.m+IA W0set file=upload.file(formName)
:P&UK H1W+F.|0If file.filesize>0 then

    '********************************检测文件大小***************************************************51Testing软件测试网)[+n|wW(MW
    If file.filesize<filesizemin Then51Testing软件测试网u^XL1\bg
        response.write "你上传的文件太小了　[ <a href=# ōnclick=history.go(-1)>重新上传</a> ]"51Testing软件测试网C0?2x3M(RJXN$C?
    ElseIf file.filesize>filesizemax then51Testing软件测试网*q'D]|A9]"V6qJ
        response.write "文件大小超过了 "&filesizemax&"字节 限制　[ <a href=# ōnclick=history.go(-1)>重新上传</a> ]"51Testing软件测试网 S vT_5B*o H5{1~*I
    End If

9jWtP'p|X4d0    '********************************检测文件类型****************************************************51Testing软件测试网&nOGwyk7_f4~
    fileExt=ucase(right(file.filename,4))
*K{T7Q@F.JwW4D0    uploadsuc=false51Testing软件测试网)hm8o2r C-Q
    Forum_upload="RAR|ZIP|SWF|JPG|PNG|GIF|DOC|TXT|CHM|PDF|ACE|MP3|WMA|WMV|MIDI|AVI|RM|RA|RMVB|MOV|XLS"51Testing软件测试网;Ra1?ECm I
    Forumupload=split(Forum_upload,"|")51Testing软件测试网 Q8m Xu xrp
    for i=0 to ubound(Forumupload)
g6iYKm5rZA0        if fileEXT="."&trim(Forumupload(i)) then51Testing软件测试网QV R,w;SfjL
            uploadsuc=true
~ Gp;nL)p3q0            exit for51Testing软件测试网NF"v[ X{&P4\?
        else
$|V!i%O0h0C;Y9l0            uploadsuc=false51Testing软件测试网(Pw!b(~!Q
        end if
+UP+~ V,V,F4S X0    next51Testing软件测试网%fy/[s8W%r5G
    if uploadsuc=false then51Testing软件测试网T-x$Q4FX3o
        response.write "文件格式不正确　[ <a href=# ōnclick=history.go(-1)>重新上传</a> ]"51Testing软件测试网
B"e$V5f F?8l$^
        response.end51Testing软件测试网$E,i`-a:M
    end if51Testing软件测试网*bn&U_?+[*q!UQ

/EjDZ;Y8oTi0    '********************************建立文件上传的目录文件夹****************************************51Testing软件测试网7H cITG
V2d
    Set upf=Server.CreateObject("scrīpting.FileSystemObject")
"Sk
]uL/Na0    If Err<>0 Then
Lp'T7_%aH#jq0        Err.Clear
.s2Ur8h"{*{_hf0        response.write("您的服务器不支持FSO")51Testing软件测试网N2e&qc*Ag i$\
        response.end
.TfS-HG^ ~0    End If51Testing软件测试网]a+Kl,E:] G
    f_type= replace(fileExt,".","")51Testing软件测试网a3}c:W"{9aQ3B
    f_name= year(now)&"-"&month(now)51Testing软件测试网't6pv.h/|5{ i
|F U
    If upf.FolderExists(Server.MapPath(f_folder&"/"&f_type&"/"&f_name))=False Then51Testing软件测试网+E(a G
D5^m:\,^:f
        If upf.FolderExists(Server.MapPath(f_folder&"/"&f_type))=False Then
\sl3Z"E0            If upf.FolderExists(Server.MapPath(f_folder))=False Then
M&Y.j.s#T4I:V9I0                upf.CreateFolder Server.MapPath(f_folder)51Testing软件测试网XwzHvux!u
                upf.CreateFolder Server.MapPath(f_folder&"/"&f_type)
/D!UKg#B | [6CY0                upf.CreateFolder Server.MapPath(f_folder&"/"&f_type&"/"&f_name)51Testing软件测试网"{0pr}i@
            Else51Testing软件测试网o4BS3goE{
                upf.CreateFolder Server.MapPath(f_folder&"/"&f_type)51Testing软件测试网bY R ~4_H]X ~
                upf.CreateFolder Server.MapPath(f_folder&"/"&f_type&"/"&f_name)
8tsw`9T ['\p |,}0            End If
GV!X2O9{%CSS0        Else51Testing软件测试网dIr*Yq@x9h8P?
            upf.CreateFolder Server.MapPath(f_folder&"/"&f_type&"/"&f_name)
vXB!c9a)\*\g/O0        End If
-O.FT$A OU(J'~0    End If51Testing软件测试网*w(H!_ B1y
    f_ftn=f_folder&"/"&f_type&"/"&f_name
e4M;w s,rR0    Set upf=Nothing51Testing软件测试网+FWTH*{q}M}/y

v4e2GX9nZw0    '********************************保存上传文件至文件夹*****************************************
'H5i bv.]*rg;}0    randomize
Ym9HbF5Gk9uh0    ranNum=int(90000*rnd)+10000
8B9p6i`8irJ0    filename=f_ftn&"/"&day(now)&"-"&ranNum&"-"&file.filename51Testing软件测试网.i,Q1~n%s$rr
    if TrueStr(filename)=false then
1@| cG3Q-D'hS5@*A0        response.write "非法文件"
(l&`(R"y(tq3qdqW0        response.end51Testing软件测试网2Fnl"^-ast
    end if51Testing软件测试网*]3nOpRx
    if file.filesize>filesizemin and file.filesize<filesizemax then51Testing软件测试网1Gx"Ay#e;^*A+RSz
    file.SaveAs Server.mappath(filename)  '保存文件51Testing软件测试网 W\8nYY1Q4{"T'wF1D7Pc
        if f_type="JPG" or f_type="GIF" or f_type="PNG" then51Testing软件测试网iVw$juN
            If not CheckFileType(Server.mappath(filename)) then51Testing软件测试网7] h0Be7X
            response.write "错误的图像格式 　[ <a href=# ōnclick=history.go(-1)>重新上传</a> ]"
x
Hr-jt0            Set fso = CreateObject("scrīpting.FileSystemObject")51Testing软件测试网Wovn.FQ7A6b\
            Set ficn = fso.GetFile(Server.mappath(filename))
o9DnZ.?[d4^cC0            ficn.delete
*d;Bu"W e.{7r.I#D Ur0            set ficn=nothing
Zy1H Q7pe's+D7k0            set fso=nothing51Testing软件测试网*|4B1m9n/`R)I
            response.end51Testing软件测试网-rz`h/h^ V,g
            end if
J'B*_ p5^qA0            response.write "<scrīpt>parent.cn_bruce.cn_content.value+='[img]"&filename&"[/img]'</scrīpt>"
OG%upW0        ElseIf f_type="ZIP" or f_type="RAR" or f_type="DOC" or f_type="TXT" then51Testing软件测试网5LT\,x ]&o+s
            response.write "<scrīpt>parent.cn_bruce.cn_content.value+='[url]"&filename&"[/url]'</scrīpt>"
:vI@Y.GzI-h0        'ElseIf51Testing软件测试网 J?b-Eu\1HA7gz
        else51Testing软件测试网,}K$uN/D*@)H
            response.write "<scrīpt>parent.cn_bruce.cn_content.value+=' "&filename&" '</scrīpt>"
k.`S#^@~2l;S_0        end if51Testing软件测试网:O D6\I y9C+W
        iCount=iCount+151Testing软件测试网h8T
N| i
    end if51Testing软件测试网
r1x'm6r],K"ai*O
set file=nothing
Ya8u.kX$NOif0end if
(J ~#z$t"^0L`8p0next
8ao(D
}!Fu)T9v0set upload=nothing '删除此对象51Testing软件测试网^y(lh _$r'U2]%i

response.write (iCount&" 个文件上传成功! <a href=# ōnclick=history.go(-1)>继续上传</a>")51Testing软件测试网MPb*^k1v(m
%>
%p F p F~~
P0</body>51Testing软件测试网 Q6e sLzb
</html>
$@$f OJ%z ]:R051Testing软件测试网A7B%J yQ8Z@-c%JE