利用条件:

1.iis版本为6.0 


2.上传文件名不会重命名

利用:

 上传一个jpg木马图片，名字为 cs.asp:.jpg。注意：默认 Windows 是不允许文件名含 :(冒号) 的，所以需要抓包后再改!!

 上传成功后，IIS 会忽略掉 : 后面的字符，也就是成了 cs.asp。但是服务端接收时判断文件后缀，取到的仍然是 .jpg，于是绕过了后缀检测。

 

IIS 接收到的数据是完整的 cs.asp:.jpg，但是真正写到磁盘的文件，应该是由于 Windows 不允许文件名带 :，所以 IIS 直接去掉了 : 后面的部分。这与 %00 截断应该不一样：%00 截断是直接截断了后面的内容，这样的话如果在前面有检测就无法通过检测了。

 

附上测试代码

  1 <form action=”1.asp?s=ys” method=”post”
  2 enctype=”multipart/form-data” name=”form1″>
  3 file:<input name=”FormNameItem” type=”file” />
  4 <button type=”submit”>提交</button>
  5 </form>
  6 <%
' Test harness for the write-up. When the page is requested with the query
' parameter "s", the multipart body is parsed by UpFileClass and every
' uploaded part is written under server.MapPath("\") (the web root).
' FileName and FileExtName are read from the parsed part but never checked
' before the save: no extension allow-list, no normalisation, no server-side
' rename. That missing check is what the write-up's ":" trick relies on — the
' submitted name still ends in ".jpg" while the name that reaches the
' filesystem does not.
' NOTE(review): this listing was extracted with its own line numbers fused
' into the text and several lines truncated; it is a reference, not runnable code.
  7 if len(Request(“s”))>0 then
  8 Set oFileObj = New UpFileClass
  9 oFileObj.GetData
 10 For Each FormNameItem in oFileObj.File
 11 FileName = oFileObj.File(FormNameItem).FileName
 12 FileExtName = oFileObj.File(FormNameItem).FileExt
 13 FileContent = oFileObj.File(FormNameItem).FileData
' The SaveToFile path argument is cut off in the extraction; the Response.Write
' on the following line suggests it ends in "\0.asp:.jpg" — confirm against
' the original post. Line 16 ("Next") is fused onto the end of line 15.
 14 oFileObj.File(FormNameItem).SaveToFile server.MapPath(“\”) &
 15 Response.Write server.MapPath(“\”) & “\0.asp:.jpg OK! 16  23.Next
 17 end if
' Page-level ADODB.Stream holding the raw request body. It is filled by
' UpFileClass.GetData and read back by FileObj_Class (SaveToFile, FileData),
' which is why it lives outside both classes.
 18 Dim UpFileStream
 19 Class UpFileClass
' Multipart/form-data parser. GetData copies the whole request body into the
' page-level UpFileStream and fills two Scripting.Dictionary objects:
'   Form - ordinary fields keyed by field name (repeats are joined with ", ")
'   File - uploaded parts keyed by field name, each a FileObj_Class
' Err is -1 from construction; GetData sets it to 1 only when the request
' has no body (before the dictionaries are created).
 20 Dim Form,File,Err
' Constructor: nothing parsed yet.
 21 Private Sub Class_Initialize
 22 Err = -1
 23 End Sub
' Destructor. Err stays -1 after a successful parse, so the cleanup below runs
' exactly when Form/File/UpFileStream were actually created.
 24 Private Sub Class_Terminate
 25 ' Release variables and objects
 26 If Err < 0 Then
 27 Form.RemoveAll
 28 Set Form = Nothing
 29 File.RemoveAll
 30 Set File = Nothing
' The next two lines each carry two statements fused by the extraction
' ("Set UpFileStream = Nothing" and "End Sub").
 31 UpFileStream.Close 40.Set UpFileStream = Nothing
 32 End If 42.End Sub
' Read-only accessor for Err. NOTE(review): the listing assigns to "ErrErrNum";
' this looks like the same name-doubling seen on lines 59 and 117 of the
' listing — a working property would assign to ErrNum.
 33 Public Property Get ErrNum()
 34 ErrErrNum = Err 46.End Property
' Parse the request body. Reads Request.BinaryRead in 100 KB chunks into
' UpFileStream, locates the boundary string, then walks the parts: a part
' whose headers contain filename="..." becomes a FileObj_Class recording
' where its bytes sit in UpFileStream; any other part is stored in Form.
' Sets Err = 1 and returns if the request carries no body.
' Security note: the file name, path, extension and Content-Type are copied
' verbatim from the client-supplied part headers and nothing here validates
' them. FileExt in particular is whatever the client sent, so an extension
' check built on it says nothing about the name the filesystem will finally use.
 35 Public Sub GetData ()
 36 ' Declare variables (line 37 is truncated in the extraction: "tStream")
 37 Dim RequestBinData,sSpace,bCrLf,sObj,iObjStart,iObjEnd,tStrea
 38 Dim iFileSize,sFilePath,sFileType,sFormValue,sFileName
 39 Dim iFindStart,iFindEnd
 40 Dim iFormStart,iFormEnd,sFormName
' Empty-body guard; the extraction fused it with two comments. Read it as
' "If Request.TotalBytes < 1 Then".
 41 ’代码开始56.If Request.TotalBytes < 1 Then ‘如果没有数据
 42 Err = 1
 43 Exit Sub
 44 End If
' CompareMode = 1 gives case-insensitive keys on both dictionaries.
 45 Set Form = CreateObject (“Scripting.Dictionary”)
 46 Form.CompareMode = 1
 47 Set File = CreateObject (“Scripting.Dictionary”)
 48 File.CompareMode = 1
 49 Set tStream = CreateObject (“ADODB.Stream”)
' Binary (Type = 1), read/write (Mode = 3) stream for the raw body.
 50 Set UpFileStream = CreateObject (“ADODB.Stream”)
 51 UpFileStream.Type = 1
 52 UpFileStream.Mode = 3
 53 UpFileStream.Open
 54 dim ReadedBytes,ChunkBytes
 55 ReadedBytes=0
 56 ChunkBytes=1024*100 ' 100 KB chunked read
' Copy the body chunk by chunk. Line 59 has the variable name doubled by the
' extraction (read as "ReadedBytes = ReadedBytes + ChunkBytes") and line 60 is
' cut off; it clamps ReadedBytes to Request.TotalBytes after the last chunk.
 57 Do While ReadedBytes < Request.TotalBytes
 58 UpFileStream.Write Request.BinaryRead(ChunkBytes)
 59 ReadedBytesReadedBytes = ReadedBytes + ChunkBytes
 60 If ReadedBytes > Request.TotalBytes Then ReadedBytes = Reque
 61 Loop
' Commented-out alternative: read the whole body in one call.
 62 ’UpFileStream.Write (Request.BinaryRead(Request.TotalBytes))
 63 UpFileStream.Position = 0
 64 RequestBinData=UpFileStream.Read
 65 iFormEnd = UpFileStream.Size
 66 bCrLf = ChrB (13) & ChrB (10)
' Lines 67-69 are garbled. Together they take the boundary separator (sSpace)
' from the bytes before the first CRLF, its length (iStart), and set the
' offset of the first part (iFormStart = iStart+2).
 67 .’取得每个项目之间的分隔符84.sSpace=Mi
 68 RequestBinData,bCrLf)-1) 85.iStart=LenB (sSpace)
 69 iFormStart = iStart+2 87.’分解项目
' One iteration per multipart part.
 70 Do
' iObjEnd: offset just past the blank line that ends this part's headers.
 71 iObjEnd=InStrB(iFormStart,RequestBinData,bCrLf & bCrLf)+3
' Copy the header bytes into tStream and decode them as gb2312 text
' (lines 74 and 77 each hold two fused statements).
 72 tStream.Type = 1
 73 tStream.Mode = 3
 74 tStream.Open 93.UpFileStream.Position = iFormStart
 75 UpFileStream.CopyTo tStream,iObjEnd-iFormStart
 76 tStream.Position = 0
 77 tStream.Type = 2 97.tStream.CharSet = “gb2312″
 78 sObj = tStream.ReadText
' sObj now holds the part headers. The fused statement on line 79 moves
' iFormStart to the next boundary (used below as the end of this part).
 79 ’取得表单项目名称100.iFormStart = InStrB (iObjEnd,RequestBinData,sSpace)-1
' Field name: the text between name=" and the next quote.
 80 iFindStart = InStr (22,sObj,”name=”"”,1)+6
 81 iFindEnd = InStr (iFindStart,sObj,”"",1)
 82 sFormName = Mid (sObj,iFindStart,iFindEnd-iFindStart)
' File branch, fused with the "Set oFileObj = new FileObj_Class" that follows
' it: a part is a file whenever its headers contain filename="...".
 83 ’如果是文件105.If InStr (45,sObj,”filename=”"”,1) > 0 Then 106.Set oFileObj = new  FileObj_Class
 84 ' Read the file attributes from the part headers
 85 iFindStart = InStr (iFindEnd,sObj,”filename=”"”,1)+10
 86 iFindEnd = InStr (iFindStart,sObj,”"",1)
 87 sFileName = Mid (sObj,iFindStart,iFindEnd-iFindStart)
' Lines 88-90 are truncated; they split the client-supplied sFileName into
' name, path and extension with InStrRev. None of the three is sanitised.
 88 oFileObj.FileName = Mid (sFileName,InStrRev (sFileNam
 89 oFileObj.FilePath = Left (sFileName,InStrRev (sFileName,
 90 oFileObj.FileExt = Mid (sFileName,InStrRev (sFileName, “
' Content-Type value, up to the CR that ends its header line (line 93 truncated).
 91 iFindStart = InStr (iFindEnd,sObj,”Content-Type: “,1)+14
 92 iFindEnd = InStr (iFindStart,sObj,vbCr)
 93 oFileObj.FileType = Mid (sObj,iFindStart,iFindEnd-iFindSt
' The file bytes are not copied: the object stores their offset and length
' inside UpFileStream (FileSize excludes the CRLF before the next boundary).
 94 oFileObj.FileStart = iObjEnd
 95 oFileObj.FileSize = iFormStart -iObjEnd -2
 96 oFileObj.FormName = sFormName
 97 File.add sFormName,oFileObj
 98 else
 99 ' Ordinary form field: decode the part body as gb2312 text
100 tStream.Close
101 tStream.Type = 1
102 tStream.Mode = 3
103 tStream.Open
104 UpFileStream.Position = iObjEnd
105 UpFileStream.CopyTo tStream,iFormStart-iObjEnd-2
106 tStream.Position = 0
107 tStream.Type = 2
108 tStream.CharSet = “gb2312″
109 sFormValue = tStream.ReadText
' Repeated field names are joined with ", " (line 111 is truncated).
110 If Form.Exists(sFormName)Then
111 Form (sFormName) = Form (sFormName) & “, ” & sForm
112 else
113 form.Add sFormName,sFormValue
114 End If
115 End If
116 tStream.Close
' Advance past the boundary (name doubled by the extraction; read as
' "iFormStart = iFormStart+iStart+2").
117 iFormStartiFormStart = iFormStart+iStart+2
118 ' Stop once the end of the body is reached
119 Loop Until (iFormStart+2) >= iFormEnd
120 RequestBinData = “”
121 Set tStream = Nothing
' KS is never assigned anywhere in this listing; this line does nothing.
122 Set KS=Nothing
123 End Sub
124 End Class
125 ’—————————————————————
126 ' File attribute class
' One uploaded part: the form field name, the client-supplied file name /
' path / extension / Content-Type (copied verbatim from the part headers by
' UpFileClass.GetData, unvalidated), and the byte offset (FileStart) and
' length (FileSize) of the file body inside the page-level UpFileStream.
' Line 128 is truncated in the extraction (the last member is FileStart).
127 Class FileObj_Class
128 Dim FormName,FileName,FilePath,FileSize,FileType,FileS
' Write the file bytes to Path. Line 129 fuses a comment with the signature;
' read it as "Public Function SaveToFile (Path)". The caller supplies Path
' and nothing here checks or normalises it.
129 ’保存文件方法154.Public Function SaveToFile (Path)
130 ’On Error Resume Next
131 Dim oFileStream
' Binary read/write scratch stream: copy FileSize bytes starting at FileStart.
132 Set oFileStream = CreateObject (“ADODB.Stream”)
133 oFileStream.Type = 1
134 oFileStream.Mode = 3
135 oFileStream.Open
136 UpFileStream.Position = FileStart
137 UpFileStream.CopyTo oFileStream,FileSize
' Save option 2 = adSaveCreateOverWrite: an existing file at Path is replaced.
138 oFileStream.SaveToFile Path,2
139 oFileStream.Close
140 Set oFileStream = Nothing
' KS is never assigned anywhere in this listing; this line does nothing.
141 Set KS=Nothing
142 End Function
143 ' Return the file bytes
' Reads FileSize bytes from the shared stream starting at FileStart.
144 Public Function FileData
145 UpFileStream.Position = FileStart
146 FileData = UpFileStream.Read (FileSize)
147 End Function
148 End Class
149 %>

 
