简单分析一个上传函数 上传漏洞突破 – 网站安

时间: 2020-10-10|tag: 53次围观|0 条评论

 

Function fnUploadImg(ByVal upFile As HttpPostedFile, ByVal uploadPath As String) As String 
    Dim result As String = "" 
    Dim intImgSize As Int32 
    intImgSize = upFile.ContentLength 
    If intImgSize <> 0 Then 
        If intImgSize > 500000 Then 
            result = "图片太大" 
            Return result 
            Exit Function 
        End If 
        Dim strImgType As String = upFile.ContentType 
        '只接受.jpg格式的图片 
        Dim filesplit() As String = Split(strImgType, "/") 
        strImgType = filesplit(filesplit.Length - 1) 
        If strImgType = "jpg" Or strImgType = "jpeg" Then 
        Else 
            result = "图片格式错误" 
            Return result 
            Exit Function 
        End If 
        filesplit = Split(upFile.FileName, "\") 
        Dim filename As String = filesplit(filesplit.Length - 1) 
        upFile.SaveAs(Server.MapPath("upload\location\" & uploadPath) & "\" & filename) 
         Dim imgpath As String = "upload/location/" & uploadPath & "/" & filename 
         result = imgpath 
        Return result 
    End If 
End Function

突破方法:上传任意文件,抓包修改Content-Type为:image/jpeg

    上一篇: 维科家纺一分机服务器弱口令信息泄漏直接渗透

    下一篇: Discuz附件下载权限绕过方法 - 网站安全 - 自学p
本博客所有文章如无特别注明均为原创。
复制或转载请以超链接形式注明转自起风了,原文地址《简单分析一个上传函数 上传漏洞突破 – 网站安
   

还没有人抢沙发呢~