This article introduces the principle of, and the fix for, the chr(0) file upload vulnerability in ASP. The chr(0) vulnerability can bypass extension checks when uploading files and is very harmful; readers who need it can refer to it.
When we build a file upload feature in ASP, we usually restrict which files can be uploaded so that users cannot upload Trojan programs. A common method is to check whether the extension of the uploaded file is permitted: the Right string function retrieves the last four characters of the file name, which is easy to compare. But this check contains a very dangerous vulnerability, the chr(0) vulnerability. Please read on for details.
1. First, what is chr(0)?
In ASP, the chr() function returns the character for an ASCII code, and chr(0) is the null (end-of-string) character. Simply put, when a string contains chr(0), only the characters in front of chr(0) are output; the characters after chr(0) are not. An example illustrates this:
The code is as follows:
<% Response.Write "HTMer.com" & Chr(0) & "Welcome" %>
Run the above code under IIS and only "HTMer.com" is output; the following "Welcome" is gone, because once chr(0) is read the string is considered to have ended.
2. How the chr(0) vulnerability is used in uploads:
Assume I have set up the ASP program to accept only jpg uploads. Here is how the chr(0) vulnerability is used to upload an ASP Trojan:
Assume there is an ASP Trojan file called htmer.asp, which I rename to "htmer.asp .jpg". Notice the space in the middle: when the file name is read, that space is treated as chr(0). When right("htmer.asp .jpg", 4) is evaluated, the result is indeed ".jpg", so the check passes. But when "htmer.asp .jpg" is actually read to generate the file on disk, the system treats the string as ended at chr(0), so the trailing ".jpg" is dropped and the uploaded file is saved as htmer.asp. What that means should be clear.
3. How to fix the chr(0) vulnerability
The fix is to check whether the uploaded file name contains chr(0), and to strip the chr(0) character with ASP's Replace function.
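As an added example (not code from the article), here is a classic ASP validation function that refuses a file name containing chr(0) instead of replacing it, strips any client-supplied directory part, and judges the extension after the last dot rather than with Right(name, 4). The function name IsSafeUploadName and the allow list are assumptions; the file name is assumed to arrive from the upload component as a plain string.

```vbscript
<%
' Added example (not from the article): validate an uploaded file name
' before it is used to build a path on disk. The name is assumed to come
' from the upload component as a plain string (sFileName).
Function IsSafeUploadName(sFileName)
    Dim sName, sExt, aAllowed, i, nDot
    IsSafeUploadName = False
    sName = sFileName

    ' 1. Refuse outright if chr(0) appears anywhere in the name. The article
    '    replaces it; refusing is stricter, because a legitimate file name
    '    never contains a null byte.
    If InStr(sName, Chr(0)) > 0 Then Exit Function

    ' 2. Drop any directory part the client sent, so the saved file cannot
    '    land outside the upload folder.
    If InStrRev(sName, "\") > 0 Then sName = Mid(sName, InStrRev(sName, "\") + 1)
    If InStrRev(sName, "/") > 0 Then sName = Mid(sName, InStrRev(sName, "/") + 1)
    If Len(sName) = 0 Then Exit Function

    ' 3. Take the extension after the LAST dot instead of Right(sName, 4),
    '    so the real suffix is judged and a name without a dot is refused.
    nDot = InStrRev(sName, ".")
    If nDot = 0 Then Exit Function
    sExt = LCase(Mid(sName, nDot + 1))

    ' 4. Compare against an allow list (assumed here); anything else is refused.
    aAllowed = Array("jpg", "jpeg", "gif", "png")
    For i = 0 To UBound(aAllowed)
        If sExt = aAllowed(i) Then IsSafeUploadName = True
    Next
End Function

' Demonstration on constructed names: the article's hostile name built with
' a real Chr(0), and an ordinary image name.
Response.Write IsSafeUploadName("htmer.asp" & Chr(0) & ".jpg") & "<br>"
Response.Write IsSafeUploadName("photo.jpg") & "<br>"
%>
```

Call the function before any Server.MapPath or file write, and generate the stored file name on the server side where possible so the client's name is never used as a path directly.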