Most of us have heard of the ASP upload vulnerability. The principle is to rename a Trojan (webshell) file with an image extension and upload it.
Note: CheckFileType cannot detect files disguised with a GIF89a header.
Use the following function to identify this situation:
<%
'*****************************************************************
'The CheckFileType function checks whether a file is an image file
'The parameter filename is the path of the local file
'If it is a jpeg, gif, bmp or png file the function returns true, otherwise false
'*****************************************************************
const adTypeBinary=1
dim jpg(1):jpg(0)=CByte(&HFF):jpg(1)=CByte(&HD8)
dim bmp(1):bmp(0)=CByte(&H42):bmp(1)=CByte(&H4D)
dim png(3):png(0)=CByte(&H89):png(1)=CByte(&H50):png(2)=CByte(&H4E):png(3)=CByte(&H47)
dim gif(5):gif(0)=CByte(&H47):gif(1)=CByte(&H49):gif(2)=CByte(&H46):gif(3)=CByte(&H39):gif(4)=CByte(&H38):gif(5)=CByte(&H61)
function CheckFileType(filename)
  on error resume next
  CheckFileType=false
  filename=LCase(filename)
  dim fstream,fileExt,stamp,i
  fileExt=mid(filename,InStrRev(filename,".")+1)
  set fstream=Server.CreateObject("ADODB.Stream")
  fstream.Open
  fstream.Type=adTypeBinary
  fstream.LoadFromFile filename
  fstream.Position=0
  'Every leading byte must match the signature; a single mismatch fails the file
  select case fileExt
    case "jpg","jpeg"
      stamp=fstream.Read(2)
      CheckFileType=true
      for i=0 to 1
        if AscB(MidB(stamp,i+1,1))<>jpg(i) then CheckFileType=false: exit for
      next
    case "gif"
      stamp=fstream.Read(6)
      CheckFileType=true
      for i=0 to 5
        if AscB(MidB(stamp,i+1,1))<>gif(i) then CheckFileType=false: exit for
      next
    case "png"
      stamp=fstream.Read(4)
      CheckFileType=true
      for i=0 to 3
        if AscB(MidB(stamp,i+1,1))<>png(i) then CheckFileType=false: exit for
      next
    case "bmp"
      stamp=fstream.Read(2)
      CheckFileType=true
      for i=0 to 1
        if AscB(MidB(stamp,i+1,1))<>bmp(i) then CheckFileType=false: exit for
      next
  end select
  fstream.Close
  set fstream=nothing
  'A read error (missing file, file shorter than the signature) also fails the check
  if err.number<>0 then CheckFileType=false
end function
%>
Then, when applying it:
CheckFileType(Server.MapPath("cnbruce.jpg"))
or
CheckFileType("F:/web/164/images/cnbruce.jpg")
In either case it checks the image type of a file at a local physical path and returns true or false.
This suits image uploads. The current method is to first allow the pseudo image file to be uploaded, then use the custom function above to decide whether the file meets the image specification. If it is a Trojan disguised as an image file, FSO deletes it, for example:
file.SaveAs Server.MapPath(filename) 'Save the file
If not CheckFileType(Server.MapPath(filename)) then
  response.write "wrong image format"
  Set fso = CreateObject("Scripting.FileSystemObject")
  Set ficn = fso.GetFile(Server.MapPath(filename))
  ficn.Delete
  set ficn=nothing
  set fso=nothing
  response.end
end if
The ASP upload vulnerability also uses a NUL byte (\0) to truncate the file path.
http://www.vevb.com/blog/showlog.asp?cat_id=32&log_id=635
For this situation, you can use the following function:
function TrueStr(fileTrue)
  dim str_len,pos
  str_len=len(fileTrue)
  'Position of the first NUL byte; 0 means none
  pos=Instr(fileTrue,chr(0))
  if pos=0 or pos=str_len then
    TrueStr=true
  else
    TrueStr=false
  end if
end function
Then make the check before saving the file:
if TrueStr(filename)=false then
  response.write "illegal file"
  response.end
end if
file.SaveAs Server.MapPath(filename)
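As an added example (not code from the original post), here is a Python port of both checks that combines them into one upload validator: every signature byte must match, so a file whose last header byte happens to be right is still rejected, and a name containing an embedded NUL is refused before anything is written. Storing the file under a server-generated name is an extra hardening step beyond the ASP code, and the sample inputs are constructed.

```python
import os
import secrets

# Leading bytes ("magic numbers") for the image types the ASP code accepts.
# Like the original, only the GIF89a variant of GIF is recognised.
MAGIC = {
    "jpg":  b"\xFF\xD8",
    "jpeg": b"\xFF\xD8",
    "gif":  b"GIF89a",
    "png":  b"\x89PNG",
    "bmp":  b"BM",
}


def check_file_type(data: bytes, ext: str) -> bool:
    """Port of CheckFileType: the file content must start with the full
    signature of the claimed extension; any mismatch fails the check."""
    sig = MAGIC.get(ext.lower())
    if sig is None:
        return False
    return data[:len(sig)] == sig


def true_str(filename: str) -> bool:
    """Port of TrueStr: reject a name with an embedded NUL byte, which would
    truncate the path in the saving layer. As in the original, a NUL in the
    final position is tolerated."""
    pos = filename.find("\x00")
    return pos == -1 or pos == len(filename) - 1


def validate_upload(filename: str, data: bytes) -> tuple:
    """Run both checks in the order the post uses and return
    (ok, reason, stored_name). The stored name is generated server-side
    (hypothetical hardening, not part of the original ASP code)."""
    if not true_str(filename):
        return (False, "illegal file", None)
    ext = os.path.splitext(filename.replace("\x00", ""))[1].lstrip(".").lower()
    if not check_file_type(data, ext):
        return (False, "wrong image format", None)
    return (True, "ok", f"{secrets.token_hex(8)}.{ext}")
```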