The ASP upload vulnerability I hear about most often works like this: the attacker takes a Trojan (a web shell written in ASP), renames it with an image suffix such as .jpg, and uploads it through a form that only looks at the file extension.
For this case, the following function tells a real image from a renamed script by reading the file's signature bytes (magic numbers) instead of trusting the suffix:
The code is as follows:
<%
'******************************************************************************
' CheckFileType checks whether a file really is an image by reading its
' signature bytes (magic numbers) instead of trusting the file extension.
' The parameter filename is the physical path of the file on the server.
' Returns True if the extension is jpg/jpeg, gif, png or bmp AND the first
' bytes of the file match the signature for that type; otherwise False.
'******************************************************************************
Const adTypeBinary = 1
' Signatures: JPEG = FF D8, BMP = "BM", PNG = 89 "PNG", GIF = "GIF89a"
' (a GIF87a file starts with "GIF87a" and is not in this table, so it is rejected)
Dim jpg(1) : jpg(0) = CByte(&HFF) : jpg(1) = CByte(&HD8)
Dim bmp(1) : bmp(0) = CByte(&H42) : bmp(1) = CByte(&H4D)
Dim png(3) : png(0) = CByte(&H89) : png(1) = CByte(&H50) : png(2) = CByte(&H4E) : png(3) = CByte(&H47)
Dim gif(5) : gif(0) = CByte(&H47) : gif(1) = CByte(&H49) : gif(2) = CByte(&H46) : gif(3) = CByte(&H39) : gif(4) = CByte(&H38) : gif(5) = CByte(&H61)

Function CheckFileType(filename)
    On Error Resume Next
    CheckFileType = False
    Dim fstream, fileExt, stamp, i
    ' Extension after the last dot, lower-cased so "photo.JPG" is handled too
    fileExt = LCase(Mid(filename, InStrRev(filename, ".") + 1))
    Set fstream = Server.CreateObject("ADODB.Stream")
    fstream.Open
    fstream.Type = adTypeBinary
    fstream.LoadFromFile filename
    fstream.Position = 0
    ' Each branch reads as many bytes as the signature is long and compares
    ' them one by one; the first mismatch sets the result to False and stops.
    Select Case fileExt
        Case "jpg", "jpeg"
            stamp = fstream.Read(2)
            CheckFileType = True
            For i = 0 To 1
                If AscB(MidB(stamp, i + 1, 1)) <> jpg(i) Then CheckFileType = False : Exit For
            Next
        Case "gif"
            stamp = fstream.Read(6)
            CheckFileType = True
            For i = 0 To 5
                If AscB(MidB(stamp, i + 1, 1)) <> gif(i) Then CheckFileType = False : Exit For
            Next
        Case "png"
            stamp = fstream.Read(4)
            CheckFileType = True
            For i = 0 To 3
                If AscB(MidB(stamp, i + 1, 1)) <> png(i) Then CheckFileType = False : Exit For
            Next
        Case "bmp"
            stamp = fstream.Read(2)
            CheckFileType = True
            For i = 0 To 1
                If AscB(MidB(stamp, i + 1, 1)) <> bmp(i) Then CheckFileType = False : Exit For
            Next
        ' Any other extension falls through and keeps the initial False
    End Select
    fstream.Close
    Set fstream = Nothing
    ' Any runtime error (file missing, file shorter than the signature,
    ' ADODB.Stream unavailable) fails closed
    If Err.Number <> 0 Then CheckFileType = False
End Function
%>
To call it:
The code is as follows: CheckFileType(Server.MapPath("cnbruce.jpg"))
or
CheckFileType("F:/web/164/images/cnbruce.jpg")
Either way, the function takes the physical path of a file on the server, checks the file's signature against what its extension claims, and returns True or False.
So in image upload handling the current approach is: first accept the "pseudo-image" upload (anything whose suffix says it is an image), then run the function above to decide whether the file really carries an image signature; if it turns out to be a Trojan disguised as an image, delete it with FSO. Two caveats a practitioner should keep in mind. First, a signature check only proves the first few bytes look like an image: a file that begins with a valid GIF or JPEG header and carries ASP code after it passes this check unchanged, so the check must sit alongside a strict extension whitelist and an upload directory where script execution is disabled; what ultimately matters is whether the web server will ever execute the file, not whether it starts like an image. Second, because the file is saved before it is checked, it briefly exists on disk under its final name; saving it outside the web root or under a temporary name, checking it, and only then moving it into place closes that window. Example:
The code is as follows:
file.SaveAs Server.MapPath(filename)   ' save the uploaded file
If Not CheckFileType(Server.MapPath(filename)) Then
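As an added illustration, not code from the original page, here is the same signature check in Python, run against four constructed sample files: a genuine GIF, a script renamed to .jpg, a polyglot that starts with a valid GIF header and then carries ASP script delimiters, and a plain .asp file. The sample contents, the file names and the `<%` marker heuristic in `contains_script` are assumptions made for the demo; the point it shows is that the signature check alone accepts the polyglot, which is why it cannot be the only control.

```python
import os
import tempfile

# Signature table keyed by the extension the caller claims; these are the
# same byte sequences the ASP CheckFileType function compares.
SIGNATURES = {
    "jpg":  b"\xff\xd8",
    "jpeg": b"\xff\xd8",
    "gif":  b"GIF89a",
    "png":  b"\x89PNG",
    "bmp":  b"BM",
}


def check_file_type(path):
    """Return True only if the extension is an image type in the table and
    the first bytes of the file equal that type's signature."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    sig = SIGNATURES.get(ext)
    if sig is None:
        return False                      # unknown or non-image extension: reject
    with open(path, "rb") as f:
        return f.read(len(sig)) == sig    # short file reads fewer bytes and fails


def contains_script(path, marker=b"<%"):
    """Heuristic (an assumption for this demo): report whether an ASP script
    delimiter appears anywhere in the file, header or not."""
    with open(path, "rb") as f:
        return marker in f.read()


# Constructed sample uploads, not real files. The "script" payload is a
# harmless Response.Write; any <% ... %> block would be executed the same way.
ASP_SNIPPET = b'<% Response.Write("not really an image") %>'
SAMPLES = {
    "genuine.gif":  b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 16,
    "renamed.jpg":  ASP_SNIPPET,                          # script with an image suffix
    "polyglot.gif": b"GIF89a" + b"\x00" * 8 + ASP_SNIPPET,  # valid header, script after it
    "script.asp":   ASP_SNIPPET,
}


def run_samples():
    """Write the samples to a temporary directory and return, per file,
    (passes_signature_check, contains_script_marker)."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in SAMPLES.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            results[name] = (check_file_type(p), contains_script(p))
    return results


if __name__ == "__main__":
    for name, (header_ok, has_script) in run_samples().items():
        print(f"{name:13} signature ok={header_ok!s:5} script marker={has_script}")
```

`renamed.jpg` is caught because its first two bytes are `<%`, not `FF D8`, but `polyglot.gif` passes the signature check while still containing a script block. The marker scan is only a demonstration of the gap; the reliable controls are the extension whitelist and serving uploads from a location where ASP is not executed.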