Upload function, looking for a bypass: a quick analysis of an upload function

admin | 2021-04-02 19:38:24 | 30 views

Upload function, looking for a bypass

thesums | 2013-12-25 14:04

Function fnUploadImg(ByVal upFile As HttpPostedFile, ByVal uploadPath As String) As String
    Dim result As String = ""
    Dim intImgSize As Int32
    intImgSize = upFile.ContentLength
    If intImgSize <> 0 Then
        If intImgSize > 500000 Then
            result = "Image too large"
            Return result
            Exit Function
        End If
        Dim strImgType As String = upFile.ContentType
        ' Only .jpg images are accepted
        Dim filesplit() As String = Split(strImgType, "/")
        strImgType = filesplit(filesplit.Length - 1)
        If strImgType = "jpg" Or strImgType = "jpeg" Then
        Else
            result = "Wrong image format"
            Return result
            Exit Function
        End If
        filesplit = Split(upFile.FileName, "\")
        Dim filename As String = filesplit(filesplit.Length - 1)
        upFile.SaveAs(Server.MapPath("uploadlocation" & uploadPath) & "\" & filename)
        Dim imgpath As String = "upload/location/" & uploadPath & "/" & filename
        result = imgpath
        Return result
    End If
End Function

[Original link]

Related discussion:

1#

thesums | 2013-12-25 14:05

Environment: IIS 7.5

2#

thesums | 2013-12-25 14:06

%00 truncation failed

3#

thesums | 2013-12-25 14:11

The uploadPath parameter is not controllable

4#

felixk3y (Just do it!) | 2013-12-25 15:05

Upload an arbitrary file, intercept the request and change Content-Type to: image/jpeg

5#

乌帽子 (China sure has a lot of scalpers, they are everywhere. Plenty on WooYun too) | 2013-12-25 15:05

Looks like it only checks ContentType

6#

thesums | 2013-12-25 15:49

Problem solved, thanks felixk3y and 乌帽子

7#

核攻击 (Rule the world, enslave all humanity! Destroy any organism that dares stand in the way!) | 2013-12-26 09:16

Dim strImgType As String = upFile.ContentType    ←★
' Only .jpg images are accepted
Dim filesplit() As String = Split(strImgType, "/")
strImgType = filesplit(filesplit.Length - 1)    ←★
If strImgType = "jpg" Or strImgType = "jpeg" Then    ←★
Else
    result = "Wrong image format"
    Return result
    Exit Function
End If
filesplit = Split(upFile.FileName, "\")    ←★
Dim filename As String = filesplit(filesplit.Length - 1)    ←★
upFile.SaveAs(Server.MapPath("uploadlocation" & uploadPath) & "\" & filename)    ←★
Dim imgpath As String = "upload/location/" & uploadPath & "/" & filename

8#

核攻击 (Rule the world, enslave all humanity! Destroy any organism that dares stand in the way!) | 2013-12-26 09:17

Only "upFile.ContentType" is validated; arbitrary upload, just change ContentType = "jpg" Or "jpeg"
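As an added illustration (not code from the thread or its author), the following Python models the check the thread is discussing next to a hardened version: the original trusts the client-supplied Content-Type header and the client-supplied filename, while the hardened check decides by file extension and JPEG magic bytes and never persists the client name. All names (Upload, weak_check, hardened_check) and the sample uploads are constructed for this example.

```python
import os
import re
import secrets
from typing import NamedTuple, Optional

MAX_BYTES = 500_000            # same size limit as fnUploadImg
ALLOWED_EXT = {".jpg", ".jpeg"}
JPEG_MAGIC = b"\xff\xd8\xff"   # SOI marker followed by the first segment marker


class Upload(NamedTuple):
    filename: str       # client-supplied, untrusted (old IE sent full local paths)
    content_type: str   # client-supplied header, untrusted
    data: bytes


def weak_check(up: Upload) -> bool:
    """Models the thread's fnUploadImg: size limit plus Content-Type subtype only."""
    if not 0 < len(up.data) <= MAX_BYTES:
        return False
    subtype = up.content_type.split("/")[-1]
    return subtype in ("jpg", "jpeg")


def hardened_check(up: Upload) -> Optional[str]:
    """Returns a server-chosen target filename, or None if the upload is rejected."""
    if not 0 < len(up.data) <= MAX_BYTES:
        return None
    # Keep only the last path component whatever separator the client used;
    # the original split on "\" alone.
    base = re.split(r"[\\/]", up.filename)[-1]
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXT:
        return None
    # Decide by content, not by the Content-Type header the client controls.
    if not up.data.startswith(JPEG_MAGIC):
        return None
    # Never reuse the client name: fixed extension, random stem.
    return f"{secrets.token_hex(16)}.jpg"


# Constructed samples, not real captures.
REAL_JPEG = Upload("C:\\photos\\cat.jpg", "image/jpeg", JPEG_MAGIC + b"\xe0" + b"\x00" * 64)
SPOOFED = Upload("page.aspx", "image/jpeg", b"not an image at all")
```

weak_check accepts SPOOFED because only the header is consulted; hardened_check rejects it on extension and again on content.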

Article source: lcx.cc, "Upload function, looking for a bypass: a quick analysis of an upload function"


Reposted at CN-SEC (keep this link when reposting): https://cn-sec.com/archives/316418.html