最新IIS6冒号上传0day漏洞利用

测试条件:
asp脚本

上传的文件不会改名
只允许上传.jpg后缀的文件

利用:

上传一个带木马的 jpg 图片,文件名为: cs.asp:.jpg 。注意: Windows 默认不允许文件名中含有冒号(:),所以需要抓包后在 multipart 请求体的 filename 字段里把文件名改掉!!
上传成功后,保存到磁盘时冒号后面的部分被 NTFS 当作备用数据流(ADS)的名字,磁盘上出现的文件就是 cs.asp(上传的数据写进了它名为 .jpg 的流,cs.asp 本身的主数据流通常是空的)。而服务端接收时按最后一个点取后缀,检测到的仍然是 .jpg,所以绕过了后缀检测。

补充:
IIS/ASP 拿到的文件名是完整的 cs.asp:.jpg,脚本本身并没有截断它;真正起作用的是 NTFS 把文件名中的冒号当作流分隔符,所以实际创建的是 cs.asp 以及它名为 .jpg 的备用数据流。这与 %00 截断不同: %00 是直接把后面的字符截掉,如果前面有后缀检测就过不了;而这里字符串完整保留,后缀检测看到的仍是 .jpg。另外要注意上传内容落在备用数据流里,cs.asp 的主数据流通常为空,利用前务必在目标上核实落地文件的实际内容。

测试asp源码

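<!-- Minimal upload form for the test harness below; the file is posted as multipart field "FormNameItem" to 1.asp?s=ys -->
<form action="1.asp?s=ys" method="post" enctype="multipart/form-data" name="form1">
file:<input name="FormNameItem" type="file" />
<button type="submit">提交</button>

</form>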
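<%
' Test harness for the write-up above: when the form posts to 1.asp?s=ys,
' parse the multipart body and store the uploaded file under the test
' conditions stated above (no rename, only a ".jpg" suffix accepted).
If Len(Request("s")) > 0 Then
    Set oFileObj = New UpFileClass
    oFileObj.GetData

    For Each FormNameItem In oFileObj.File
        ' Both values come straight from the client's Content-Disposition header.
        FileName    = oFileObj.File(FormNameItem).FileName
        FileExtName = oFileObj.File(FormNameItem).FileExt

        ' Suffix check: FileExt is whatever follows the LAST dot of the
        ' client-supplied name, so "cs.asp:.jpg" yields "jpg" and passes.
        If LCase(FileExtName) = "jpg" Then
            ' Stored under the original name. On NTFS the colon in "cs.asp:.jpg"
            ' addresses an alternate data stream: the bytes land in stream ".jpg"
            ' of "cs.asp", and "cs.asp" is created with a (typically empty) main
            ' stream -- verify the file on disk rather than trusting the "OK".
            SavePath = Server.MapPath(".") & "\" & FileName
            oFileObj.File(FormNameItem).SaveToFile SavePath
            Response.Write Server.HTMLEncode(SavePath) & " OK!"
        Else
            Response.Write "rejected: only .jpg is allowed"
        End If
    Next
End If

' Raw request body as a binary ADODB.Stream; filled by UpFileClass.GetData
' and read back by FileObj_Class.SaveToFile / FileData.
Dim UpFileStream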
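Class UpFileClass
    ' multipart/form-data parser. GetData reads the whole request body into the
    ' module-level UpFileStream and splits it into Form (plain fields, name -> value)
    ' and File (file fields, name -> FileObj_Class).
    ' NOTE: the member named Err shadows VBScript's intrinsic Err object inside this class.
    Dim Form, File, Err

    Private Sub Class_Initialize
        Err = -1
    End Sub

    Private Sub Class_Terminate
        ' Release the dictionaries and the request stream.
        ' Only runs while Err is still -1; if GetData exited early (Err = 1) the
        ' dictionaries were never created. NOTE: if GetData was never called at all,
        ' Form/File are still Empty and RemoveAll would fail here.
        If Err < 0 Then
            Form.RemoveAll
            Set Form = Nothing
            File.RemoveAll
            Set File = Nothing
            UpFileStream.Close
            Set UpFileStream = Nothing
        End If
    End Sub

    ' -1 = parsed (or not yet called), 1 = request carried no body.
    Public Property Get ErrNum()
        ErrNum = Err
    End Property

    Public Sub GetData()
        Dim RequestBinData, sSpace, bCrLf, sObj, iObjEnd, tStream, iStart, oFileObj
        Dim sFormValue, sFileName
        Dim iFindStart, iFindEnd
        Dim iFormStart, iFormEnd, sFormName

        If Request.TotalBytes < 1 Then  ' nothing was posted
            Err = 1
            Exit Sub
        End If
        Set Form = CreateObject("Scripting.Dictionary")
        Form.CompareMode = 1
        Set File = CreateObject("Scripting.Dictionary")
        File.CompareMode = 1
        Set tStream = CreateObject("ADODB.Stream")
        Set UpFileStream = CreateObject("ADODB.Stream")
        UpFileStream.Type = 1
        UpFileStream.Mode = 3
        UpFileStream.Open

        ' Pull the request body into UpFileStream in 100 KB chunks.
        Dim ReadedBytes, ChunkBytes
        ReadedBytes = 0
        ChunkBytes = 1024 * 100
        Do While ReadedBytes < Request.TotalBytes
            UpFileStream.Write Request.BinaryRead(ChunkBytes)
            ReadedBytes = ReadedBytes + ChunkBytes
            If ReadedBytes > Request.TotalBytes Then ReadedBytes = Request.TotalBytes
        Loop

        UpFileStream.Position = 0
        RequestBinData = UpFileStream.Read
        iFormEnd = UpFileStream.Size
        bCrLf = ChrB(13) & ChrB(10)

        ' The part separator (boundary) is everything before the first CRLF.
        sSpace = MidB(RequestBinData, 1, InStrB(1, RequestBinData, bCrLf) - 1)
        iStart = LenB(sSpace)
        iFormStart = iStart + 2

        ' Walk the parts one by one.
        Do
            ' Headers of this part end at the first blank line.
            iObjEnd = InStrB(iFormStart, RequestBinData, bCrLf & bCrLf) + 3
            tStream.Type = 1
            tStream.Mode = 3
            tStream.Open
            UpFileStream.Position = iFormStart
            UpFileStream.CopyTo tStream, iObjEnd - iFormStart
            tStream.Position = 0
            tStream.Type = 2
            tStream.CharSet = "gb2312"
            sObj = tStream.ReadText

            ' Start of the next boundary = end of this part's data.
            iFormStart = InStrB(iObjEnd, RequestBinData, sSpace) - 1

            ' Field name from the Content-Disposition header.
            iFindStart = InStr(22, sObj, "name=""", 1) + 6
            iFindEnd = InStr(iFindStart, sObj, """", 1)
            sFormName = Mid(sObj, iFindStart, iFindEnd - iFindStart)

            If InStr(45, sObj, "filename=""", 1) > 0 Then
                ' File part. Everything below is taken verbatim from the client's
                ' headers and must be treated as untrusted by the caller.
                Set oFileObj = New FileObj_Class
                iFindStart = InStr(iFindEnd, sObj, "filename=""", 1) + 10
                iFindEnd = InStr(iFindStart, sObj, """", 1)
                sFileName = Mid(sObj, iFindStart, iFindEnd - iFindStart)
                ' Name = text after the last backslash; path = text up to it.
                oFileObj.FileName = Mid(sFileName, InStrRev(sFileName, "\") + 1)
                oFileObj.FilePath = Left(sFileName, InStrRev(sFileName, "\"))
                ' Extension = text after the LAST dot, so "cs.asp:.jpg" gives "jpg".
                oFileObj.FileExt = Mid(sFileName, InStrRev(sFileName, ".") + 1)
                iFindStart = InStr(iFindEnd, sObj, "Content-Type: ", 1) + 14
                iFindEnd = InStr(iFindStart, sObj, vbCr)
                oFileObj.FileType = Mid(sObj, iFindStart, iFindEnd - iFindStart)
                ' Data is not copied; only its offset and length in UpFileStream are kept.
                oFileObj.FileStart = iObjEnd
                oFileObj.FileSize = iFormStart - iObjEnd - 2
                oFileObj.FormName = sFormName
                File.Add sFormName, oFileObj
            Else
                ' Plain form field: decode the value as text.
                tStream.Close
                tStream.Type = 1
                tStream.Mode = 3
                tStream.Open
                UpFileStream.Position = iObjEnd
                UpFileStream.CopyTo tStream, iFormStart - iObjEnd - 2
                tStream.Position = 0
                tStream.Type = 2
                tStream.CharSet = "gb2312"
                sFormValue = tStream.ReadText
                ' Repeated field names are joined with ", ".
                If Form.Exists(sFormName) Then
                    Form(sFormName) = Form(sFormName) & ", " & sFormValue
                Else
                    Form.Add sFormName, sFormValue
                End If
            End If
            tStream.Close
            iFormStart = iFormStart + iStart + 2
        Loop Until (iFormStart + 2) >= iFormEnd  ' stop at the closing boundary

        RequestBinData = ""
        Set tStream = Nothing
    End Sub
End Class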

' ---------------------------------------------------------------
' File attribute class (one instance per uploaded file part)
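Class FileObj_Class
    ' One uploaded file part. FileName/FilePath/FileExt/FileType are taken verbatim
    ' from the client's part headers (untrusted); FileStart/FileSize locate the
    ' data inside the module-level UpFileStream.
    Dim FormName, FileName, FilePath, FileSize, FileType, FileStart, FileExt

    ' Write this part's bytes to Path (overwriting an existing file).
    ' Path is used as given: no normalisation and no extension check happen here,
    ' so the caller must validate it. On NTFS a colon in Path (e.g. "cs.asp:.jpg")
    ' addresses an alternate data stream: the bytes go into stream ".jpg" of
    ' "cs.asp", and "cs.asp" itself is created with a (typically empty) main stream.
    Public Function SaveToFile(Path)
        Dim oFileStream
        Set oFileStream = CreateObject("ADODB.Stream")
        oFileStream.Type = 1
        oFileStream.Mode = 3
        oFileStream.Open
        UpFileStream.Position = FileStart
        UpFileStream.CopyTo oFileStream, FileSize
        oFileStream.SaveToFile Path, 2
        oFileStream.Close
        Set oFileStream = Nothing
    End Function

    ' Return this part's raw bytes (reads FileSize bytes from FileStart).
    Public Function FileData
        UpFileStream.Position = FileStart
        FileData = UpFileStream.Read(FileSize)
    End Function
End Class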
