无组件上传漏洞的修补方法
sub upload_0()set upload=new UpFile_Class ”建立上传对象
upload.GetDate (int(Forum_Setting(56))*1024) ‘取得上传数据,不限大小
iCount=0
if upload.err > 0 then
select case upload.err
case 1
Response.Write “请先选择你要上传的文件 [ <a href=# onclick=history.go(-1)>重新上传</a> ]”
case 2
Response.Write “图片大小超过了限制 “&Forum_Setting(56)&”K [ <a href=# onclick=history.go(-1)>重新上传</a> ]”
end select
exit sub
else
formPath=upload.form(“filepath”)
”在目录后加(/)
if right(formPath,1)<>”/” then formPath=formPath&”/”
for each formName in upload.file ”列出所有上传了的文件
set file=upload.file(formName) ”生成一个文件对象
if file.filesize<100 then
response.write “请先选择你要上传的图片 [ <a href=# onclick=history.go(-1)>重新上传</a> ]”
response.end
end if
fileExt=lcase(file.FileExt)
if CheckFileExt(fileEXT)=false then
response.write “文件格式不正确 [ <a href=# onclick=history.go(-1)>重新上传</a> ]”
response.end
end if
randomize
ranNum=int(90000*rnd)+10000
filename=formPath&year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&ranNum&”.”&fileExt
‘测试文件字符是否非法
Dim R_Char,R_i
for R_i=1 to Len(filename)
R_Char=ASC(MID(filename,R_i,1))
if R_Char=0 then
response.write “做点有意义的事情好不好,黑客是研究技术的,不是破坏的”
response.end
end if
Next
if file.FileSize>0 then ”如果 FileSize > 0 说明有文件数据
file.SaveToFile Server.mappath(filename) ”保存文件
‘ response.write file.FilePath&file.FileName&” (“&file.FileSize&”) => “&formPath&File.FileName&” 成功!<br>”
response.write “<script>parent.document.forms[0].myface.value=’”&FileName&”‘</script>”
iCount=iCount+1
end if
set file=nothing
next
set upload=nothing
session(“upface”)=”done”
Htmend iCount&” 个文件上传结束!”
end ifend sub
- 最新评论