WooYun.org

位置：BLL.B_UpLoadFile
public class B_UpLoadFile
{
private string string_0 = string.Empty;
private M_Site m_Site_0 = new M_Site();
private B_Site b_Site_0 = new B_Site();
private B_Common b_Common_0 = new B_Common();
public B_UpLoadFile()
{
this.m_Site_0 = this.b_Site_0.GetModel();
}
public string GetUpLoadFile(HtmlInputFile FilePicName, string FilePicPath, int FileSize)
{
return this.method_0(FilePicName.PostedFile, FilePicPath, FileSize);
}
public string GetUpLoadFile(HttpPostedFile FilePicName, string FilePicPath, int FileSize)
{
return this.method_0(FilePicName, FilePicPath, FileSize);
}
private string method_0(HttpPostedFile httpPostedFile_0, string string_1, int int_0)
{
string text = DateTime.Now.ToString("yyyyMM") + "/" + DateTime.Now.ToString("dd");
string extension = Path.GetExtension(httpPostedFile_0.FileName);
string result;
if (string_1.ToLower().IndexOf("asp") == -1 && string_1.ToLower().IndexOf("php") == -1 && string_1.ToLower().IndexOf("aspx") == -1 && string_1.ToLower().IndexOf("jsp") == -1)
{
string text2 = string.Empty;
if (this.m_Site_0.UploadAutoName)
{
text2 = Function.GetFileName();
}
else
{
text2 = Path.GetFileNameWithoutExtension(httpPostedFile_0.FileName);
}
string text3 = HttpContext.Current.Server.MapPath(string.Concat(new string[]
{
Param.ApplicationRootPath,
"/",
this.m_Site_0.UploadFolder,
"/",
string_1,
"/",
text,
"/"
}));
if (text2 == "" || text2 == null)
{
HttpContext.Current.Response.Write("<script language=javascript>alert('请选择需要上传的文件');window.location.href='" + HttpContext.Current.Request.Url.AbsoluteUri + "';</script>");
HttpContext.Current.Response.End();
}
bool flag = false;
this.m_Site_0 = this.b_Site_0.GetModel();
StringBuilder stringBuilder = new StringBuilder();
stringBuilder.Append(string.Concat(new string[]
{
this.m_Site_0.UpLoadPic,
"|",
this.m_Site_0.UpLoadVideo,
"|",
this.m_Site_0.UpLoadAudio,
"|",
this.m_Site_0.UpLoadSoft,
"|",
this.m_Site_0.UpLoadOther
}));
string[] array = stringBuilder.ToString().Split(new char[]
{
'|'
});
for (int i = 0; i < array.Length; i++)
{
if (array[i].ToLower() == extension.ToLower())
{
flag = true;
IL_2E3:
if (!flag)
{
HttpContext.Current.Response.Write(string.Concat(new string[]
{
"<script>alert('上传文件格式只能够是：",
stringBuilder.ToString(),
"');window.location.href='",
HttpContext.Current.Request.Url.AbsoluteUri,
"';</script>"
}));
HttpContext.Current.Response.End();
}
string text4 = "," + Function.GetContentType(extension) + ",";
if (text4.ToLower().IndexOf("," + httpPostedFile_0.ContentType.ToLower() + ",") == -1)
{
HttpContext.Current.Response.Write("<script>alert('上传文件格式不正确');window.location.href='" + HttpContext.Current.Request.Url.AbsoluteUri + "';</script>");
HttpContext.Current.Response.End();
}
if (int_0 != 0 && httpPostedFile_0.ContentLength > int_0 * 1024)
{
HttpContext.Current.Response.Write("<script>alert('上传文件大小超出了限制');window.location.href='" + HttpContext.Current.Request.Url.AbsoluteUri + "';</script>");
HttpContext.Current.Response.End();
}
if (!Directory.Exists(text3))
{
Directory.CreateDirectory(text3);
}
string text5 = this.method_1(text3, text2.Replace(".", "_").Replace(";", "_"), extension, 0);
string filename = text3 + text5 + extension;
httpPostedFile_0.SaveAs(filename);
result = text + "/" + text5 + extension;
return result;
}
}
goto IL_2E3;
}
this.b_Common_0.CreateLog(string.Concat(new string[]
{
Function.GetIp(),
"----",
string_1,
"----",
DateTime.Now.ToString()
}), "uploadfile");
result = text + "/" + Function.GetFileName() + extension;
return result;
}
这里的
if (string_1.ToLower().IndexOf("asp") == -1 && string_1.ToLower().IndexOf("php") == -1 && string_1.ToLower().IndexOf("aspx") == -1 && string_1.ToLower().IndexOf("jsp") == -1)
这个string_1是传过来的filepath，这里判断也就是说如果文件夹的名称不存在asp,aspx,php,jsp就可以通过这里了
所以filepath=1.cer
利用方法：先注册一个账户，然后在我的账户->添加试卷->上传附件，上传一句话的图片格式同时抓包：
Content-Disposition: form-data; name="FilePicPath"
1.cer|0