网站曾经被上传一个.asa文件,修改后缀名为.rar然后逃过了我的简单后缀名判断。
结果网站被挂马,幸亏麻烦不大,现在已经加上真实文件类型判断了,安全多了。
大气象
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="TrueFile.aspx.cs" Inherits="test_TrueFile" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>无标题页</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:FileUpload ID="uploadFile" runat="server" />
<asp:Button ID="btnOk" runat="server" Text="判断" OnClick="btnOk_Click" />
</div>
</form>
</body>
</html>
<head runat="server">
<title>无标题页</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:FileUpload ID="uploadFile" runat="server" />
<asp:Button ID="btnOk" runat="server" Text="判断" OnClick="btnOk_Click" />
</div>
</form>
</body>
</html>
大气象
using System;
using System.Data;
using System.Configuration;
using System.Collections;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls; public partial class test_TrueFile : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
/// C#检测真实文件类型函数
/// </summary>
/// <param name="hifile"></param>
/// <returns></returns>
private bool IsAllowedExtension(HttpPostedFile hifile)
{
bool ret = false;
System.IO.BinaryReader r = new System.IO.BinaryReader(fs);
string fileclass = "";
byte buffer;
try
{
buffer = r.ReadByte();
fileclass = buffer.ToString();
buffer = r.ReadByte();
fileclass += buffer.ToString();
}
catch
{
return false;
}
r.Close();
fs.Close();
/*文件扩展名说明
*4946/104116 txt
*7173 gif
*255216 jpg
*13780 png
*6677 bmp
*239187 txt,aspx,asp,sql
*208207 xls.doc.ppt
*6063 xml
*6033 htm,html
*4742 js
*8075 xlsx,zip,pptx,mmap,zip
*8297 rar
*01 accdb,mdb
*7790 exe,dll
*5666 psd
*255254 rdp
*10056 bt种子
*64101 bat
*4059 sgf
*/
String[] fileType = {
"7173", //gif
"255216", //jpg
"13780" //png
};
{
if (fileclass == fileType[i])
{
ret = true;
break;
}
}
Response.Write(fileclass);//可以在这里输出你不知道的文件类型的扩展名
return ret;
}
protected void btnOk_Click(object sender, EventArgs e)
{
if (IsAllowedExtension(uploadFile.PostedFile))
{
Response.Write("ok");
}
}
}
using System.Data;
using System.Configuration;
using System.Collections;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls; public partial class test_TrueFile : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
/// C#检测真实文件类型函数
/// </summary>
/// <param name="hifile"></param>
/// <returns></returns>
private bool IsAllowedExtension(HttpPostedFile hifile)
{
bool ret = false;
System.IO.FileStream fs
= new System.IO.FileStream(hifile.FileName, System.IO.FileMode.Open, System.IO.FileAccess.Read);System.IO.BinaryReader r = new System.IO.BinaryReader(fs);
string fileclass = "";
byte buffer;
try
{
buffer = r.ReadByte();
fileclass = buffer.ToString();
buffer = r.ReadByte();
fileclass += buffer.ToString();
}
catch
{
return false;
}
r.Close();
fs.Close();
/*文件扩展名说明
*4946/104116 txt
*7173 gif
*255216 jpg
*13780 png
*6677 bmp
*239187 txt,aspx,asp,sql
*208207 xls.doc.ppt
*6063 xml
*6033 htm,html
*4742 js
*8075 xlsx,zip,pptx,mmap,zip
*8297 rar
*01 accdb,mdb
*7790 exe,dll
*5666 psd
*255254 rdp
*10056 bt种子
*64101 bat
*4059 sgf
*/
//String[] fileType = { "255216", "7173", "6677", "13780", "8297", "5549", "870", "87111", "8075" };
//纯图片
String[] fileType = {
"7173", //gif
"255216", //jpg
"13780" //png
};
for (int i = 0; i < fileType.Length; i++)
{
if (fileclass == fileType[i])
{
ret = true;
break;
}
}
Response.Write(fileclass);//可以在这里输出你不知道的文件类型的扩展名
return ret;
}
protected void btnOk_Click(object sender, EventArgs e)
{
if (IsAllowedExtension(uploadFile.PostedFile))
{
Response.Write("ok");
}
}
}