科讯KESION CMS最新版任意文件上传WEBSHELL

### 简要描述： 最新版本上传漏洞哦^_^ ### 详细说明： 会员上传文件漏洞，可以上传任意后缀 user/swfupload.asp文件漏洞 If UpFileObj.Form("NoReName")="1" Then '不更名 Dim PhysicalPath,FsoObj:Set FsoObj = KS.InitialObject(KS.Setting(99)) PhysicalPath = Server.MapPath(replace(TempFileStr,"|","")) TempFileStr= mid(TempFileStr,1, InStrRev(TempFileStr, "/")) & FileTitles If FsoObj.FileExists(PhysicalPath)=true Then FsoObj.MoveFile PhysicalPath,server.MapPath(TempFileStr) End If End If 会员注册登录后，手工构造一NoReName参数即可上传自定义文件名 绕过危险代码可以用<!--#include file=""-->类型来包含图片即可，可以用远程下载或者修改/user/User_Blog.asp?action=BlogEdit里的LOGO文件来上传代码文件（不检查危险代码的哦） ### 漏洞证明： [<img src="https://images.seebug.org/upload/201404/2116535685b35bdfc64ff7aca8bf5604769ba5f8.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201404/2116535685b35bdfc64ff7aca8bf5604769ba5f8.jpg) [<img src="https://images.seebug.org/upload/201404/21165426695bbb198d60f1ddf10e12fe86e93729.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201404/21165426695bbb198d60f1ddf10e12fe86e93729.jpg) [<img src="https://images.seebug.org/upload/201404/21165440879b1507cba1b5a3496fe0b802e8fbd0.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201404/21165440879b1507cba1b5a3496fe0b802e8fbd0.jpg) [<img src="https://images.seebug.org/upload/201404/21165622b63f5bda0ff7383b0c03ce7a20e03bd2.jpg" alt="4.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201404/21165622b63f5bda0ff7383b0c03ce7a20e03bd2.jpg) [<img src="https://images.seebug.org/upload/201404/211656103aacee51fa03ed9a5c7f3fc82869b794.jpg" alt="5.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201404/211656103aacee51fa03ed9a5c7f3fc82869b794.jpg) [<img src="https://images.seebug.org/upload/201404/21165603cf255f15e6dca4dbdffff4b1f6e7378b.jpg" alt="6.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201404/21165603cf255f15e6dca4dbdffff4b1f6e7378b.jpg) [<img src="https://images.seebug.org/upload/201404/21165546ee0ae8b859fd16798b2d1e30cbc395a7.jpg" alt="7.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201404/21165546ee0ae8b859fd16798b2d1e30cbc395a7.jpg) [<img src="https://images.seebug.org/upload/201404/2116554014da7b2331ea58279617b78da899e1b2.jpg" alt="8.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201404/2116554014da7b2331ea58279617b78da899e1b2.jpg) [<img src="https://images.seebug.org/upload/201404/211655314c95ad3aa1764202f7b46df8a5547040.jpg" alt="9.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201404/211655314c95ad3aa1764202f7b46df8a5547040.jpg)