asp.net(C#)检测真实文件类型
文章录入:王子 责任编辑:dingkai1983 106 【字体:小 大】 网站曾经被上传一个 .asa 文件:攻击者把后缀名改成 .rar,逃过了我当时简单的后缀名判断,结果网站被挂马。幸亏麻烦不大,现在已经加上真实文件类型(文件头)判断,比以前安全多了。需要说明的是,只比较文件开头两个字节并不能单独保证安全:攻击者可以构造以合法 GIF/JPG/PNG 文件头开头、后面夹带脚本内容的文件。因此仍应同时保留扩展名白名单、由服务器端生成保存文件名,并把上传目录配置为禁止执行脚本。 大气象
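<%@ Page Language="C#" AutoEventWireup="true" CodeFile="TrueFile.aspx.cs" Inherits="test_TrueFile" %>
<%-- Demo form for the upload signature check in TrueFile.aspx.cs.
     The two W3C URLs below appeared as "http://www./..." in the copied page (the host
     was scrubbed); they are restored to the standard www.w3.org locations.
     NOTE(review): the form has no explicit enctype. ASP.NET is expected to render
     enctype="multipart/form-data" automatically when a <form runat="server"> contains
     an <asp:FileUpload>; verify this in the rendered HTML, because without it
     uploadFile.PostedFile will be empty. --%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>无标题页</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:FileUpload ID="uploadFile" runat="server" />
        <asp:Button ID="btnOk" runat="server" Text="判断" OnClick="btnOk_Click" />
    </div>
    </form>
</body>
</html>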
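using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.IO;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;

// Adapted from a 红色黑客联盟 article; the copied page gives the original URL as
// http://www./kf/201008/55124.html (the host name was scrubbed in the copy).

/// <summary>
/// Demo code-behind for TrueFile.aspx: decides whether an uploaded file is an
/// acceptable image by looking at its real leading bytes instead of trusting
/// the file name alone.
///
/// Changes from the original version, and why:
///  * The original opened <c>hifile.FileName</c> with a FileStream. That value is
///    the client-supplied name/path of the upload, so the code never inspected
///    the uploaded bytes at all; it tried to open a client-chosen path on the
///    server's disk and echoed the first two bytes of whatever it found. The
///    check now reads <see cref="HttpPostedFile.InputStream"/>.
///  * Signatures were compared as concatenated decimal strings ("7173"), which
///    is ambiguous: bytes 7,173 and 71,73 both produce "7173". Bytes are now
///    compared directly.
///  * Streams are closed on every path (the early return inside the catch
///    leaked them).
///  * An extension whitelist is applied as well. Two leading bytes only prove
///    the file starts like an image; a file can carry a valid GIF/JPEG/PNG
///    header and still contain script further on. Content sniffing complements
///    an extension whitelist, a server-generated file name when saving, and an
///    upload directory with script execution disabled; it does not replace them.
/// </summary>
public partial class test_TrueFile : System.Web.UI.Page
{
    /// <summary>
    /// Leading bytes of the accepted image formats, compared as raw bytes.
    /// The original article's reference table, in its own notation (the decimal
    /// values of the first two bytes run together), for anyone extending this:
    ///   4946/104116 txt, 7173 gif, 255216 jpg, 13780 png, 6677 bmp,
    ///   239187 txt/aspx/asp/sql, 208207 xls/doc/ppt, 6063 xml, 6033 htm/html,
    ///   4742 js, 8075 xlsx/zip/pptx/mmap, 8297 rar, 01 accdb/mdb, 7790 exe/dll,
    ///   5666 psd, 255254 rdp, 10056 torrent, 64101 bat, 4059 sgf.
    /// The article also listed an image-only set 255216, 7173, 6677, 13780,
    /// 8297, 5549, 870, 87111, 8075 (commented out there too).
    /// </summary>
    private static readonly byte[][] AllowedSignatures = new byte[][]
    {
        new byte[] { 0x47, 0x49 }, // "GI" of "GIF8..."   (decimal 71 73)
        new byte[] { 0xFF, 0xD8 }, // JPEG SOI marker      (decimal 255 216)
        new byte[] { 0x89, 0x50 }, // PNG: 0x89 then 'P'   (decimal 137 80)
    };

    /// <summary>File-name extensions accepted alongside <see cref="AllowedSignatures"/>.</summary>
    private static readonly string[] AllowedExtensions = new string[] { ".gif", ".jpg", ".jpeg", ".png" };

    protected void Page_Load(object sender, EventArgs e)
    {
    }

    /// <summary>
    /// Checks the real type of an uploaded file: the upload must carry a
    /// whitelisted image extension and its first two bytes must match one of
    /// <see cref="AllowedSignatures"/>.
    /// </summary>
    /// <param name="hifile">The posted file. null and empty uploads are rejected.</param>
    /// <returns>
    /// true when both checks pass; false otherwise, including when the upload is
    /// shorter than two bytes or cannot be read.
    /// </returns>
    private bool IsAllowedExtension(HttpPostedFile hifile)
    {
        if (hifile == null || hifile.ContentLength <= 0)
        {
            return false;
        }

        // Name check first; the content check below complements it.
        if (!HasAllowedExtension(hifile.FileName))
        {
            return false;
        }

        byte[] header = new byte[2];
        int read;
        Stream input = hifile.InputStream;
        long startPosition = input.CanSeek ? input.Position : 0L;
        try
        {
            read = ReadFully(input, header);
        }
        catch (IOException)
        {
            return false;
        }
        finally
        {
            // Put the stream back where it was so a later SaveAs/copy by the
            // caller still sees the whole upload, not the bytes after the header.
            if (input.CanSeek)
            {
                input.Position = startPosition;
            }
        }

        if (read < header.Length)
        {
            return false; // fewer than two bytes: cannot be any accepted format
        }

        // Debug aid kept from the original: shows the decimal value of the first
        // two bytes so unknown formats can be added to the table above. Digits
        // and a space only, so it is safe to echo; drop it in production.
        Response.Write(header[0].ToString() + " " + header[1].ToString());

        return MatchesAllowedSignature(header);
    }

    /// <summary>
    /// True when <paramref name="fileName"/> ends with one of
    /// <see cref="AllowedExtensions"/> (case-insensitive). The name may be a full
    /// client-side path from older browsers; Path.GetExtension copes with that.
    /// </summary>
    private static bool HasAllowedExtension(string fileName)
    {
        string extension;
        try
        {
            extension = Path.GetExtension(fileName);
        }
        catch (ArgumentException)
        {
            return false; // invalid path characters in the client-supplied name
        }

        if (string.IsNullOrEmpty(extension))
        {
            return false;
        }

        foreach (string allowed in AllowedExtensions)
        {
            if (string.Equals(extension, allowed, StringComparison.OrdinalIgnoreCase))
            {
                return true;
            }
        }
        return false;
    }

    /// <summary>True when <paramref name="header"/> begins with one of <see cref="AllowedSignatures"/>.</summary>
    private static bool MatchesAllowedSignature(byte[] header)
    {
        foreach (byte[] signature in AllowedSignatures)
        {
            bool match = header.Length >= signature.Length;
            for (int i = 0; match && i < signature.Length; i++)
            {
                match = header[i] == signature[i];
            }
            if (match)
            {
                return true;
            }
        }
        return false;
    }

    /// <summary>
    /// Reads until <paramref name="buffer"/> is full or the stream ends.
    /// Stream.Read may return fewer bytes than requested, so a single call is not enough.
    /// </summary>
    /// <returns>The number of bytes actually read.</returns>
    private static int ReadFully(Stream input, byte[] buffer)
    {
        int total = 0;
        while (total < buffer.Length)
        {
            int n = input.Read(buffer, total, buffer.Length - total);
            if (n <= 0)
            {
                break;
            }
            total += n;
        }
        return total;
    }

    protected void btnOk_Click(object sender, EventArgs e)
    {
        if (IsAllowedExtension(uploadFile.PostedFile))
        {
            Response.Write("ok");
        }
    }
}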