eWebEditor v3.8 列目录漏洞【asp版本】

  • 2013-05-27

标题:asp eWebEditor v3.8 列目录漏洞(其他版本未测试)
漏洞文件:asp/browse.asp
漏洞产生:

' InitParam: reads the request parameters of browse.asp, looks up the requested
' style configuration and derives the upload directory (sUploadDir), the content
' path (sContentPath), the allowed extension list (sAllowExt) and the directory
' that will be listed (sCurrDir). Only i, aStyleConfig and bValidStyle are local;
' the other variables are assigned without a Dim here and are presumably
' script-level - confirm against the full file.
' Security summary: the caller-controlled "dir" value is sanitized by deleting
' substrings, one pass per pattern. Deleting characters can join the characters
' on either side into the very pattern being removed, so a parent-directory
' reference can survive filters 1-3 below and reach sCurrDir.
Sub InitParam()
        ' type, style and cusdir are read from the query string only.
        sType = UCase(Trim(Request.QueryString("type")))
        sStyleName = Trim(Request.QueryString("style"))
        sCusDir = Trim(Request.QueryString("cusdir"))
        Dim i, aStyleConfig, bValidStyle
        bValidStyle = False
        ' Case-insensitive lookup of the style by name; aStyle is defined outside this Sub.
        For i = 1 To Ubound(aStyle)
                aStyleConfig = Split(aStyle(i), "|||")
                If Lcase(sStyleName) = Lcase(aStyleConfig(0)) Then
                        bValidStyle = True
                        Exit For
                End If
        Next
        ' NOTE(review): OutScript is not shown on this page. If it does not end the
        ' response, execution continues with aStyleConfig holding the last entry
        ' that the loop split - confirm that it terminates.
        If bValidStyle = False Then
                OutScript("alert('Invalid Style.')")
        End If
        ' Fields 19, 43 and 61 of the style record; judging by the variable names they
        ' are the base-URL mode, the allow-browse flag and the custom-directory flag.
        sBaseUrl = aStyleConfig(19)
        nAllowBrowse = CLng(aStyleConfig(43))
        nCusDirFlag = Clng(aStyleConfig(61))
        ' Same caveat as above: this only blocks browsing if OutScript stops the page.
        If nAllowBrowse <> 1 Then
                OutScript("alert('Do not allow browse!')")
        End If
        If nCusDirFlag <> 1 Then
                sCusDir = ""
        Else
                ' NOTE(review): as printed the search string is empty, which makes this
                ' Replace a no-op. The product source presumably searched for a backslash
                ' that was lost when the page was rendered - confirm against browse.asp.
                sCusDir = Replace(sCusDir, "", "/")
                ' cusdir is validated by rejection: any leading "/" or ".", trailing ".",
                ' or "./", "/.", "//" anywhere discards the whole value. This is the
                ' stricter of the two approaches used in this Sub (compare "dir" below).
                If Left(sCusDir, 1) = "/" Or Left(sCusDir, 1) = "." Or Right(sCusDir, 1) = "." Or InStr(sCusDir, "./") > 0 Or InStr(sCusDir, "/.") > 0 Or InStr(sCusDir, "//") > 0 Then
                        sCusDir = ""
                Else
                        ' Normalize to a trailing slash so it can be appended to the paths below.
                        If Right(sCusDir, 1) <> "/" Then
                                sCusDir = sCusDir & "/"
                        End If
                End If
        End If
        ' Upload directory comes from field 3 of the style record; a value that does
        ' not start with "/" is made relative to the parent of the current directory.
        sUploadDir = aStyleConfig(3)
        If Left(sUploadDir, 1) <> "/" Then
                sUploadDir = "../" & sUploadDir
        End If
        ' Content path depends on the base-URL mode; the two path helpers are defined
        ' elsewhere. No Case Else: other values leave sContentPath as it was.
        Select Case sBaseUrl
        Case "0"
                sContentPath = aStyleConfig(23)
        Case "1"
                sContentPath = RelativePath2RootPath(sUploadDir)
        Case "2"
                sContentPath = RootPath2DomainPath(RelativePath2RootPath(sUploadDir))
        End Select
    sUploadDir = sUploadDir & sCusDir
        sContentPath = sContentPath & sCusDir
        ' Extension list per browse type; how an empty list (FILE) is interpreted is
        ' decided by code outside this Sub.
        Select Case sType
        Case "FILE"
                sAllowExt = ""
        Case "MEDIA"
                sAllowExt = "rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov"
        Case "FLASH"
                sAllowExt = "swf"
        Case Else
                sAllowExt = "bmp|jpg|jpeg|png|gif"
        End Select
        sCurrDir = sUploadDir
        ' Unlike the three parameters above, "dir" is read through the generic Request
        ' collection, so it is not limited to the query string (form fields and
        ' cookies are searched too). Logging that records only the URL may not show it.
        sDir = Trim(Request("dir"))
' Author's walk-through of three sample inputs:
' 1. Suppose dir = ../
' 2. Suppose dir = ...//
' 3. Suppose dir = .....///
        ' NOTE(review): filter 1 has the same empty search string as the cusdir
        ' Replace above; presumably a backslash in the product source - confirm.
        sDir = Replace(sDir, "", "/")  'filter 1
        sDir = Replace(sDir, "../", "") 'filter 2
' Case 1 is removed here.
        sDir = Replace(sDir, "./", "") 'filter 3
' Case 2 is removed here as well.
' Case 3 has become ../ at this point. An interesting bypass; quite a few CMSs
' seem to filter this way.
        ' Root cause: each Replace runs once, and filter 3 can rebuild what filter 2
        ' removed. Remediation for maintainers: reject the request when "dir" contains
        ' any dot-segment (as the cusdir branch does) instead of deleting substrings,
        ' and after Server.MapPath verify that the resolved path is still inside the
        ' mapped upload root before listing it.
        ' NOTE(review): CheckValidDir is not shown; per this write-up it does not
        ' prevent listing a directory outside the upload root - confirm what it checks.
        If sDir <> "" Then
                If CheckValidDir(Server.Mappath(sUploadDir & sDir)) = True Then
                        sCurrDir = sUploadDir & sDir & "/"
                Else
                        sDir = ""
                End If
        End If
End Sub

漏洞发现者:鬼哥
