標題:asp eWebEditor v 列目錄漏洞(其他版本未測試)
漏洞文件:asp/browse.asp
漏洞產生:
' InitParam: reads the file browser's request parameters (type, style, cusdir
' from Request.QueryString; dir from Request(...)), checks the style against
' aStyle, and derives sUploadDir, sContentPath, sAllowExt and sCurrDir.
' NOTE(review): this listing lost characters when the page was extracted
' (numeric literals, "." and "," separators, and parts of some string
' literals), so the array indexes and the exact substrings being filtered
' cannot be read from it. The author's Chinese annotations also lost their
' comment markers; they are left in place and glossed in English.
Sub InitParam()
sType = UCase(Trim(Request
QueryString("type")))
sStyleName = Trim(Request
QueryString("style"))
sCusDir = Trim(Request
QueryString("cusdir"))
Dim i
aStyleConfig
bValidStyle
' Look up the requested style: each aStyle entry is a "|||"-separated record
' and one of its fields is compared case-insensitively with sStyleName.
bValidStyle = False
For i =
To Ubound(aStyle)
aStyleConfig = Split(aStyle(i)
"|||")
If Lcase(sStyleName) = Lcase(aStyleConfig(
)) Then
bValidStyle = True
Exit For
End If
Next
' Unknown style: an alert is emitted through OutScript.
' NOTE(review): OutScript is not shown here; confirm that it ends the
' response, otherwise the code below runs with whatever aStyleConfig last held.
If bValidStyle = False Then
OutScript("alert(
Invalid Style
)")
End If
' Per-style settings taken from the matched record.
sBaseUrl = aStyleConfig(
)
nAllowBrowse = CLng(aStyleConfig(
))
nCusDirFlag = Clng(aStyleConfig(
))
' Browsing has to be enabled for this style.
If nAllowBrowse <>
Then
OutScript("alert(
Do not allow browse!
)")
End If
' cusdir: cleared unless the style enables it. When enabled, the value goes
' through one Replace and is then REJECTED (reset to "") if it starts with "/"
' or matches any of the other listed patterns, including "//"; otherwise a
' trailing "/" is ensured. Note the contrast with the handling of dir below.
If nCusDirFlag <>
Then
sCusDir = ""
Else
sCusDir = Replace(sCusDir
""
"/")
If Left(sCusDir
) = "/" Or Left(sCusDir
) = "
" Or Right(sCusDir
) = "
" Or InStr(sCusDir
"
/") >
Or InStr(sCusDir
"/
") >
Or InStr(sCusDir
"//") >
Then
sCusDir = ""
Else
If Right(sCusDir
) <> "/" Then
sCusDir = sCusDir & "/"
End If
End If
End If
' Upload directory from the style record, given a prefix when it does not
' already start with "/".
sUploadDir = aStyleConfig(
)
If Left(sUploadDir
) <> "/" Then
sUploadDir = "
/" & sUploadDir
End If
' The content path depends on the style's base-URL mode.
Select Case sBaseUrl
Case "
"
sContentPath = aStyleConfig(
)
Case "
"
sContentPath = RelativePath
RootPath(sUploadDir)
Case "
"
sContentPath = RootPath
DomainPath(RelativePath
RootPath(sUploadDir))
End Select
' Append the custom directory (validated above, or empty).
sUploadDir = sUploadDir & sCusDir
sContentPath = sContentPath & sCusDir
' Allowed extensions by browser type; FILE leaves the list empty.
Select Case sType
Case "FILE"
sAllowExt = ""
Case "MEDIA"
sAllowExt = "rm|mp
|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov"
Case "FLASH"
sAllowExt = "swf"
Case Else
sAllowExt = "bmp|jpg|jpeg|png|gif"
End Select
' The current directory defaults to the upload directory.
sCurrDir = sUploadDir
' dir is read with Request(...), which searches every request collection,
' not only the query string.
sDir = Trim(Request("dir"))
' Author's annotation (next six lines): "suppose dir = ..." for three example
' values; their leading characters are missing from this listing.
假設dir=
/
假設dir=
//
假設dir=
///
' dir is not rejected the way cusdir is. Three Replace calls rewrite it: the
' first substitutes "/" for another character, the second and third each
' delete a substring ending in "/" (presumably parent-directory and
' current-directory sequences; the literals are incomplete here).
sDir = Replace(sDir
""
"/")
' Author's annotation: "filtered".
過濾
sDir = Replace(sDir
"
/"
"")
' Author's annotation: "filtered; [an example value] is already filtered out here".
過濾
到這裡就被過濾了
sDir = Replace(sDir
"
/"
"")
' Author's annotation: "filtered; [an example value] is also filtered out here;
' [the last example] becomes [a sequence ending in /] at this point. A rather
' interesting bypass! It seems quite a few CMSes filter this way."
過濾
到這裡也被功率了
到這裡就成
/了
比較有趣的饒過!好象不少cms這樣過濾過
[/color]
' NOTE(review): deleting substrings in a fixed number of passes is not
' validation. The characters on either side of a deleted substring can join
' into the same sequence again, and nothing re-checks the result. Reject the
' request when dir contains such a sequence (as the cusdir branch does), then
' map the final path and confirm it still begins with the mapped upload
' directory before listing it.
' A non-empty dir is accepted when CheckValidDir approves the mapped path.
' NOTE(review): CheckValidDir is not shown; if it only tests that the folder
' exists, it does not confine the listing to sUploadDir.
If sDir <> "" Then
If CheckValidDir(Server
Mappath(sUploadDir & sDir)) = True Then
sCurrDir = sUploadDir & sDir & "/"
Else
sDir = ""
End If
End If
End Sub
From:http://tw.wingwit.com/Article/program/net/201311/14445.html