熱點推薦:
您现在的位置: 電腦知識網 >> 編程 >> .NET編程 >> 正文

eWebEditor v3.8 列目錄

2013-11-13 10:45:20  來源: .NET編程 

  標題asp eWebEditor v 列目錄漏洞(其他版本為測試)

  漏洞文件asp/browseasp

  漏洞產生

  Sub InitParam()

        sType = UCase(Trim(RequestQueryString("type")))         sStyleName = Trim(RequestQueryString("style"))         sCusDir = Trim(RequestQueryString("cusdir"))         Dim i aStyleConfig bValidStyle         bValidStyle = False         For i = To Ubound(aStyle)                 aStyleConfig = Split(aStyle(i) "|||")                 If Lcase(sStyleName) = Lcase(aStyleConfig()) Then                         bValidStyle = True                         Exit For                 End If         Next         If bValidStyle = False Then                 OutScript("alert(Invalid Style)")         End If         sBaseUrl = aStyleConfig()         nAllowBrowse = CLng(aStyleConfig())         nCusDirFlag = Clng(aStyleConfig())         If nAllowBrowse <> Then                 OutScript("alert(Do not allow browse!)")         End If         If nCusDirFlag <> Then                 sCusDir = ""         Else                 sCusDir = Replace(sCusDir "" "/")                 If Left(sCusDir ) = "/" Or Left(sCusDir ) = "" Or Right(sCusDir ) = "" Or InStr(sCusDir "/") > Or InStr(sCusDir "/") > Or InStr(sCusDir "//") > Then                         sCusDir = ""                 Else                         If Right(sCusDir ) <> "/" Then                                 sCusDir = sCusDir & "/"                         End If                 End If         End If         sUploadDir = aStyleConfig()         If Left(sUploadDir ) <> "/" Then                 sUploadDir = "/" & sUploadDir         End If         Select Case sBaseUrl         Case ""                 sContentPath = aStyleConfig()         Case ""                 sContentPath = RelativePathRootPath(sUploadDir)         Case ""                 sContentPath = RootPathDomainPath(RelativePathRootPath(sUploadDir))         End Select     sUploadDir = sUploadDir & sCusDir         sContentPath = sContentPath & sCusDir         Select Case sType         Case "FILE"                 sAllowExt = ""         Case "MEDIA"                 sAllowExt = "rm|mp|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov"         Case "FLASH"                 sAllowExt = "swf"         Case Else                 sAllowExt = "bmp|jpg|jpeg|png|gif"         End Select         sCurrDir = sUploadDir         sDir = Trim(Request("dir")) 假設dir= / 假設dir=// 假設dir=///         sDir = Replace(sDir "" "/")  過濾         sDir = Replace(sDir "/" "") 過濾 到這裡就被過濾了         sDir = Replace(sDir "/" "") 過濾 到這裡也被功率了 到這裡就成/了比較有趣的饒過!好象不少cms這樣過濾過[/color]         If sDir <> "" Then                 If CheckValidDir(ServerMappath(sUploadDir & sDir)) = True Then                         sCurrDir = sUploadDir & sDir & "/"                 Else                         sDir = ""                 End If         End If End Sub
From:http://tw.wingwit.com/Article/program/net/201311/14445.html
    推薦文章
    Copyright © 2005-2013 電腦知識網 Computer Knowledge   All rights reserved.