标题:asp eWebEditor v 列目录漏洞(其他版本未测试)
漏洞文件:asp/browse.asp
漏洞产生
' InitParam: reads the "type", "style" and "cusdir" query-string values and the
' "dir" request value, looks the requested style up in aStyle, and derives
' sUploadDir, sContentPath, sAllowExt and sCurrDir from that style's settings.
' NOTE(review): this listing lost punctuation, digits and quote characters when
' it was extracted (array indexes, the "." in Request.QueryString, string
' contents), so it is not runnable as shown and the exact filter patterns
' cannot be read from it.
' NOTE(review): after the "Invalid Style" and "Do not allow browse!" alerts the
' Sub carries on with the remaining statements; whether OutScript ends the
' response is not visible here - confirm, otherwise these checks do not stop
' the request.
Sub InitParam()
sType = UCase(Trim(Request
QueryString("type")))sStyleName = Trim(Request
QueryString("style"))sCusDir = Trim(Request
QueryString("cusdir"))Dim i
aStyleConfig
bValidStylebValidStyle = FalseFor i =
To Ubound(aStyle)aStyleConfig = Split(aStyle(i)
"|||")If Lcase(sStyleName) = Lcase(aStyleConfig(
)) ThenbValidStyle = TrueExit ForEnd IfNextIf bValidStyle = False ThenOutScript("alert(
Invalid Style
)")End IfsBaseUrl = aStyleConfig(
)nAllowBrowse = CLng(aStyleConfig(
))nCusDirFlag = Clng(aStyleConfig(
))If nAllowBrowse <>
ThenOutScript("alert(
Do not allow browse!
)")End IfIf nCusDirFlag <>
ThensCusDir = ""ElsesCusDir = Replace(sCusDir
""
"/")If Left(sCusDir
) = "/" Or Left(sCusDir
) = "
" Or Right(sCusDir
) = "
" Or InStr(sCusDir
"
/") >
Or InStr(sCusDir
"/
") >
Or InStr(sCusDir
"//") >
ThensCusDir = ""ElseIf Right(sCusDir
) <> "/" ThensCusDir = sCusDir & "/"End IfEnd IfEnd IfsUploadDir = aStyleConfig(
)If Left(sUploadDir
) <> "/" ThensUploadDir = "
/" & sUploadDirEnd IfSelect Case sBaseUrlCase "
"sContentPath = aStyleConfig(
)Case "
"sContentPath = RelativePath
RootPath(sUploadDir)Case "
"sContentPath = RootPath
DomainPath(RelativePath
RootPath(sUploadDir))End SelectsUploadDir = sUploadDir & sCusDirsContentPath = sContentPath & sCusDirSelect Case sTypeCase "FILE"sAllowExt = ""Case "MEDIA"sAllowExt = "rm|mp
|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov"Case "FLASH"sAllowExt = "swf"Case ElsesAllowExt = "bmp|jpg|jpeg|png|gif"End SelectsCurrDir = sUploadDirsDir = Trim(Request("dir"))
' The lines below interleave the write-up author's annotations (Chinese) with
' the three Replace calls that sanitise sDir. The annotations walk three sample
' "dir" values through the filter and conclude that the third one is not
' neutralised (the author calls it a bypass).
' NOTE(review): each Replace is applied once and removes a substring, so the
' text left behind can join up into the sequence that was just removed.
' Validation is the safer design: refuse the request when sDir contains a
' parent-directory component, and check that the mapped path is still inside
' the mapped upload directory before it is used.
' NOTE(review): unlike sCusDir above, sDir gets no Left/Right/InStr rejection
' test in this Sub.
假设dir=
/
假设dir=
//
假设dir=
///sDir = Replace(sDir
""
"/")
过滤
sDir = Replace(sDir
"
/"
"")
过滤
到这里就被过滤了sDir = Replace(sDir
"
/"
"")
过滤
到这里也被功率了
到这里就成
/了
比较有趣的饶过!好象不少cms这样过滤过
' sDir is kept only when CheckValidDir(Server.MapPath(sUploadDir & sDir)) is
' True; otherwise it is reset to "" and sCurrDir stays at sUploadDir.
' NOTE(review): CheckValidDir is defined outside this listing; if it only tests
' that the folder exists, it does not confine the listing to the upload
' directory - confirm.
If sDir <> "" ThenIf CheckValidDir(Server
Mappath(sUploadDir & sDir)) = True ThensCurrDir = sUploadDir & sDir & "/"ElsesDir = ""End IfEnd IfEnd Sub