| 作者:Tr4c3
本来这个礼物只是给BK瞬间群的朋友们共享了,特意说不让拿去搞官方,不幸的是还是有人首先拿官方测试,让人很郁闷,T了该人,拉黑。今天放出来给大家。
########################################################################
Tr4c3[at]126[dot]com 写于[2008-4-29]
版权所有:
http://www.nspcn.org/
http://www.tr4c3.com/
Bk瞬间 [QQ群] & Hi [QQ群]
########################################################################
程序下载:http://down.oblog.cn/oblog4/oblog46_Final_20080403.rar
########################################################################
描述:
愚人节那天雕牌在blog上公布了一个Oblog任意文件下载漏洞。文章见/Article/200804/24841.html<0day>愚人节的礼物 oblog文件下载漏洞。
随后官方发布的Oblog版本里对代码做了些许改动,并发布了相关补丁。详见:http://bbs.oblog.cn/dispbbs.asp?boardid=119&Id=132375 [oblog46体验版_patch_20080403补丁]
http://www.target.com/attachment.asp?path=./conn.asp这样已经无法下载文件,我从官方下载了最新版本4.60 Final Build080403 Access(集成了attachment.asp补丁),发现修改后的代码并不能解决问题,OBlog任意文件下载漏洞依然存在。具体看 attachment.asp代码。
########################################################################
关键部分:
- Path = Trim(Request("path")) '获取用户提交的路径
- FileID = Trim(Request("FileID"))
- If FileID ="" And Path = "" Then
- Response.WrITe "参数不足"
- Response.End
- End If
- ...
- If CheckDownLoad Or 1= 1Then
- If Path = "" Then
- set rs = Server.CreateObject("ADODB.RecordSet")
- link_database
- SQL = ("select file_path,userid,file_ext,ViewNum FROM oblog_upfile WHERE FileID = "&CLng(FileID))
- rs.open sql,conn,1,3
- If Not rs.Eof Then
- uid = rs(1)
- file_ext = rs(2)
- rs("ViewNum") = rs("ViewNum") + 1
- rs.Update
- downloadFile Server.MapPath(rs(0)),0
- Else
- Response.Status=404
- Response.WrITe "该附件不存在!"
- End If
- rs.Close
- Set rs = Nothing
- Else
- If InStr(path,Oblog.CacheConfig(56)) > 0 Then 'Tr4c3 标注:注意这里,仅仅判断用户提交的路径是否包含UploadFiles,为真则调用downloadfile函数下载文件
- downloadFile Server.MapPath(Path),1
- End if
- End If
- Else
- '如果附件为图片的话,当权限检验无法通过则调用一默认图片,防止<img>标记无法调用,影响显示效果
- If Path = "" Then
- Response.Status=403
- Response.WrITe ShowDownErr
- Response.End
- Else
- downloadFile Server.MapPath(blogdir&"images/oblog_powered.gif"),1
- End if
- End if
-
- Set oblog = Nothing
-
- Sub downloadFile(strFile,stype)
- On Error Resume Next
- Server.ScriptTimeOut=9999999
- Dim S,fso,f,intFilelength,strFilename
- strFilename = strFile
- Response.Clear
- Set s = Server.CreateObject(oblog.CacheCompont(2))
- s.Open
- s.Type = 1
- Set fso = Server.CreateObject(oblog.CacheCompont(1))
- If Not fso.FileExists(strFilename) Then
- If stype = 0 Then
- Response.Status=404
- Response.WrITe "该附件已经被删除!"
- ExIT Sub
- Else
- strFilename = Server.MapPath(blogdir&"images/nopic.gif")
- End if
- End If
- Set f = fso.GetFile(strFilename)
- intFilelength = f.size
- s.LoadFromFile(strFilename)
- If Err Then
- Response.WrITe("<h1>错误: </h1>" & Err.Description & "<p>")
- Response.End
- End If
- Set fso=Nothing
- Dim Data
- Data=s.Read
- s.Close
- Set s=Noth
[1] [2] 下一页
|
