Path = Trim(Request("path")) 'Get the path submitted by the user
FileID = Trim(Request("FileID"))
If FileID ="" And Path = "" Then
"Insufficient parameters"
End If
...
If CheckDownLoad Or 1= 1Then
If Path = "" Then
set rs = ("")
link_database
SQL = ("select file_path,userid,file_ext,ViewNum FROM oblog_upfile WHERE FileID = "&CLng(FileID))
sql,conn,1,3
If Not Then
uid = rs(1)
file_ext = rs(2)
rs("ViewNum") = rs("ViewNum") + 1
downloadFile (rs(0)),0
Else
=404
"This attachment does not exist!"
End If
Set rs = Nothing
Else
If InStr(path,(56)) > 0 Then 'Tr4c3 Note: Note here, just determine whether the path submitted by the user contains UploadFiles. If it is true, call the downloadfile function to download the file.
downloadFile (Path),1
End if
End If
Else
'If the attachment is a picture, when the permission verification cannot be passed, a default picture will be called to prevent the <img> mark from being unable to be called, affecting the display effect.
If Path = "" Then
=403
ShowDownErr
Else
downloadFile (blogdir&"images/oblog_powered.gif"),1
End if
End if
Set oblog = Nothing
Sub downloadFile(strFile,stype)
On Error Resume Next
=9999999
Dim S,fso,f,intFilelength,strFilename
strFilename = strFile
Set s = ((2))
= 1
Set fso = ((1))
If Not (strFilename) Then
If stype = 0 Then
=404
"This attachment has been deleted!"
Exit Sub
Else
strFilename = (blogdir&"images/")
End if
End If
Set f = (strFilename)
intFilelength =
(strFilename)
If Err Then
("<h1>Error: </h1>" & & "<p>")
End If
Set fso=Nothing
Dim Data
Data=
Set s=Nothing
Dim ContentType
select Case LCase(Right(strFile, 4))
Case ".asp",".mdb",".config",".js" 'Tr4c3 Note: Looking at this again, what did you remember? By the way, the arbitrary download vulnerability of the news system I posted a few days ago is similar to the method of checking [http:///post/]. The method of use is also similar, and the magical "." comes in handy again.
Exit Sub
Case ".asf"
ContentType = "video/x-ms-asf"
Case ".avi"
ContentType = "video/avi"
Case ".doc"
ContentType = "application/msword"
Case ".zip"
ContentType = "application/zip"
Case ".xls"
ContentType = "application/-excel"
Case ".gif"
ContentType = "image/gif"
Case ".jpg", "jpeg"
ContentType = "image/jpeg"
Case ".wav"
ContentType = "audio/wav"
Case ".mp3"
ContentType = "audio/mpeg3"
Case ".mpg", "mpeg"
ContentType = "video/mpeg"
Case ".rtf"
ContentType = "application/rtf"
Case ".htm", "html"
ContentType = "text/html"
Case ".txt"
ContentType = "text/plain"
Case Else
ContentType = "application/octet-stream"
End select
If Then
If Not (InStr(LCase(),".gif")>0 Or InStr(LCase(),".jpg")>0 Or InStr(LCase(),".jpeg")>0 Or InStr(LCase(),".bmp")>0 Or InStr(LCase(),".png")>0 )Then
"Content-Disposition", "attachment; filename=" &
End If
"Content-Length", intFilelength
= "UTF-8"
= ContentType
Data
()
End If
End Sub
<* Reference:
Tr4c3[at]126[dot]com
*>
Test method:
[warn]
The following procedures (methods) may be aggressive and are for safety research and teaching only. You are at your own risk!
########################################################################
Utilization method:
/?path=UploadFiles/../.
########################################################################
suggestion:
Repair suggestions:
Wait for the official release of new patches.
########################################################################
Temporary solution:
Change line 5 Path = Trim(Request("path")) to Path = Replace(Trim(Request("path")),"..","")
########################################################################