SoFunction
Updated on 2025-04-10

Arbitrary file download vulnerability in the Xinyun website management system

The problem is in flash/; let's look at the code first:

<%
Dim url, strUrl, strPath
url = Replace(Replace(Replace(Request("url"), "'", ""), "%", ""), "\", "/")
' First strip a few characters: ' is removed, % is removed, \ becomes /

If Len(url) > 3 Then
    If Left(url, 1) = "/" Then
        Response.Redirect url    ' If the first character of the submitted url is /, just redirect to it
    End If
    If Left(url, 3) = "../" Then
        Response.Redirect url    ' Same as above: meant to stop you using ../ to climb out of the directory
    End If
    strUrl = Left(url, 10)
    If InStr(strUrl, "://") > 0 Then    ' Sweat... what is this :// check even for?
        Response.Redirect url
    End If
    If InStr(url, "/") > 0 Then
        strPath = Server.MapPath(".") & "\" & url    ' Build the physical path
        strPath = Replace(strPath, "/", "\")          ' Replace / with \
        Call downThisFile(strPath)                    ' HOHO~~~ download
    Else
        Response.Redirect url
    End If
End If

Sub downThisFile(thePath)
    On Error Resume Next
    Dim stream, fileName, fileContentType

    fileName = Split(thePath, "\")(UBound(Split(thePath, "\")))    ' Last path segment becomes the download name
    Set stream = Server.CreateObject("ADODB.Stream")

    stream.Type = 1    ' adTypeBinary
    stream.Open
    stream.LoadFromFile thePath
    Response.AddHeader "Content-Disposition", "attachment; filename=" & fileName
    Response.AddHeader "Content-Length", stream.Size
    Response.Charset = "UTF-8"
    Response.ContentType = "application/octet-stream"
    Response.BinaryWrite stream.Read
    Response.Flush

    stream.Close
    Set stream = Nothing
End Sub
%>
It looks as though every form of the url has been handled, so ../ cannot be used to climb out of the directory. But the ../ check is odd: it only looks at the first three characters of the url. So the first three characters cannot be ../, but what about the ones after them? Set the url parameter to "uploadfile/../../", giving the full address http://127.0.0.1/flash/?url=uploadfile/../../../. Hehe~~ the file downloads.
This site program is used by quite a lot of people; I even saw two hacker websites running it, and they all share this hole. You could say this vulnerability is a killer for every system online that uses Xinyun; even SP1 of 10.18 has not patched it. However, many large sites use the SQL version and the host blocks port 1433, so exploitation becomes a problem. For the Access version, as long as the admin backend has not been renamed, the md5 password can be looked up, and the backend has the database-backup function, getting a webshell is no problem.
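To show why a check on the first three characters is not enough and what a containment check looks like instead, here is an added Python model (not the Xinyun code; the web root and file names are constructed) that runs the page's filter logic beside a canonicalised-path check on the same inputs:

```python
import os
from typing import Optional

# Constructed web root for the demo; the real site path is not on the page.
SAMPLE_ROOT = "/srv/www/xinyun/flash"

def legacy_filter_accepts(url: str) -> bool:
    """Model of the page's flash/ download filter: True when the original
    ASP code would reach downThisFile() with this url value."""
    url = url.replace("'", "").replace("%", "").replace("\\", "/")
    if len(url) <= 3:
        return False
    if url.startswith("/") or url.startswith("../"):
        return False            # the original redirects instead of downloading
    if "://" in url[:10]:
        return False
    return "/" in url           # only the first three characters were ever checked

def safe_download_path(web_root: str, url: str) -> Optional[str]:
    """Hardened check: canonicalise the requested path and accept it only if
    it is still inside the download directory (assumed here to be uploadfile/)."""
    allowed_dir = os.path.realpath(os.path.join(web_root, "uploadfile"))
    cleaned = url.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(web_root, cleaned))
    try:
        inside = os.path.commonpath([allowed_dir, candidate]) == allowed_dir
    except ValueError:          # different drives on Windows
        inside = False
    if not inside or candidate == allowed_dir:
        return None             # escaped the directory, or asked for the directory itself
    return candidate

if __name__ == "__main__":
    for u in ["uploadfile/report.pdf", "../outside.txt", "uploadfile/../../../"]:
        print(f"{u!r:28} legacy={legacy_filter_accepts(u)!s:5} safe={safe_download_path(SAMPLE_ROOT, u)}")
```

The legacy model lets "uploadfile/../../../" through exactly as the page describes, while the canonicalised check rejects it because the resolved path no longer starts with the download directory.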