|OBlog任意文件下载漏洞 - VULHUB开源网络安全威胁库

OBlog任意文件下载漏洞

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

attachment.asp代码 Path = Trim(Request("path")) '获取用户提交的路径 FileID = Trim(Request("FileID")) If FileID ="" And Path = "" Then Response.Write "参数不足" Response.End End If ... If CheckDownLoad Or 1= 1Then If Path = "" Then set rs = Server.CreateObject("ADODB.RecordSet") link_database SQL = ("select file_path,userid,file_ext,ViewNum FROM oblog_upfile WHERE FileID = "&amp;CLng(FileID)) rs.open sql,conn,1,3 If Not rs.Eof Then uid = rs(1) file_ext = rs(2) rs("ViewNum") = rs("ViewNum") + 1 rs.Update downloadFile Server.MapPath(rs(0)),0 Else Response.Status=404 Response.Write "该附件不存在!" End If rs.Close Set rs = Nothing Else If InStr(path,Oblog.CacheConfig(56)) &gt; 0 Then 'Tr4c3 标注：注意这里，仅仅判断用户提交的路径是否包含UploadFiles，为真则调用downloadfile函数下载文件 downloadFile Server.MapPath(Path),1 End if End If Else '如果附件为图片的话，当权限检验无法通过则调用一默认图片，防止&lt;img&gt;标记无法调用，影响显示效果 If Path = "" Then Response.Status=403 Response.Write ShowDownErr Response.End Else downloadFile Server.MapPath(blogdir&amp;"images/oblog_powered.gif"),1 End if End if Set oblog = Nothing Sub downloadFile(strFile,stype) On Error Resume Next Server.ScriptTimeOut=9999999 Dim S,fso,f,intFilelength,strFilename strFilename = strFile Response.Clear Set s = Server.CreateObject(oblog.CacheCompont(2)) s.Open s.Type = 1 Set fso = Server.CreateObject(oblog.CacheCompont(1)) If Not fso.FileExists(strFilename) Then If stype = 0 Then Response.Status=404 Response.Write "该附件已经被删除!" Exit Sub Else strFilename = Server.MapPath(blogdir&amp;"images/nopic.gif") End if End If Set f = fso.GetFile(strFilename) intFilelength = f.size s.LoadFromFile(strFilename) If Err Then Response.Write("&lt;h1&gt;错误: &lt;/h1&gt;" &amp; Err.Description &amp; "&lt;p&gt;") Response.End End If Set fso=Nothing Dim Data Data=s.Read s.Close Set s=Nothing Dim ContentType select Case LCase(Right(strFile, 4)) Case ".asp",".mdb",".config",".js" 'Tr4c3 标注：再看这里，想起来什么来了？对了，前几天我发的沸腾展望新闻系统的任意下载漏洞跟这个检查的方法差不多[http://www.tr4c3.com /post/306.html]，利用方法也相似，神奇的"."又派上用场了。 Exit Sub Case ".asf" ContentType = "video/x-ms-asf" Case ".avi" ContentType = "video/avi" Case ".doc" ContentType = "application/msword" Case ".zip" ContentType = "application/zip" Case ".xls" ContentType = "application/vnd.ms-excel" Case ".gif" ContentType = "image/gif" Case ".jpg", "jpeg" ContentType = "image/jpeg" Case ".wav" ContentType = "audio/wav" Case ".mp3" ContentType = "audio/mpeg3" Case ".mpg", "mpeg" ContentType = "video/mpeg" Case ".rtf" ContentType = "application/rtf" Case ".htm", "html" ContentType = "text/html" Case ".txt" ContentType = "text/plain" Case Else ContentType = "application/octet-stream" End select If Response.IsClientConnected Then If Not (InStr(LCase(f.name),".gif")&gt;0 Or InStr(LCase(f.name),".jpg")&gt;0 Or InStr(LCase(f.name),".jpeg")&gt;0 Or InStr(LCase(f.name),".bmp")&gt;0 Or InStr(LCase(f.name),".png")&gt;0 )Then Response.AddHeader "Content-Disposition", "attachment; filename=" &amp; f.name End If Response.AddHeader "Content-Length", intFilelength Response.CharSet = "UTF-8" Response.ContentType = ContentType Response.BinaryWrite Data Response.Flush Response.Clear() End If End Sub OBlog 4.60 修补建议：等待官方发布新的补丁程序。 ######################################################################## 临时解决办法：将attachment.asp第5行 Path = Trim(Request(”path”)) 改成 Path = Replace(Trim(Request(”path”)),”..”,”") ########################################################################

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™