漏洞文件:attachment.asp,path参数过滤不严。导致可以下载任何文件。 <!-- #include file="inc/inc_syssite.asp" --> <% Dim Path,rs,FileID,ShowDownErr,uid,file_ext Dim SQL Path = Trim(Request("path")) FileID = Trim(Request("FileID")) If FileID ="" And Path = "" Then Response.Write "参数不足" Response.End End If If CheckDownLoad Then If Path = "" Then set rs = Server.CreateObject("ADODB.RecordSet") link_database SQL = ("select file_path,userid,file_ext,ViewNum FROM oblog_upfile Where FileID = "&CLng(FileID)) rs.open sql,conn,1,3 If Not rs.Eof Then uid = rs(1) file_ext = rs(2) rs("ViewNum") = rs("ViewNum") + 1 rs.Update downloadFile Server.MapPath(rs(0)),0 Else Response.Status=404 Response.Write "该附件不存在!" End If rs.Close Set rs = Nothing Else If true_domain = 1 Then downloadFile Server.MapPath(Replace(Path,blogurl,"")),1 else downloadFile Server.MapPath(Path),1 End If End If...
漏洞文件:attachment.asp,path参数过滤不严。导致可以下载任何文件。 <!-- #include file="inc/inc_syssite.asp" --> <% Dim Path,rs,FileID,ShowDownErr,uid,file_ext Dim SQL Path = Trim(Request("path")) FileID = Trim(Request("FileID")) If FileID ="" And Path = "" Then Response.Write "参数不足" Response.End End If If CheckDownLoad Then If Path = "" Then set rs = Server.CreateObject("ADODB.RecordSet") link_database SQL = ("select file_path,userid,file_ext,ViewNum FROM oblog_upfile Where FileID = "&CLng(FileID)) rs.open sql,conn,1,3 If Not rs.Eof Then uid = rs(1) file_ext = rs(2) rs("ViewNum") = rs("ViewNum") + 1 rs.Update downloadFile Server.MapPath(rs(0)),0 Else Response.Status=404 Response.Write "该附件不存在!" End If rs.Close Set rs = Nothing Else If true_domain = 1 Then downloadFile Server.MapPath(Replace(Path,blogurl,"")),1 else downloadFile Server.MapPath(Path),1 End If End If Else '如果附件为图片的话,当权限检验无法通过则调用一默认图片,防止<img>标记无法调用,影响显示效果 If Path = "" Then Response.Status=403 Response.Write ShowDownErr Response.End Else downloadFile Server.MapPath(blogdir&"images/oblog_powered.gif"),1 End if End if oblog 暂无,很关注官方网站
