ASP Program File Download Vulnerabilities

Source: Internet
Author: User

1: Boiling Outlook

Const adTypeBinary = 1
FileName = Request.QueryString("FileName")
If FileName = "" Then
    Response.Write "Invalid file name!"
    Response.End
End If
FileExt = Mid(FileName, InStrRev(FileName, ".") + 1)
Select Case UCase(FileExt)
    Case "ASP", "ASA", "ASPX", "ASAX", "MDB"
        Response.Write "Invalid operation!"
        Response.End
End Select
Response.Clear
If LCase(Right(FileName, 3)) = "gif" Or LCase(Right(FileName, 3)) = "jpg" Or LCase(Right(FileName, 3)) = "png" Then
    Response.ContentType = "image/*" ' Do not show the download dialog for image files
Else
    Response.ContentType = "application/ms-download"
End If
Response.AddHeader "content-disposition", "attachment; filename=" & GetFileName(Request.QueryString("FileName"))
Set Stream = Server.CreateObject("ADODB.Stream")
Stream.Type = adTypeBinary
Stream.Open
SavePath = FileUploadPath ' Directory where uploaded files are stored
TrueFileName = SavePath & FileName
Stream.LoadFromFile Server.MapPath(TrueFileName)
While Not Stream.EOS
    Response.BinaryWrite Stream.Read(1024 * 64)
Wend
Stream.Close


Exploit:
http://www.target.com/down.asp?FileName=../conn.asp. (no login is required; use minibro to forge the Referer)
The key is the code below. InStrRev is used to obtain the file suffix. That is fine on its own, but once a dot is appended to the name the extracted suffix is empty, so the check that follows is skipped and the file can be downloaded.

FileExt = Mid(FileName, InStrRev(FileName, ".") + 1)
Select Case UCase(FileExt)
    Case "ASP", "ASA", "ASPX", "ASAX", "MDB"
        Response.Write "Invalid operation!"
        Response.End
End Select


The suffix is whatever follows the last ".". The last "." we construct has nothing after it, so the suffix is empty and the check never rejects it.

The InStrRev Function

First, the last parameter, which selects the comparison method:
0: binary comparison
1: text comparison
2: database comparison (compares using the information contained in the database)

InStrRev searches from the rightmost character toward the left. The following example makes this easy to understand.

SearchString = "XXpXXpXXPXXP"
SearchChar = "P"
X  X  p  X  X  p  X  X  P  X  X  P
1  2  3  4  5  6  7  8  9  10 11 12

' Binary comparison starting at character 10. Returns 9.
MyPos = InStrRev(SearchString, SearchChar, 10, 0)
Explanation: start at character 10 (an X) and move left; the first P found is at position 9.

' Text comparison starting at the last character. Returns 12.
MyPos = InStrRev(SearchString, SearchChar, -1, 1)
-1 means start at the last position and search from right to left; with text comparison the last character, P, matches, so 12 is returned.

' Binary comparison by default (the last parameter is omitted). Returns 0.
MyPos = InStrRev(SearchString, SearchChar, 8)
Starting at character 8 and moving left there is no uppercase P, so 0 is returned.

1: A number (the position) is returned.

2: The search runs from right to left.

3: InStrRev(FileName, ".") + 1 gives the position of the first letter of the suffix. For example:

<%
Dim strTXT, pos
strTXT = "www.webjx.com"
pos = InStrRev(strTXT, ".")
Response.Write pos
%>


The search starts from the end of the string. Counting from the first character up to and including the dot before "com" gives a total of ten characters, and the returned result is 9. Therefore, when using Mid to extract the suffix, you need the position of the first letter of the suffix, which is why + 1 is added. (ASP Mid: http://www.fzs8.net/asp/2007-06-10/4209.html)

2: Oblog Download Vulnerability
Excerpt 1:
Path = Trim(Request("path"))

Then it downloads directly:

If true_domain = 1 Then
    DownloadFile Server.MapPath(Replace(Path, blogurl, "")), 1
Else
    DownloadFile Server.MapPath(Path), 1
End If

This is where the vulnerability appears.

Tr4c3's analysis:
Path = Trim(Request("path"))

Then there is a precaution:

If InStr(path, Oblog.cacheConfig(56)) > 0 Then ' Tr4c3 note: this only checks whether the submitted path contains PreviousFile/Article; if it does, DownloadFile is called to download the file.
    DownloadFile Server.MapPath(Path), 1
End If
Select Case LCase(Right(strFile, 4))
    Case ".asp", ".mdb", ".config", ".js"
' Tr4c3 note: Look at this again. What do you think? By the way, the arbitrary download vulnerability in the news system I posted a few days ago used a check similar to this one [http://www.tr4c3.com/post/306.html]. I also tried it, and the amazing website was deployed again.


Incidentally, here are the two methods used to obtain the suffix:

LCase(Right(strFile, 4))

FileExt = Mid(FileName, InStrRev(FileName, ".") + 1)
Select Case UCase(FileExt)
    Case "ASP", "ASA", "ASPX", "ASAX", "MDB"
        Response.Write "Invalid operation!"
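The two suffix checks above, modelled in Python next to a hardened version of the download-path validation. This is an added example, not code from the page or from either product; the InStrRev model, the allowlist and the upload root are the editor's assumptions.

```python
import os

def instr_rev(s, sub, start=-1, compare=0):
    """Model of VBScript InStrRev: 1-based position of the last occurrence of
    `sub` that ends at or before character `start` (-1 = last character);
    0 when not found. compare=0 is binary (case-sensitive), 1 is text."""
    if start == -1:
        start = len(s)
    if start < 1 or start > len(s):
        return 0
    hay, needle = (s, sub) if compare == 0 else (s.lower(), sub.lower())
    return hay.rfind(needle, 0, start) + 1   # rfind returns -1 -> 0 when absent

BLOCKED_EXT = {"ASP", "ASA", "ASPX", "ASAX", "MDB"}   # the page's blocklist
BLOCKED_TAIL = {".asp", ".mdb", ".config", ".js"}    # Oblog's Right(strFile, 4) list

def mid_check_allows(filename):
    """The page's check: UCase(Mid(FileName, InStrRev(FileName, ".") + 1)).
    A trailing dot makes the extracted suffix "" so nothing is blocked."""
    return filename[instr_rev(filename, "."):].upper() not in BLOCKED_EXT

def right4_check_allows(filename):
    """Oblog's check: LCase(Right(strFile, 4)). ".config" and ".js" can never
    equal a 4-character tail, and "conn.asp." ends in "asp.", so both slip past."""
    return filename[-4:].lower() not in BLOCKED_TAIL

ALLOWED_EXT = {"gif", "jpg", "png", "zip"}   # assumed allowlist for the upload directory

def safe_download_path(upload_root, filename):
    """Hardened replacement (editor's own, not from the page): bare file name only,
    no trailing dots/spaces (Windows strips them, so "conn.asp." opens conn.asp),
    extension allowlist, and the resolved path must stay under upload_root."""
    if "\x00" in filename or ":" in filename:      # NUL truncation / NTFS stream syntax
        return None
    name = os.path.basename(filename.replace("\\", "/"))
    if name != filename or name in ("", ".", ".."):
        return None                                # contained a separator or traversal
    if name != name.rstrip(". "):
        return None                                # trailing dot/space trick
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in ALLOWED_EXT:
        return None
    root = os.path.realpath(upload_root)
    full = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, full]) != root:
        return None
    return full
```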
