Fix the Oblog 2.52 help. asp vulnerability
This is a very interesting case.
OBlog is an ASP-based blog system; the current version is 2.52.
A few days ago a vulnerability in its help.asp file was disclosed: it allowed the source of any file on the site to be read, including .asp files, which is obviously serious.
The problem has now been officially fixed. The key part of the modified code is as follows:
    ' Normalise the requested file name, then strip every "asp" substring
    fname = Trim(Request("file"))
    fname = LCase(fname)
    fname = Replace(fname, "asp", "")
    If fname = "" Then fname = "help/h_sysmain.htm"
    ' Only serve files whose name ends in ".htm"
    If Right(fname, 4) = ".htm" Then
        show_help = "Current location: <a href='index.asp'>homepage</a> → blog help"
        show_help = show_help & adodb_loadfile(fname)
        show = Replace(show, "$show_list$", show_help)
        Response.Write show
        Call bottom()
    Else
        Response.Write("incorrect input file")
    End If
Yesterday, in a QQ group, a user suddenly had an idea and claimed that the fixed code above still had a problem.
Let's take a look at his analysis:
The patch works in two ways: it removes every "asp" substring from the file name so that .asp files cannot be requested, and it only serves files whose name ends in .htm.
First, let's look at the code that strips "asp":
    fname = Replace(fname, "asp", "")
With this, a request for help.asp?file=conn.asp becomes help.asp?file=conn.
But if we request help.asp?file=conn.aaspsp instead, the replacement turns it into help.asp?file=conn.asp, because Replace makes a single pass and removing the inner "asp" leaves a new "asp" behind.
So the "asp" replacement is not a reliable protection and can be bypassed.
Now for the second point, the check that the suffix is .htm.
His reasoning is as follows:
Remember the upload vulnerability from a while ago? The usual technique was to capture the packet first and then modify the data,
constructing a file name such as a.asp000000.gif,
so that the upload program believes it is a GIF file while it is actually saved as a.asp.
So wouldn't the same trick work here?
Construct the file name conn.asp000000.htm so that the fname check is fooled,
and then adodb_loadfile(fname) actually opens conn.asp,
achieving the goal.
At first sight his reasoning seems logical,
and the first step of his analysis, bypassing the "asp" check, is indeed valid.
The second step, however, rests on a misunderstanding.
Many people have heard of the upload vulnerability, but few understand what it actually is.
Moreover, ASP behaves somewhat differently from PHP and Perl here.
For details, refer to this document;
I believe it will help you understand the upload vulnerability.
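To make the first point concrete, here is a Python model of the patched check (added for this article; it is not OBlog's own code) showing why a single-pass Replace blacklist fails, alongside an allowlist alternative (my own suggestion, not part of the official fix) that has no string to bypass:

```python
import re
from typing import Optional

DEFAULT_HELP = "help/h_sysmain.htm"


def oblog_replace_step(file_param: str) -> str:
    """Model of the first three lines of the patched help.asp: Trim, LCase, Replace."""
    fname = file_param.strip().lower()
    # VBScript Replace() is single-pass: removing "asp" from "aaspsp" leaves "asp".
    return fname.replace("asp", "")


def oblog_patched_filter(file_param: str) -> Optional[str]:
    """Model of the whole patched check: the path help.asp would load, or None."""
    fname = oblog_replace_step(file_param)
    if fname == "":
        fname = DEFAULT_HELP
    if fname.endswith(".htm"):  # Right(fname, 4) = ".htm"
        return fname
    return None


# Assumption for this example: help pages live under help/ and have simple names.
_HELP_NAME = re.compile(r"help/[a-z0-9_]+\.htm")


def allowlist_filter(file_param: str) -> Optional[str]:
    """Accept only help/<name>.htm, where <name> is [a-z0-9_]+.

    The character class excludes '.', '/', '\\' and NUL, so no traversal,
    double extension or truncation trick can pass, and because this is an
    allowlist rather than a blacklist there is no substring to "un-replace".
    """
    fname = file_param.strip().lower()
    if fname == "":
        fname = DEFAULT_HELP
    if _HELP_NAME.fullmatch(fname):
        return fname
    return None


if __name__ == "__main__":
    # Constructed sample inputs: the page's two cases plus a traversal attempt.
    for p in ("conn.asp", "conn.aaspsp", "help/../conn.asp", "help/h_sysmain.htm"):
        print(repr(p), "->", repr(oblog_replace_step(p)),
              "| patched:", oblog_patched_filter(p),
              "| allowlist:", allowlist_filter(p))
```

Note that in the model the .htm suffix check still rejects conn.asp after the bypass; the allowlist is there to show that the replace step is simply the wrong tool.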
This article is an English version of an article originally published in Chinese on aliyun.com.