Problems with the patch for the Oblog 2.52 help.asp vulnerability
This is an interesting case.
Oblog is an ASP-based blog system; the current version is 2.52.
A few days ago a vulnerability was found in its help.asp file:
it allowed the source of any file on the site to be read, including ASP files, which is obviously serious.
The issue has now been patched, and the key part of the revised code is as follows:
<%
fname = Trim(Request("file"))
fname = LCase(fname)
fname = Replace(fname, "asp", "")   ' strip "asp" (lower-case, since fname was already lower-cased) so ASP sources cannot be requested
If fname = "" Then
    fname = "Help/h_sysmain.htm"
End If
If Right(fname, 4) = ".htm" Then   ' only files whose suffix is .htm may be shown
    show_help = "Current position: <a href='index.asp'>Home</a>→Blog Help"
    show_help = show_help & adodb_loadfile(fname)
    show = Replace(show, "$show_list$", show_help)
    Response.Write show
    Call Bottom()
Else
    Response.Write("Incorrect input file")
End If
%>
Yesterday, in a QQ group, a user remarked on a whim that even after the patch the code above still has a problem.
Let's take a look at his analysis:
The patch does two things: it replaces every occurrence of the string "asp" in the file name, to prevent ASP files from being viewed, and it only allows files whose suffix is .htm to be displayed.
First, look at the code that strips "asp":
fname = Replace(fname, "asp", "")
So a request for help.asp?file=conn.asp becomes help.asp?file=conn.
But a request for help.asp?file=conn.aaspsp becomes help.asp?file=conn.asp after the replacement: Replace runs only once, so removing the inner "asp" leaves the surrounding characters to form "asp" again.
This "asp" substitution is therefore not a reliable protection; it can be bypassed.
Second, how to bypass the check that the suffix is .htm.
His idea was this:
Some time ago there were the upload vulnerabilities, where the usual method was to capture the request packet and then modify the data,
constructing a file name such as a.asp%00.gif.
The upload program then believes this is a GIF file, but when the file is actually saved only a.asp is written.
So would the same thing work here?
Construct the file name conn.asp%00.htm so that the check on fname is fooled,
and then in the adodb_loadfile(fname) function the file that is really opened is conn.asp.
That would achieve the goal.
His reasoning looks logical enough,
and the first step of his analysis, bypassing the "asp" check, is indeed correct.
Only the second step is wrong: his understanding of the null byte is mistaken.
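Both steps of the analysis can be checked at the string level. The following Python model is an added example, not code from Oblog: it re-implements the string checks of the patched help.asp (Trim, LCase, one Replace of "asp", Right(fname, 4) = ".htm"), and puts beside them a repeat-until-stable version of the Replace and an allow-list version of the whole filter. The function names, `DEFAULT_HELP` and the constructed request strings are my own. It only models what happens to the string before it reaches adodb_loadfile; what that function does with a NUL byte is the question the rest of this post, and the paper it links, is about.

```python
"""Model of the patched help.asp filter and two hardened variants.

Added example (not Oblog code): re-implements the string checks of the
patched help.asp so the bypass ideas from the text can be tried offline.
Request("file") URL-decodes the query string, so '%00' arrives as '\\x00'.
"""
from typing import FrozenSet, Optional, Tuple

DEFAULT_HELP = "Help/h_sysmain.htm"   # default file used by the patched code


def patched_filter(raw: str) -> Tuple[str, bool]:
    """Mirror the patched help.asp.

    Returns (name that would reach adodb_loadfile, whether the '.htm'
    suffix check passed).
    """
    fname = raw.strip().lower()           # Trim + LCase
    fname = fname.replace("asp", "")      # one pass: "aaspsp" -> "asp"
    if fname == "":
        fname = DEFAULT_HELP
    return fname, fname.endswith(".htm")  # Right(fname, 4) = ".htm"


def strip_fixpoint(s: str, needle: str) -> str:
    """Repeat the replacement until nothing changes, so nested copies of
    the token ("aaspsp", "aaaspspsp", ...) cannot reassemble it."""
    while needle in s:
        s = s.replace(needle, "")
    return s


def hardened_filter(raw: str, allowed: FrozenSet[str]) -> Optional[str]:
    """Allow-list version: only a bare file name from a fixed set is served,
    and NUL bytes, path separators and '..' are rejected outright.

    Returns the path to open, or None when the request is rejected.
    """
    fname = raw.strip().lower()
    if fname == "":
        fname = "h_sysmain.htm"
    if any(ch in fname for ch in ("\x00", "/", "\\")) or ".." in fname:
        return None
    if fname not in allowed:
        return None
    return "help/" + fname


if __name__ == "__main__":
    # Constructed requests: the two from the text, plus their combination.
    for req in ("conn.asp", "conn.aaspsp", "conn.asp%00.htm", "conn.aaspsp%00.htm"):
        decoded = req.replace("%00", "\x00")   # what Request("file") yields
        name, ok = patched_filter(decoded)
        print(repr(req), "->", repr(name), "htm check passed:", ok)
    print(strip_fixpoint("conn.aaspsp", "asp"))
    print(hardened_filter("conn.aaspsp\x00.htm", frozenset({"h_sysmain.htm"})))
```

Running the model shows that conn.aaspsp survives the Replace as conn.asp but still fails the .htm check, that conn.asp%00.htm as literally written in the analysis loses its "asp" to the Replace, and that only the combination conn.aaspsp%00.htm gets a string ending in .htm past both checks. The fixpoint loop closes the doubling trick on its own; the allow-list removes the whole class of problems, including whatever adodb_loadfile does with a NUL byte.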
Many people know that upload vulnerabilities exist, but what the upload vulnerability actually is,
many people do not know.
And ASP behaves differently here from PHP and Perl.
For the details you can refer to this document:
Http://security-assessment.com/Papers/0x00_vs_ASP_File_Uploads.pdf
I believe it will help us understand upload vulnerabilities better.