By: 小A
Official site: http://www.reaft.com/
CMS download link: http://www.2cto.com/ym/201102/26373.html
The interface is fairly well made; a quick search suggests very few people use it. Let's begin.
First, the file upload page UpLoad.html in the directory: it calls UpLoad.asp.
UpLoad.asp:
<!--#include file="UpLoad_Class.vbs.asp"-->
<!--#include file="request.asp" -->
<!--#include file="conn.asp" -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>文件上传</title>
<link href="styles/iframe.css" rel="stylesheet" type="text/css" />
<script src="scripts/admin.js"></script>
</head>
<body>
<div class="iframeBody">
<%
dim upload
set upload = new AnUpLoad
' "*" means the upload component itself accepts every extension
upload.Exe = "*"
upload.MaxSize = 4 * 1024 * 1024 '4M
upload.GetData()
if upload.ErrorID>0 then
    response.Write upload.Description
else
    postMess("images/operate_02.jpg")
    ' Files are stored under /upload/<year>/<month>/ with their original name
    dim savepath
    savepath = "/upload/"&year(date())&"/"&month(date())&"/"
    for each f in upload.files(-1)
        dim file
        set file = upload.files(f)
        if not(file is nothing) then
            if file.saveToFile(savepath,0,true) then
                postMess("images/operate_01.jpg")
                postValue = postValue&""&savepath&file.filename&"|"
                ' Write the saved path back into the parent form field
                response.write ("<script>window.parent.document.getElementById("""&postName&""").value="""&postValue&""";</script>")
            end if
        end if
        set file = nothing
    next
end if
set upload = nothing
%>
</div>
</body>
</html>
Next, let's look at UpLoad_Class.vbs.asp.
UpLoad_Class.vbs.asp:
<!--#include file="admin.asp" -->
<%
'=========================================================
'Class name: AnUpLoad (AnUpLoad component-free upload class www.2cto.com )
'=========================================================
' ... N lines of code omitted here ...
Public Function GetWH()
    'This function's code is adapted from the web
    On Error Resume Next
    mvarExtend = lcase(mvarExtend)
    ' Extension allow-list: note the "asa" entry alongside the image types
    if instr("|jpg|jpeg|bmp|png|gif|asa|","|" & mvarExtend & "|")<=0 then exit function
    Dim m_binItem
    Set m_binItem = server.CreateObject("ADODB.Stream")
    m_binItem.Mode = 3
    m_binItem.Type = 1
    m_binItem.Open
    ' Copy the uploaded bytes into a binary stream so the header can be read
    Dim Info
    Set Info = server.CreateObject("ADODB.Recordset")
    Info.Fields.Append "value", 205, -1
    Info.Open
    Info.AddNew
    Info("value").AppendChunk (mvarValue)
    m_binItem.Write (Info("value"))
    Info("value").AppendChunk (Null)
    Info.Update
    Info.Close
    Set Info = Nothing
    select case lcase(mvarExtend)
        case "jpg","jpeg"
            ' Walk the JPEG segments until a SOF marker (0xC0..0xC3) is found
            m_binItem.Position=3
            do while not m_binItem.EOS
                do
                    intTemp = Ascb(m_binItem.Read(1))
                loop while intTemp = 255 and not m_binItem.EOS
                if intTemp < 192 or intTemp > 195 then
                    m_binItem.read(Bin2Val(m_binItem.Read(2))-2)
                else
                    Exit do
                end if
                do
                    intTemp = Ascb(m_binItem.Read(1))
                loop while intTemp < 255 and not m_binItem.EOS
            loop
            m_binItem.Read(3)
            mvarHeight = Bin2Val(m_binItem.Read(2))
            mvarWidth = Bin2Val(m_binItem.Read(2))
        case "gif"
            if Lcase(strFext)<>"gif" then strFext="gif"
            m_binItem.Position=6
            mvarWidth = BinVal2(m_binItem.Read(2))
            mvarHeight = BinVal2(m_binItem.Read(2))
        case "png"
            if Lcase(strFext)<>"png" then strFext="png"
            m_binItem.Position=18
            mvarWidth = Bin2Val(m_binItem.Read(2))
            m_binItem.Read(2)
            mvarHeight = Bin2Val(m_binItem.Read(2))
        case "bmp"
            if Lcase(strFext)<>"bmp" then strFext="bmp"
            m_binItem.Position=18
            mvarWidth = BinVal2(m_binItem.Read(4))
            mvarHeight = BinVal2(m_binItem.Read(4))
        case "asa"
            ' "asa" is not an image format; this branch reads bytes at
            ' offset 18 as if it were one
            if Lcase(strFext)<>"asa" then strFext="asa"
            m_binItem.Position=18
            mvarWidth = BinVal2(m_binItem.Read(2))
            mvarHeight = BinVal2(m_binItem.Read(2))
    end select
    m_binItem.Close
    If err then
        mException=Err.Description
    End If
End Function
Look at the part marked in red (the extension list in GetWH that includes asa); the rest needs no explanation.
Simply upload an .asa file to get a shell.
Also, the upload may prompt for a login; just forge the session and you get through. (Webmaster's comment: What? Forge the session??? ... Good grief, if that could be forged, wouldn't that mean... 小A probably misread it and took it for the cookie ...)
The verification code is in admin.asp.
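The allow-list in GetWH() accepts "asa", an extension that IIS maps to the classic ASP script engine, so a file stored under that name is executed rather than served as an image. As an added example (not code from 80After CMS or its upload class), the following Python models the original extension-only check and places a hardened check beside it: server-executable extensions are refused outright, only image extensions are accepted, and the file header is parsed for the same four formats GetWH() handles so that the declared extension must agree with the real content. The set of IIS script extensions and the sample file headers are constructed assumptions for the demonstration.

```python
import struct

# Assumed (not from the CMS): extensions that IIS maps to the classic ASP
# script engine; anything stored under one of these is server-executable.
SERVER_SCRIPT_EXTENSIONS = {"asp", "asa", "aspx", "cer", "cdx"}

# The allow-list exactly as it appears in GetWH() in UpLoad_Class.vbs.asp.
CMS_ALLOW_LIST = {"jpg", "jpeg", "bmp", "png", "gif", "asa"}

# Hardened allow-list: image types only.
IMAGE_ALLOW_LIST = {"jpg", "jpeg", "bmp", "png", "gif"}


def extension_of(filename):
    """Lower-cased text after the last dot of the base name (cf. lcase(mvarExtend))."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def cms_check(filename):
    """Model of the original check: membership in the allow-list is all that is tested."""
    return extension_of(filename) in CMS_ALLOW_LIST


def image_dimensions(data):
    """Return (format, width, height) parsed from the file header, or None.

    Reads the real header fields of GIF, PNG, BMP and JPEG instead of trusting
    the extension, the same formats GetWH() reads dimensions from.
    """
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        w, h = struct.unpack_from("<HH", data, 6)      # little-endian u16 at offset 6
        return ("gif", w, h)
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR" and len(data) >= 24:
        w, h = struct.unpack_from(">II", data, 16)     # big-endian u32 in IHDR
        return ("png", w, h)
    if data[:2] == b"BM" and len(data) >= 26:
        w, h = struct.unpack_from("<ii", data, 18)     # BITMAPINFOHEADER width/height
        return ("bmp", w, abs(h))
    if data[:2] == b"\xff\xd8":
        # Walk JPEG segments to the first SOF0..SOF3 marker, whose payload is
        # precision (1 byte), height (2 bytes), width (2 bytes).
        pos = 2
        while pos + 4 <= len(data):
            if data[pos] != 0xFF:
                return None
            marker = data[pos + 1]
            if marker == 0xFF:                          # fill byte before a marker
                pos += 1
                continue
            if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
                pos += 2                                # standalone markers, no length
                continue
            if marker == 0xD9:
                return None                             # EOI reached before any SOF
            (seg_len,) = struct.unpack_from(">H", data, pos + 2)
            if 0xC0 <= marker <= 0xC3:
                if pos + 9 > len(data):
                    return None
                h, w = struct.unpack_from(">HH", data, pos + 5)
                return ("jpg", w, h)
            pos += 2 + seg_len
    return None


def hardened_check(filename, data):
    """Return (accepted, reason) for an upload, refusing anything executable
    and requiring the header to match the declared image extension."""
    ext = extension_of(filename)
    if ext in SERVER_SCRIPT_EXTENSIONS:
        return (False, "server-executable extension: " + ext)
    if ext not in IMAGE_ALLOW_LIST:
        return (False, "extension not in image allow-list: " + ext)
    parsed = image_dimensions(data)
    if parsed is None:
        return (False, "file header is not a recognised image")
    fmt, width, height = parsed
    if not (ext == fmt or (fmt == "jpg" and ext == "jpeg")):
        return (False, "header says %s but extension is %s" % (fmt, ext))
    if width == 0 or height == 0:
        return (False, "image has zero dimension")
    return (True, "%s %dx%d" % (fmt, width, height))


# Constructed sample inputs (not real uploads): minimal headers of each format.
SAMPLE_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00" * 4
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
              + struct.pack(">II", 640, 480) + b"\x08\x02\x00\x00\x00")
SAMPLE_BMP = b"BM" + b"\x00" * 16 + struct.pack("<ii", 32, 16)
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
               + b"\xff\xc0" + struct.pack(">H", 11) + b"\x08" + struct.pack(">HH", 240, 320)
               + b"\x01\x01\x11\x00")

if __name__ == "__main__":
    for name, blob in (("page.asa", SAMPLE_GIF), ("photo.gif", SAMPLE_GIF), ("photo.png", SAMPLE_GIF)):
        print(name, "original:", cms_check(name), "hardened:", hardened_check(name, blob))
```

The original check passes `page.asa` because the name is on the list; the hardened version rejects it before the list is even consulted, and also refuses a `.png` name whose bytes are a GIF, which is the kind of mismatch an extension-only check never sees.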
admin.asp:
<%
' Redirect to login only when both session values are empty
if session("username")="" and session("password")="" then
    session("Errortxt")="登录超时,请重新登陆"
    response.Redirect("login.asp")
    response.end
end if
%>
I won't say more about the rest!
This should count as a vulnerability; I don't know whether the author added it on purpose. In the upload extension check, of all things, an asa entry was added. I found it by accident.
Source article title: 80After CMS V4 marginal upload vulnerability and fix - Website Security