Home>Network programming tutorial>ASP tutorial

eWebEditor v3.8 column directory

Author:Eve Cole Update Time:2025-08-09 22:48:01

Recommended: ASP component-free paging implementation ideas and code
The component-free pagination is incredible. You will know by looking at the effect of this article. Let’s share with you the specific implementation below. Interested friends can refer to it.

Title: asp eWebEditor v3.8 column directory vulnerability (other versions are tests)

Vulnerability file: asp/browse.asp

Vulnerability occurs:

Sub InitParam()

sType = UCase(Trim(Request.QueryString(type)))sStyleName = Trim(Request.QueryString(style))sCusDir = Trim(Request.QueryString(cusdir))Dim i, aStyleConfig, bValidStylebValidStyle = FalseFor i = 1 To Ubound(aStyle)aStyleConfig = Split(aStyle(i), |||)If Lcase(sStyleName) = Lcase(aStyleConfig(0)) ThenbValidStyle = TrueExit ForEnd IfNextIf bValidStyle = False ThenOutScript(alert('Invalid Style.'))End IfsBaseUrl = aStyleConfig(19)nAllowBrowse = CLng(aStyleConfig(43))nCusDirFlag = Clng(aStyleConfig(61))If nAllowBrowse <> 1 ThenOutScript(alert('Do not allow browser!'))End If If nCusDirFlag <> 1 ThenCusDir = ElsesCusDir = Replace(sCusDir, /, /)If Left(sCusDir, 1) = / Or Left(sCusDir, 1) = . Or Right(sCusDir, 1) = . Or InStr(sCusDir, ./) > 0 Or InStr(sCusDir, /.) > 0 Or InStr(sCusDir, //) > 0 ThensCusDir = ElseIf Right(sCusDir, 1) <> / ThensCusDir = sCusDir & /End IfEnd IfEnd IfsUploadDir = aStyleConfig(3)If Left(sUploadDir, 1) <> / ThensUploadDir = ../ & sUploadDirEnd IfSelect Case sBaseUrlCase 0sContentPath = aStyleConfig(23)Case 1sContentPath = RelativePath2RootPath(sUploadDir)Case 2sContentPath = RootPath2DomainPath(RelativePath2RootPath(sUploadDir))End SelectsUploadDir = sUploadDir & sCusDirsContentPath = sContentPath & sCusDirSelect Case sTypeCase FILEsAllowExt = Case MEDIAsAllowExt = rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|movCase FLASHsAllowExt = swfCase ElsesAllowExt = bmp|jpg|jpeg|png|gifEnd SelectsCurrDir = sUploadDirsDir = Trim(Request(dir))'1. Assume dir= ../'2. Assume dir=...//'3. Assume dir=...///sDir = Replace(sDir, /, /) 'Filter 1sDir = Replace(sDir, ../, ) 'Filter 2'1. It is filtered here sDir = Replace(sDir, ./, ) 'Filter 3'2 is also powered here '3 is here.../. More interesting! It seems that many cms are filtered like this. [/color]If sDir <> ThenIf CheckValidDir(Server.Mappath(sUploadDir & sDir)) = True ThensCurrDir = sUploadDir & sDir & /ElsesDir = End IfEnd IfEnd Sub

Share: How to obtain real IP address of ASP
Use Request.ServerVariables(REMOTE_ADDR) in ASP to obtain the IP address of the client, but if the client uses a proxy server to access it, the IP address of the proxy server is obtained, not the real client IP address. To obtain the client's real IP address through the proxy server, you must use Request.ServerVariables(H

Related Articles