Title: ASP eWebEditor v3.8 directory listing vulnerability (other versions not tested)
Vulnerable file: asp/browse.asp
Cause of the vulnerability:
Sub InitParam()
    sType = UCase(Trim(Request.QueryString("type")))
    sStyleName = Trim(Request.QueryString("style"))
    sCusDir = Trim(Request.QueryString("cusdir"))

    ' Look up the requested style in the configured style list
    Dim i, aStyleConfig, bValidStyle
    bValidStyle = False
    For i = 1 To Ubound(aStyle)
        aStyleConfig = Split(aStyle(i), "|||")
        If Lcase(sStyleName) = Lcase(aStyleConfig(0)) Then
            bValidStyle = True
            Exit For
        End If
    Next

    If bValidStyle = False Then
        OutScript("alert('Invalid Style.')")
    End If

    sBaseUrl = aStyleConfig(19)
    nAllowBrowse = CLng(aStyleConfig(43))
    nCusDirFlag = Clng(aStyleConfig(61))

    If nAllowBrowse <> 1 Then
        OutScript("alert('Do not allow browse!')")
    End If

    ' cusdir is validated by rejecting the value outright if it contains dot segments
    If nCusDirFlag <> 1 Then
        sCusDir = ""
    Else
        sCusDir = Replace(sCusDir, "\", "/")
        If Left(sCusDir, 1) = "/" Or Left(sCusDir, 1) = "." Or Right(sCusDir, 1) = "." Or InStr(sCusDir, "./") > 0 Or InStr(sCusDir, "/.") > 0 Or InStr(sCusDir, "//") > 0 Then
            sCusDir = ""
        Else
            If Right(sCusDir, 1) <> "/" Then
                sCusDir = sCusDir & "/"
            End If
        End If
    End If

    sUploadDir = aStyleConfig(3)
    If Left(sUploadDir, 1) <> "/" Then
        sUploadDir = "../" & sUploadDir
    End If

    Select Case sBaseUrl
    Case "0"
        sContentPath = aStyleConfig(23)
    Case "1"
        sContentPath = RelativePath2RootPath(sUploadDir)
    Case "2"
        sContentPath = RootPath2DomainPath(RelativePath2RootPath(sUploadDir))
    End Select

    sUploadDir = sUploadDir & sCusDir
    sContentPath = sContentPath & sCusDir

    Select Case sType
    Case "FILE"
        sAllowExt = ""
    Case "MEDIA"
        sAllowExt = "rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov"
    Case "FLASH"
        sAllowExt = "swf"
    Case Else
        sAllowExt = "bmp|jpg|jpeg|png|gif"
    End Select

    sCurrDir = sUploadDir
    sDir = Trim(Request("dir"))
    ' 1. Suppose dir = ../
    ' 2. Suppose dir = ...//
    ' 3. Suppose dir = .....///
    sDir = Replace(sDir, "\", "/")   ' Filter 1
    sDir = Replace(sDir, "../", "")  ' Filter 2
    ' Case 1 is filtered out at this point
    sDir = Replace(sDir, "./", "")   ' Filter 3
    ' Case 2 is also filtered out at this point
    ' Case 3 has become ../ at this point. An interesting bypass! Quite a few CMSs seem to filter this way.
    If sDir <> "" Then
        If CheckValidDir(Server.Mappath(sUploadDir & sDir)) = True Then
            sCurrDir = sUploadDir & sDir & "/"
        Else
            sDir = ""
        End If
    End If
End Sub
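
The sketch below is an added example, not eWebEditor code: it models the three single-pass Replace() calls applied to dir in InitParam() and traces the three cases from the code comments, next to a validate-and-reject check in the style the same routine already uses for cusdir. Filter 1 is assumed to be the backslash-to-slash normalisation; the names legacy_filter_trace and safe_subdir and the base path /uploadfile/ are hypothetical.

```python
import posixpath
from typing import List, Optional


def legacy_filter_trace(s_dir: str) -> List[str]:
    """Model the three Replace() calls on dir; return the value after each filter."""
    steps = []
    for old, new in (("\\", "/"), ("../", ""), ("./", "")):  # filters 1, 2, 3
        # Like VBScript Replace(), str.replace() makes one left-to-right pass
        # and never rescans the text that a removal leaves behind.
        s_dir = s_dir.replace(old, new)
        steps.append(s_dir)
    return steps


def safe_subdir(base: str, s_dir: str) -> Optional[str]:
    """Reject instead of strip: refuse any segment made only of dots, then
    confirm the normalised result is still inside base."""
    segments = [seg for seg in s_dir.replace("\\", "/").split("/") if seg]
    if any(set(seg) <= {"."} for seg in segments):  # ".", "..", "....." ...
        return None
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, *segments))
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # The three dir values from the comments in InitParam(), plus a benign one
    # (constructed sample).
    for sample in ("../", "...//", ".....///", "images/2008"):
        print(repr(sample),
              "legacy:", legacy_filter_trace(sample),
              "hardened:", safe_subdir("/uploadfile/", sample))
```

The trace for case 3 shows why stripping fails: each removal joins the characters on either side into a new dot-segment that the same pass never re-examines, so the value has to be rejected rather than cleaned.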