国产探花免费观看_亚洲丰满少妇自慰呻吟_97日韩有码在线_资源在线日韩欧美_一区二区精品毛片,辰东完美世界有声小说,欢乐颂第一季,yy玄幻小说排行榜完本

首頁 > 網(wǎng)站 > 建站經(jīng)驗(yàn) > 正文

eWeb_Editor v3.8 列目錄

2019-11-02 14:45:09
字體:
供稿:網(wǎng)友

   標(biāo)題:asp eWebEditor v3.8 列目錄漏洞(其他版本為測試)

  漏洞文件:asp/browse.asp

  漏洞產(chǎn)生:

 Sub InitParam()

        sType = UCase(Trim(Request.QueryString("type")))        sStyleName
網(wǎng)名大全[www.la240.com/html2017/1/]
= Trim(Request.QueryString("style"))        sCusDir = Trim(Request.QueryString("cusdir"))        Dim i, aStyleConfig, bValidStyle        bValidStyle = False        For i = 1 To Ubound(aStyle)                aStyleConfig = Split(aStyle(i), "|||")                If Lcase(sStyleName) = Lcase(aStyleConfig(0)) Then                        bValidStyle = True                        Exit For                End If        Next        If bValidStyle = False Then                OutScript("alert('Invalid Style.')")        End If        sBaseUrl = aStyleConfig(19)        nAllowBrowse = CLng(aStyleConfig(43))        nCusDirFlag = Clng(aStyleConfig(61))        If nAllowBrowse <> 1 Then                OutScript("alert('Do not allow browse!')")        End If        If nCusDirFlag <> 1 Then                sCusDir = ""        Else                sCusDir = Replace(sCusDir, "", "/")                If Left(sCusDir, 1) = "/" Or Left(sCusDir, 1) = "." Or Right(sCusDir, 1) = "." Or InStr(sCusDir, "./") > 0 Or InStr(sCusDir, "/.") > 0 Or InStr(sCusDir, "//") > 0 Then                        sCusDir = ""                Else                        If Right(sCusDir, 1) <> "/" Then                                sCusDir = sCusDir & "/"                        End If                End If        End If        sUploadDir = aStyleConfig(3)        If Left(sUploadDir, 1) <> "/" Then                sUploadDir = "../" & sUploadDir        End If        Select Case sBaseUrl        Case "0"                sContentPath = aStyleConfig(23)        Case "1"                sContentPath = RelativePath2RootPath(sUploadDir)        Case "2"                sContentPath = RootPath2DomainPath(RelativePath2RootPath(sUploadDir))        End Select    sUploadDir = sUploadDir & sCusDir        sContentPath = sContentPath & sCusDir        Select Case sType        Case "FILE"                sAllowExt = ""        Case "MEDIA"                sAllowExt = "rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov"        Case "FLASH"                sAllowExt = "swf"        Case Else                sAllowExt = "bmp|jpg|jpeg|png|gif"        End Select        sCurrDir = sUploadDir        sDir = Trim(Request("dir"))'1.假設(shè)dir= ../'2.假設(shè)dir=...//'3.假設(shè)dir=.....///        sDir = Replace(sDir, "", "/")  '過濾1        sDir = Replace(sDir, "../", "") '過濾2'1.到這里就被過濾了        sDir = Replace(sDir, "./", "") '過濾3'2到這里也被功率了'3到這里就成../了。比較有趣的饒過!好象不少cms這樣過濾過。[/color]        If sDir <> "" Then                If CheckValidDir(Server.Mappath(sUploadDir & sDir)) = True Then                        sCurrDir = sUploadDir & sDir & "/"                Else                        sDir = ""                End If        End IfEnd Sub

發(fā)表評論 共有條評論
用戶名: 密碼:
驗(yàn)證碼: 匿名發(fā)表
主站蜘蛛池模板: 长子县| 汪清县| 垫江县| 富平县| 大埔区| 齐齐哈尔市| 剑川县| 重庆市| 河东区| 进贤县| 内乡县| 丹巴县| 江孜县| 察雅县| 喜德县| 利辛县| 宁德市| 柏乡县| 盐亭县| 长乐市| 茶陵县| 额尔古纳市| 北票市| 桃源县| 大邑县| 林周县| 策勒县| 宜阳县| 武胜县| 水城县| 绵竹市| 怀宁县| 顺昌县| 南陵县| 兴和县| 竹北市| 沂源县| 金溪县| 金乡县| 当雄县| 临夏县|