
eWebEditor v3.8 Directory Listing (ASP tutorial)

2024-05-04 11:04:45
Contributed by: site user


Title: ASP eWebEditor v3.8 directory listing vulnerability (other versions not tested)

Vulnerable file: asp/browse.asp

Cause of the vulnerability:

    Sub InitParam()
        sType = UCase(Trim(Request.QueryString("type")))
        sStyleName = Trim(Request.QueryString("style"))
        sCusDir = Trim(Request.QueryString("cusdir"))

        ' Look up the requested style in the configured style list.
        Dim i, aStyleConfig, bValidStyle
        bValidStyle = False
        For i = 1 To Ubound(aStyle)
            aStyleConfig = Split(aStyle(i), "|||")
            If Lcase(sStyleName) = Lcase(aStyleConfig(0)) Then
                bValidStyle = True
                Exit For
            End If
        Next
        If bValidStyle = False Then
            OutScript("alert('Invalid Style.')")
        End If

        sBaseUrl = aStyleConfig(19)
        nAllowBrowse = CLng(aStyleConfig(43))
        nCusDirFlag = Clng(aStyleConfig(61))
        If nAllowBrowse <> 1 Then
            OutScript("alert('Do not allow browse!')")
        End If

        ' cusdir is checked by rejecting suspicious patterns outright.
        If nCusDirFlag <> 1 Then
            sCusDir = ""
        Else
            sCusDir = Replace(sCusDir, "\", "/")
            If Left(sCusDir, 1) = "/" Or Left(sCusDir, 1) = "." Or Right(sCusDir, 1) = "." _
                Or InStr(sCusDir, "./") > 0 Or InStr(sCusDir, "/.") > 0 Or InStr(sCusDir, "//") > 0 Then
                sCusDir = ""
            Else
                If Right(sCusDir, 1) <> "/" Then
                    sCusDir = sCusDir & "/"
                End If
            End If
        End If

        sUploadDir = aStyleConfig(3)
        If Left(sUploadDir, 1) <> "/" Then
            sUploadDir = "../" & sUploadDir
        End If

        Select Case sBaseUrl
        Case "0"
            sContentPath = aStyleConfig(23)
        Case "1"
            sContentPath = RelativePath2RootPath(sUploadDir)
        Case "2"
            sContentPath = RootPath2DomainPath(RelativePath2RootPath(sUploadDir))
        End Select

        sUploadDir = sUploadDir & sCusDir
        sContentPath = sContentPath & sCusDir

        Select Case sType
        Case "FILE"
            sAllowExt = ""
        Case "MEDIA"
            sAllowExt = "rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov"
        Case "FLASH"
            sAllowExt = "swf"
        Case Else
            sAllowExt = "bmp|jpg|jpeg|png|gif"
        End Select

        sCurrDir = sUploadDir

        ' dir, unlike cusdir, is "cleaned" by deleting substrings.
        sDir = Trim(Request("dir"))
        ' Case 1: assume dir = ../
        ' Case 2: assume dir = ...//
        ' Case 3: assume dir = .....///
        sDir = Replace(sDir, "\", "/")   ' Filter 1
        sDir = Replace(sDir, "../", "")  ' Filter 2
        ' Case 1 is filtered out here.
        sDir = Replace(sDir, "./", "")   ' Filter 3
        ' Case 2 is also filtered out here.
        ' Case 3 becomes ../ here: each Replace makes a single pass, so Filter 2
        ' leaves ...// and Filter 3 then leaves ../ behind.
        ' A rather interesting bypass! It seems quite a few CMSes filter this way.
        If sDir <> "" Then
            If CheckValidDir(Server.Mappath(sUploadDir & sDir)) = True Then
                sCurrDir = sUploadDir & sDir & "/"
            Else
                sDir = ""
            End If
        End If
    End Sub
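The three dir cases from the comments above, run through the same filter side by side with an allowlist check; this is an added example, not part of the original article or of eWebEditor's code. OriginalFilter and SafeRelDir are hypothetical names, the check assumes folder names contain only letters, digits, underscores and hyphens, and the script runs stand-alone under cscript.

```vbscript
Option Explicit

' The page's three-step filter, unchanged, as a stand-alone function.
Function OriginalFilter(ByVal sDir)
    sDir = Replace(sDir, "\", "/")
    sDir = Replace(sDir, "../", "")
    sDir = Replace(sDir, "./", "")
    OriginalFilter = sDir
End Function

' Hardened check (hypothetical helper): validate every path segment
' against an allowlist instead of deleting substrings from the input.
' Returns "" for anything that does not pass.
Function SafeRelDir(ByVal sDir)
    Dim oRe, aSeg, i
    SafeRelDir = ""
    sDir = Replace(Trim(sDir), "\", "/")
    If sDir = "" Then Exit Function
    Set oRe = New RegExp
    oRe.Pattern = "^[A-Za-z0-9_-]+$"
    aSeg = Split(sDir, "/")
    For i = 0 To UBound(aSeg)
        ' Empty segments (leading, trailing or doubled "/") and any
        ' segment containing a dot fail the pattern, so "." and ".."
        ' can never survive in the result.
        If Not oRe.Test(aSeg(i)) Then Exit Function
    Next
    SafeRelDir = sDir
End Function

' Constructed sample inputs: the three cases from the page's comments
' plus two benign subfolder names.
Dim aIn, s
aIn = Array("../", "...//", ".....///", "images", "2024/05")
For Each s In aIn
    WScript.Echo "in=[" & s & "] original=[" & OriginalFilter(s) & _
                 "] hardened=[" & SafeRelDir(s) & "]"
Next
```

Rejecting the whole value, as the cusdir branch of InitParam already does, avoids the problem of a deletion pass assembling a new traversal sequence from the leftover characters.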
