WooYun.org

同样的是tools/upload_ajax.ashx:
private void UpLoadFile(HttpContext context)
{
DTcms.Model.siteconfig siteConfig = new DTcms.BLL.siteconfig().loadConfig();
string _delfile = DTRequest.GetString("DelFilePath");
HttpPostedFile _upfile = context.Request.Files["Filedata"];
bool _iswater = false;
bool _isthumbnail = false;
if (DTRequest.GetQueryString("IsWater") == "1")
{
_iswater = true;
}
if (DTRequest.GetQueryString("IsThumbnail") == "1")
{
_isthumbnail = true;
}
if (_upfile == null)
{
context.Response.Write("{\"status\": 0, \"msg\": \"请选择要上传文件！\"}");
}
else
{
UpLoad upFiles = new UpLoad();
string msg = upFiles.fileSaveAs(_upfile, _isthumbnail, _iswater);
if (!string.IsNullOrEmpty(_delfile) && _delfile.ToLower().StartsWith(siteConfig.webpath.ToLower() + siteConfig.filepath.ToLower()))
{
Utils.DeleteUpFile(_delfile);
}
context.Response.Write(msg);
context.Response.End();
}
}
补丁应该就是：
if (!string.IsNullOrEmpty(_delfile) && _delfile.ToLower().StartsWith(siteConfig.webpath.ToLower() + siteConfig.filepath.ToLower()))
这里其实就是读取xmlconfig/site.config配置文件，里面有webpath => "/"和filepath => "upload"也就是说只要我们提交的DelFilePath中以/upload开头就可以绕过这个逻辑判断了，那么我们可以构造：
DelFilePath=/upload/../web.config