英雄宽频WEB站任意下载0DAY漏洞漏洞预警 -电脑资料
无意看到的,下载播放器时弹出的地址,http://10.0.2.100/web/html/download.asp?file=../../herotemp/jtplayer.exe
来看看download.asp的源码
<%
Dim path
path=Request.QueryString("file")
If path<>"" Then
On Error
path=Server.MapPath(path)
downloadfile(path)
End If
function downloadfile(fullpath)
downloadfile = false
dim strfilename, s, fso, f, intfilelength
set fso = server.createobject("scripting.filesystemobject")
if not fso.fileexists(fullpath) Then
response.write "对不起,该文件不存在"
response.end
exit function
end if
set f = fso.getfile(fullpath)
' 获取文件大小
intfilelength = f.size
set s = server.createobject("adodb.stream")
s.open
s.type = 1
s.loadfromfile(fullpath)
response.buffer = true
response.clear
'response.addheader "content-type","application/x-msdownload"
response.addheader "content-disposition","attachment;filename=" & f.name
response.addheader "content-length" ,intfilelength
response.contenttype = "application/octet-stream"
while not s.eos
response.binarywrite s.read(1024 * 64)
response.flush
wend
s.close
set s = nothing
downloadfile = true
end function
%>
直接
path=Server.MapPath(path)
downloadfile(path)
了,file赋值的时候,没做判断,直接调FSO
好了,下首页,看配置文件,
再下 WebFolderUrl=root_SiteUrl & "web/" '读取配置文件(config.xml)读电影所在目录
直接找到了配置文件,下图
有SQL,有ACCESS路径,不用说了吧,还可以直接下SYSTEM32里的可读DLL等,
英雄宽频WEB站任意下载0DAY漏洞漏洞预警
,电脑资料
《英雄宽频WEB站任意下载0DAY漏洞漏洞预警》()。。可以猜SERV-U,IIS等配置文件路径哦~呵呵
网吧用这个程序的很多的,愿官方早日修复
