发觉平昔没注入成功也尚未报错,发现直接没注入成功也并未报错澳门永利娱乐总站

小编小学文化,文采倒霉,写的不好请各位多多包括,

自然认为没什么办法了,然后查看页面源码,发现一个引用引起了笔者的令人瞩目:澳门永利娱乐总站 1

标题代码就在

今天就先到那吗。。。还得写文书档案,前些天示范项目,注定又是1个无眠夜。。。

 

世家都应该清楚 大家引用js也许css的时候平日会有../
那样的路子,其实一点也不细略,正是上面目录,

就像是此大家就足以得到web.config了,然后拼成完整的url:http://fineui.com/demo/res.axd?img=../../../../appboxpro/web.config&t=icon
 浏览器输入澳门永利娱乐总站 2

/res/images/../../web.config  

今日就先到那吗。。。还得写文书档案,明日示范项目,注定又是三个无眠夜。。。

注:屏蔽本漏洞的热切文告:http://fineui.com/bbs/forum.php?mod=viewthread&tid=7863

    近来小编喜欢商量一些代码安全方面包车型客车难点,前些日子研讨了下力软的框架,发现代码安全方面做的或许欠缺的,前几日有时候的机遇接触了下fineui,从最初叶的流入初始,都尚未怎么突破,

题材代码就在

using System;
using System.Collections.Generic;
using System.Text;
using System.Web;
using System.Reflection;
using System.IO;
using System.Drawing.Imaging;

namespace FineUI
{
    /// <summary>
    /// 资源处理程序
    /// </summary>
    public class ResourceHandler : IHttpHandler
    {
        /// <summary>
        /// 处理资源的请求
        /// </summary>
        /// <param name="context">Http请求上下文</param>
        public void ProcessRequest(HttpContext context)
        {
            string type = String.Empty;
            string typeValue = String.Empty;
            string extjsBasePath = GlobalConfig.GetExtjsBasePath();
            //resName = "FineUI.";


            if (!String.IsNullOrEmpty(typeValue = context.Request.QueryString["icon"]))
            {
                type = "icon";
            }
            //else if (!String.IsNullOrEmpty(typeValue = context.Request.QueryString["js"]))
            //{
            //    type = "js";
            //    //resName += "js." + typeValue;
            //}
            //else if (!String.IsNullOrEmpty(typeValue = context.Request.QueryString["lang"]))
            //{
            //    type = "lang";
            //    //resName += "js.lang." + typeValue;
            //}
            else if (!String.IsNullOrEmpty(typeValue = context.Request.QueryString["theme"]))
            {
                // res.axd?theme=default.grid.refresh.gif
                type = "theme";
                //resName += "res.theme." + typeValue;
            }
            //else if (!String.IsNullOrEmpty(typeValue = context.Request.QueryString["css"]))
            //{
            //    type = "css";
            //    //resName += "res.css." + typeValue;
            //}
            else if (!String.IsNullOrEmpty(typeValue = context.Request.QueryString["img"]))
            {
                type = "img";
                //resName += "res.img." + typeValue;
            }
            else
            {
                context.Response.Write("Not supported!");
                return;
            }

            //byte[] binary;
            switch (type)
            {
                case "icon":
                    if (!typeValue.EndsWith(".png") && !typeValue.EndsWith(".gif"))
                    {
                        typeValue = IconHelper.GetName((Icon)Enum.Parse(typeof(Icon), typeValue));
                    }
                    //resName += "res.icon." + typeValue;
                    string serverPath = String.Format("{0}/{1}", GlobalConfig.GetIconBasePath(), typeValue);
                    context.Response.WriteFile(context.Server.MapPath(serverPath));

                    context.Response.ContentType = "image/" + GetImageFormat(typeValue);
                    break;
                //case "js":
                //    context.Response.Write(ResourceHelper.GetResourceContent(resName));
                //    context.Response.ContentType = "text/javascript";
                //case "lang":
                //    context.Response.Write(ResourceHelper.GetResourceContent(resName));
                //    context.Response.ContentType = "text/javascript";
                //    break;
                //case "css":
                //    context.Response.Write(ResourceHelper.GetResourceContent(resName));
                //    context.Response.ContentType = "text/css";
                //    break;
                case "theme":
                    string themePath = "";
                    string themeImageFormat = "";
                    int lastDotIndex = typeValue.LastIndexOf(".");
                    if (lastDotIndex >= 0)
                    {
                        themePath = typeValue.Substring(0, lastDotIndex).Replace('.', '/');
                        themeImageFormat = typeValue.Substring(lastDotIndex + 1);
                    }

                    context.Response.WriteFile(context.Server.MapPath(String.Format("{0}/res{1}.{2}", extjsBasePath, themePath, themeImageFormat)));

                    context.Response.ContentType = "image/" + GetImageFormat(typeValue);
                    break;
                case "img":
                    //binary = ResourceHelper.GetResourceContentAsBinary(resName);
                    //context.Response.OutputStream.Write(binary, 0, binary.Length);
                    //context.Response.ContentType = "image/" + GetImageFormat(resName);


                    context.Response.WriteFile(context.Server.MapPath(String.Format("{0}/res{1}", extjsBasePath, typeValue)));

                    context.Response.ContentType = "image/" + GetImageFormat(typeValue);
                    break;
            }


            // 缓存一年,只能通过改变 URL 来强制更新缓存
            context.Response.Cache.SetExpires(DateTime.Now.AddYears(1));
            context.Response.Cache.SetCacheability(HttpCacheability.Public);
        }

        //private void RenderImage(HttpContext context, string resName)
        //{
        //    Assembly assembly = Assembly.GetExecutingAssembly();
        //    using (Stream stream = assembly.GetManifestResourceStream(resName))
        //    {
        //        using (System.Drawing.Image image = System.Drawing.Image.FromStream(stream))
        //        {
        //            // PNG输出时出现“GDI+ 中发生一般性错误”
        //            using (MemoryStream ms = new MemoryStream())
        //            {
        //                image.Save(ms, image.RawFormat);
        //                ms.WriteTo(context.Response.OutputStream);
        //                context.Response.ContentType = "image/" + GetImageFormat(image.RawFormat);
        //            }
        //        }
        //    }
        //}

        private string GetImageFormat(string imageName)
        {
            int lastDotIndex = imageName.LastIndexOf(".");
            if (lastDotIndex >= 0)
            {
                return imageName.Substring(lastDotIndex + 1);
            }
            return "png";
        }

        private string GetImageFormat(ImageFormat format)
        {
            if (format == ImageFormat.Bmp)
            {
                return "bmp";
            }
            else if (format == ImageFormat.Gif)
            {
                return "gif";
            }
            else if (format == ImageFormat.Jpeg)
            {
                return "jpeg";
            }
            else if (format == ImageFormat.Png)
            {
                return "png";
            }
            else if (format == ImageFormat.Tiff)
            {
                return "tiff";
            }
            else if (format == ImageFormat.Icon)
            {
                return "icon";
            }
            return "gif";
        }


        /// <summary>
        /// 只要请求的 URL 相同,则请求可以重用
        /// </summary>
        public bool IsReusable
        {
            get
            {
                return true;
            }
        }
    }
}

最好就想开列其余排序,从列别排序注入,弄了漫漫,发现平素没注入成功也尚未报错,小编就极度意外,然后看了下fineui的开源版,看了代码,发现原本她是判断的
,不是东拼西凑的,难怪注入战败,

我们都应当清楚 我们引用js只怕css的时候时不时会有../
那样的不二法门,其实很简单,正是上级目录,

看了下,喜气洋洋啊。。太好了,不精通你们看到难题来了从未有过,

澳门永利娱乐总站,注:屏蔽本漏洞的迫切文告:http://fineui.com/bbs/forum.php?mod=viewthread&tid=7863

就这么我们就能够获得web.config了,然后拼成完整的url:http://fineui.com/demo/res.axd?img=../../../../appboxpro/web.config&t=icon
浏览器输入澳门永利娱乐总站 3

自然以为没什么办法了,然后查看页面源码,发现贰个引用引起了小编的注意:澳门永利娱乐总站 4

澳门永利娱乐总站 5澳门永利娱乐总站 6澳门永利娱乐总站 7

以此地点,于是去看了下他的源码

    方今小编喜欢钻研一些代码安全方面包车型大巴难题,前些日子探究了下力软的框架,发现代码安全地点做的依旧欠缺的,前天有时的机会接触了下fineui,从最开首的注入起头,都尚未怎么突破,

ok
web.config就这么被砍下来了,,,当然,web.config都打下了,别的也就都没什么可说的了,

其一地方,于是去看了下她的源码

  case "img":
                    //binary = ResourceHelper.GetResourceContentAsBinary(resName);
                    //context.Response.OutputStream.Write(binary, 0, binary.Length);
                    //context.Response.ContentType = "image/" + GetImageFormat(resName);


                    context.Response.WriteFile(context.Server.MapPath(String.Format("{0}/res{1}", extjsBasePath, typeValue)));

                    context.Response.ContentType = "image/" + GetImageFormat(typeValue);
                    break;
using System;using System.Collections.Generic;using System.Text;using System.Web;using System.Reflection;using System.IO;using System.Drawing.Imaging;namespace FineUI{    /// <summary>    /// 资源处理程序    /// </summary>    public class ResourceHandler : IHttpHandler    {        /// <summary>        /// 处理资源的请求        /// </summary>        /// <param name="context">Http请求上下文</param>        public void ProcessRequest(HttpContext context)        {            string type = String.Empty;            string typeValue = String.Empty;            string extjsBasePath = GlobalConfig.GetExtjsBasePath();            //resName = "FineUI.";            if (!String.IsNullOrEmpty(typeValue = context.Request.QueryString["icon"]))            {                type = "icon";            }            //else if (!String.IsNullOrEmpty(typeValue = context.Request.QueryString["js"]))            //{            //    type = "js";            //    //resName += "js." + typeValue;            //}            //else if (!String.IsNullOrEmpty(typeValue = context.Request.QueryString["lang"]))            //{            //    type = "lang";            //    //resName += "js.lang." + typeValue;            //}            else if (!String.IsNullOrEmpty(typeValue = context.Request.QueryString["theme"]))            {                // res.axd?theme=default.grid.refresh.gif                type = "theme";                //resName += "res.theme." + typeValue;            }            //else if (!String.IsNullOrEmpty(typeValue = context.Request.QueryString["css"]))            //{            //    type = "css";            //    //resName += "res.css." + typeValue;            //}            else if (!String.IsNullOrEmpty(typeValue = context.Request.QueryString["img"]))            {                type = "img";                //resName += "res.img." + typeValue;            }            else            {                context.Response.Write("Not supported!");                return;            }            //byte[] binary;            switch             {                case "icon":                    if (!typeValue.EndsWith(".png") && !typeValue.EndsWith(".gif"))                    {                        typeValue = IconHelper.GetNameEnum.Parse(typeof, typeValue));                    }                    //resName += "res.icon." + typeValue;                    string serverPath = String.Format("{0}/{1}", GlobalConfig.GetIconBasePath(), typeValue);                    context.Response.WriteFile(context.Server.MapPath(serverPath));                    context.Response.ContentType = "image/" + GetImageFormat(typeValue);                    break;                //case "js":                //    context.Response.Write(ResourceHelper.GetResourceContent;                //    context.Response.ContentType = "text/javascript";                //case "lang":                //    context.Response.Write(ResourceHelper.GetResourceContent;                //    context.Response.ContentType = "text/javascript";                //    break;                //case "css":                //    context.Response.Write(ResourceHelper.GetResourceContent;                //    context.Response.ContentType = "text/css";                //    break;                case "theme":                    string themePath = "";                    string themeImageFormat = "";                    int lastDotIndex = typeValue.LastIndexOf(".");                    if (lastDotIndex >= 0)                    {                        themePath = typeValue.Substring(0, lastDotIndex).Replace('.', '/');                        themeImageFormat = typeValue.Substring(lastDotIndex + 1);                    }                    context.Response.WriteFile(context.Server.MapPath(String.Format("{0}/res/images/{1}.{2}", extjsBasePath, themePath, themeImageFormat)));                    context.Response.ContentType = "image/" + GetImageFormat(typeValue);                    break;                case "img":                    //binary = ResourceHelper.GetResourceContentAsBinary;                    //context.Response.OutputStream.Write(binary, 0, binary.Length);                    //context.Response.ContentType = "image/" + GetImageFormat;                                        context.Response.WriteFile(context.Server.MapPath(String.Format("{0}/res/images/{1}", extjsBasePath, typeValue)));                    context.Response.ContentType = "image/" + GetImageFormat(typeValue);                    break;            }            // 缓存一年,只能通过改变 URL 来强制更新缓存            context.Response.Cache.SetExpires(DateTime.Now.AddYears(1));            context.Response.Cache.SetCacheability(HttpCacheability.Public);        }        //private void RenderImage(HttpContext context, string resName)        //{        //    Assembly assembly = Assembly.GetExecutingAssembly();        //    using (Stream stream = assembly.GetManifestResourceStream        //    {        //        using (System.Drawing.Image image = System.Drawing.Image.FromStream        //        {        //            // PNG输出时出现“GDI+ 中发生一般性错误”        //            using (MemoryStream ms = new MemoryStream        //            {        //                image.Save(ms, image.RawFormat);        //                ms.WriteTo(context.Response.OutputStream);        //                context.Response.ContentType = "image/" + GetImageFormat(image.RawFormat);        //            }        //        }        //    }        //}        private string GetImageFormat(string imageName)        {            int lastDotIndex = imageName.LastIndexOf(".");            if (lastDotIndex >= 0)            {                return imageName.Substring(lastDotIndex + 1);            }            return "png";        }        private string GetImageFormat(ImageFormat format)        {            if (format == ImageFormat.Bmp)            {                return "bmp";            }            else if (format == ImageFormat.Gif)            {                return "gif";            }            else if (format == ImageFormat.Jpeg)            {                return "jpeg";            }            else if (format == ImageFormat.Png)            {                return "png";            }            else if (format == ImageFormat.Tiff)            {                return "tiff";            }            else if (format == ImageFormat.Icon)            {                return "icon";            }            return "gif";        }        /// <summary>        /// 只要请求的 URL 相同,则请求可以重用        /// </summary>        public bool IsReusable        {            get            {                return true;            }        }    }}

澳门永利娱乐总站 8澳门永利娱乐总站 9澳门永利娱乐总站 10

ok
web.config就这么被拿下来了,,,当然,web.config都攻破了,别的也就都没事儿可说的了,

作者们就使用这几个../  把小编写的/res给去掉  也正是变成路径  

  case "img":                    //binary = ResourceHelper.GetResourceContentAsBinary;                    //context.Response.OutputStream.Write(binary, 0, binary.Length);                    //context.Response.ContentType = "image/" + GetImageFormat;                                        context.Response.WriteFile(context.Server.MapPath(String.Format("{0}/res/images/{1}", extjsBasePath, typeValue)));                    context.Response.ContentType = "image/" + GetImageFormat(typeValue);                    break;

看了下,满面红光呀。。太好了,不理解你们看看难点来了从未,

咱俩就选取那个../ 把作者写的/res/images/给去掉 也正是变成路径

 

本人小学文化,文采倒霉,写的不佳请各位多多包罗,

最好就想开列其他排序,从列别排序注入,弄了好久,发现直接没注入成功也从未报错,小编就极度想不到,然后看了下fineui的开源版,看了代码,发现原先他是判定的
,不是东拼西凑的,难怪注入失利,

/res../../web.config  

相关文章