0x00 简介

UEditor 的.NET版本N年前爆出一个远程下载漏洞。

0x01 漏洞成因

URL:

http://192.168.110.129:520/gbk-net/net/controller.ashx?action=catchimage

在POC中请求的URL如上,直接定位到文件controller.ashx

utf8-net\net\controller.ashx


case "listfile":
    action = new ListFileManager(context, Config.GetString("fileManagerListPath"), Config.GetStringList("fileManagerAllowFiles"));
    break;
case "catchimage":
    action = new CrawlerHandler(context);
    break;

catchimage 调用CrawlerHandler 进而跟进CrawlerHandler

utf8-net\net\App_Code\CrawlerHandler.cs


public class CrawlerHandler : Handler
{
    private string[] Sources;
    private Crawler[] Crawlers;
    public CrawlerHandler(HttpContext context) : base(context) { }

    public override void Process()
    {
        Sources = Request.Form.GetValues("source[]");
        if (Sources == null || Sources.Length == 0)
        {
            WriteJson(new
            {
                state = "参数错误:没有指定抓取源"
            });
            return;
        }
        Crawlers = Sources.Select(x => new Crawler(x, Server).Fetch()).ToArray();
        WriteJson(new
        {
            state = "SUCCESS",
            list = Crawlers.Select(x => new
            {
                state = x.State,
                source = x.SourceUrl,
                url = x.ServerUrl
            })
        });
    }
}

CrawlerHandler获取Sources判断是否为空,这里只需要构造Sources[]=url即可,然后后调用Crawler Fetch

Crawler Fetch()


public Crawler Fetch()
{
    if (!IsExternalIPAddress(this.SourceUrl))
    {
        State = "INVALID_URL";
        return this;
    }
    var request = HttpWebRequest.Create(this.SourceUrl) as HttpWebRequest;
    using (var response = request.GetResponse() as HttpWebResponse)
    {
        if (response.StatusCode != HttpStatusCode.OK)
        {
            State = "Url returns " + response.StatusCode + ", " + response.StatusDescription;
            return this;
        }
        if (response.ContentType.IndexOf("image") == -1)
        {
            State = "Url is not an image";
            return this;
        }
        ServerUrl = PathFormatter.Format(Path.GetFileName(this.SourceUrl), Config.GetString("catcherPathFormat"));
        var savePath = Server.MapPath(ServerUrl);
        if (!Directory.Exists(Path.GetDirectoryName(savePath)))
        {
            Directory.CreateDirectory(Path.GetDirectoryName(savePath));
        }
        try
        {
            var stream = response.GetResponseStream();
            var reader = new BinaryReader(stream);
            byte[] bytes;
            using (var ms = new MemoryStream())
            {
                byte[] buffer = new byte[4096];
                int count;
                while ((count = reader.Read(buffer, 0, buffer.Length)) != 0)
                {
                    ms.Write(buffer, 0, count);
                }
                bytes = ms.ToArray();
            }
            File.WriteAllBytes(savePath, bytes);
            State = "SUCCESS";
        }
        catch (Exception e)
        {
            State = "抓取错误:" + e.Message;
        }
        return this;
    }
}

这里首先调用函数IsExternalIPAddress 判断你是不是一个正常的域名,不是则return
然后请求传入的URL查看是否响应200,再判断ContentType是否为image,在这里其实只要构建服务器返回的Content-Typeimage/xxxx即可,重点在PathFormatter我们跟进。

utf8-net\net\App_Code\PathFormater.cs


public static string Format(string originFileName, string pathFormat)
{
    if (String.IsNullOrWhiteSpace(pathFormat))
    {
        pathFormat = "{filename}{rand:6}";
    }

    var invalidPattern = new Regex(@"[\\\/\:\*\?\042\<\>\|]");
    originFileName = invalidPattern.Replace(originFileName, "");  //替换正则匹配到的为空1.png.aspx

    string extension = Path.GetExtension(originFileName); //.aspx
    string filename = Path.GetFileNameWithoutExtension(originFileName);

    pathFormat = pathFormat.Replace("{filename}", filename);
    pathFormat = new Regex(@"\{rand(\:?)(\d+)\}", RegexOptions.Compiled).Replace(pathFormat, new MatchEvaluator(delegate(Match match)
    {
        var digit = 6;
        if (match.Groups.Count > 2)
        {
            digit = Convert.ToInt32(match.Groups[2].Value);
        }
        var rand = new Random();
        return rand.Next((int)Math.Pow(10, digit), (int)Math.Pow(10, digit + 1)).ToString();
    }));

    pathFormat = pathFormat.Replace("{time}", DateTime.Now.Ticks.ToString());
    pathFormat = pathFormat.Replace("{yyyy}", DateTime.Now.Year.ToString());
    pathFormat = pathFormat.Replace("{yy}", (DateTime.Now.Year % 100).ToString("D2"));
    pathFormat = pathFormat.Replace("{mm}", DateTime.Now.Month.ToString("D2"));
    pathFormat = pathFormat.Replace("{dd}", DateTime.Now.Day.ToString("D2"));
    pathFormat = pathFormat.Replace("{hh}", DateTime.Now.Hour.ToString("D2"));
    pathFormat = pathFormat.Replace("{ii}", DateTime.Now.Minute.ToString("D2"));
    pathFormat = pathFormat.Replace("{ss}", DateTime.Now.Second.ToString("D2"));

    return pathFormat + extension;
}

整个逻辑流程就是 originFileName: 1.png?.aspx -> 1.png.aspx - > .aspx

pathFormat: 获取config.json的格式 然后拼接返回保存文件的路径,可以把代码单独扣出来运行。

其实我们直接控制Content-Typeimage/xxxx 后缀名为我们想要的即可,比如

http://192.168.110.1:8000/1.ashx

0x02 总结

有的网上的poc只是为了方便大多数环境,当我们细读源码后知道新的方法往往能找到一些WAF绕过的技巧。

点击关注,共同学习!
安全狗的自我修养

github haidragon

https://github.com/haidragon

原文地址:http://www.cnblogs.com/haidragon/p/16865242.html

1. 本站所有资源来源于用户上传和网络,如有侵权请邮件联系站长! 2. 分享目的仅供大家学习和交流,请务用于商业用途! 3. 如果你也有好源码或者教程,可以到用户中心发布,分享有积分奖励和额外收入! 4. 本站提供的源码、模板、插件等等其他资源,都不包含技术服务请大家谅解! 5. 如有链接无法下载、失效或广告,请联系管理员处理! 6. 本站资源售价只是赞助,收取费用仅维持本站的日常运营所需! 7. 如遇到加密压缩包,默认解压密码为"gltf",如遇到无法解压的请联系管理员! 8. 因为资源和程序源码均为可复制品,所以不支持任何理由的退款兑现,请斟酌后支付下载 声明:如果标题没有注明"已测试"或者"测试可用"等字样的资源源码均未经过站长测试.特别注意没有标注的源码不保证任何可用性