oblog4.5վ©԰

[oblog4.5վ©԰ ȫ]
[ԭ]oblog4.5վ©԰
Source: Evil Octal Information Security Team (www.eviloctal.com)
ߣҶ׷[S.S.T]
    oblog׳ӦöϤ˰ɣƾļࡢȫȶΪڶûblogѡģϸ²ųoblog4.5°룬˭֪ȻNXSS㡣
    ȸҿһĿվ㣬Ȼüֵ󣬵Ҿÿ˼·ҿѧϰ¡upload.aspuser_files.aspļ©롣
upload.asp:
....ʡԲִ....
Set File = Upload.UploadFiles(FormName)
F_FileName = FilePath & File.FileName
file_name = File.FileName
//ļֵḶ́ϴ̵Ĵ룬ʡԡ

user_files.asp
....ʡԲִ....
<%
i=0
Do while not rs.eof
imgsrc = rs("file_path")
ext=rs("file_ext")
If InStr("jpg,jpeg,gif,bmp,png,psd",ext) Then
imgsrc0 = imgsrc
Else
imgsrc0 = "images/nopic.gIf"
End if
%>
....ʡԲִ....
<a href="<%=imgsrc%>" onclick="chk_iddiv(''<%=cstr(rs("fileid"))%>'')" target="_blank" title="cssbody=[dogvdvbdy] cssheader=[dogvdvhdr] body=[<table cellpadding=''0''><tr><td><img src=''<%=imgsrc0%>'' onload=''javascript:if(this.width>190){this.resized=true;this.style.width=190;}'' /></td></tr></table>] fixedabsx=[5] fixedabsy=[47]"><%=OB_IIF(rs("file_showname"),rs("file_name"))%></a></td>
....ʡԲִ....
    趨ֻϴ׺Ϊjpg,jpeg,gif,bmp,png,psdļҺĴƺ©κιϵǸôأüҵδ룬©ûйϵϸһ£ǽupload.aspļϴʱļôǰļΪվ+׺ϴǲǾͿԳɹִпվأwindowsԣļвܺС/\|:<>?*"⼸ַͼ1

 
    ѻ뵽renameļǾԷ֣rename޸ļʱֻҪַͻ޸ʧܡôǸ©أЩϵͳ˵ַǿԷûйˡ%ôǿɲ԰ļ̨ٴأʵ£URLѡ''><script>alert()</script><''δһ£ַΪ%27%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E%3C%27ͼ2

 
    OKٰһͼƬļΪ%27%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E%3C%27.gifɹõģǰϷϴɹǴ򿪡ͼƬļͼ3

 
    ǺǣվɹվòΪֻԼܿԭļֻҿһµĿվ˼·ѡ
    ٿһվ㣬վuser_photo.aspuser_subject.aspindex.aspļУǵ©룺
user_subject.asp:
....ʡԲִ....
Sub addclass()
Dim subjectname, rs, ordernum,ishide
subjectname = Trim(request.Form("subjectname"))
....ʡԲִ....
If subjectname = "" Or oblog.strLength(subjectname) > 50 Then oblog.adderrstr ("ΪҲܴ50ַ)")
....ʡԲִ....
    rs.open "select top 1 * from [oblog_subject] Where SubjectType=" & t, conn, 1, 3
    rs.addnew
    rs("subjectname") = subjectname
    rs("userid") = oblog.l_uid
    rs("ordernum") = ordernum
    rs("subjectType") = t
    If ishide = "on" Then RS("ishide") = 1 Else rs("ishide") = 0
    rs.Update
....ʡԲִ....
user_photo.asp:
....ʡԲִ....
ҵķ:
<%=subjectname%>
....ʡԲִ....
index.aspļǵµݲʱindex.htmlļ,,վĴͲ뵽index.htmlļˡ
    £עûǽ롰ų̂Ȼ١ᡱѡѡࡱࡱϵġӷࡱڷ롰"><script>alert(56)</script><",Ȼӡťͼ4

 
    ˣˣվЧ򿪡ôվĴִ˰ɣͼ5

 
    ȥҳɣôվҳҳɹִˣͼ6

 
        ǺǣȤ˰ɣٿվ㣬վuser_team.aspmanager/m_team.aspļСoblog4.0ʱڹٷԳɹˣٷ37ŷ˲Ϊ©4.5ˣ˭֪ȻǸأ©룺
user_team.asp:
....ʡԲִ....
ico = Trim(Request.Form("ico"))
....ʡԲִ....
rs.AddNew
rs("t_name")=name
rs("t_ico")=ico
rs("joinlimit")=t1
rs("joinscores")=t2
....ʡԲִ....
rs.Update
rs.Close
rs.Open "select Max(teamid) From oblog_team Where createrid=" & oblog.l_uid
tid=rs(0)
rs.Close
....ʡԲִ....
manager/m_team.asp
....ʡԲִ....
<%=rs("t_ico")%>  //t_icoղŵıico
....ʡԲִ....
    ˰ɣicoûκι˾Ͷݿȥˣ¡򿪡ȦӡѡѡġȦӡڵıеġⲿáվ롰"><script>alert(1)</script><"Ȼȷύˣǽݹ̨ġȦӹôվִ˰ɣͼ7

 
    ȥҳҲɹִˣͼ8
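All three spots quoted from the source (user_files.asp writing the file name into an anchor, user_photo.asp writing subjectname, manager/m_team.asp writing t_ico) write a user-supplied value straight into HTML with <%=...%>, and upload.asp keeps File.FileName unchanged. The following classic ASP page is an added example written for this article; it is not OBlog's code. It shows the defender's fix: strip the characters the article names as forbidden in Windows file names, and HTML-encode every stored value at the point where it is rendered. The function names SafeFileName and H are hypothetical; Server.HTMLEncode is the standard classic ASP method. The sample values reuse the strings shown in the article and are constructed here for demonstration.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example, not OBlog's own code. SafeFileName and H are hypothetical names.

' Characters Windows rejects in a file name (the set the article lists).
Const BAD_FILENAME_CHARS = "/\|:<>?*"""

' Removes every disallowed character from an uploaded or renamed file name,
' so the name neither fails on the file system nor carries quotes or brackets.
Function SafeFileName(rawName)
    Dim i, ch, cleaned
    cleaned = ""
    For i = 1 To Len(rawName)
        ch = Mid(rawName, i, 1)
        If InStr(BAD_FILENAME_CHARS, ch) = 0 Then cleaned = cleaned & ch
    Next
    SafeFileName = Trim(cleaned)
End Function

' Encodes a user-controlled value for an HTML body or a quoted attribute.
' Server.HTMLEncode handles & < > " but leaves the apostrophe alone; the
' quoted OBlog markup nests single-quoted attributes inside the title
' attribute, so the apostrophe is encoded here explicitly as well.
Function H(value)
    H = Replace(Server.HTMLEncode(CStr(value)), "'", "&#39;")
End Function

' Constructed sample values standing in for file_name, subjectname and t_ico
' as they would come back from the database (same strings as in the article).
Dim fileName, subjectName, teamIco
fileName    = "%27%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E%3C%27.gif"
subjectName = """><script>alert(56)</script><"""
teamIco     = """><script>alert(1)</script><"""
%>
<!-- The three output points the article quotes, with encoding applied.
     The stored strings are unchanged; they are rendered as text, not markup. -->
<a href="<%=H(fileName)%>" title="<%=H(fileName)%>" target="_blank"><%=H(SafeFileName(fileName))%></a>
<div><%=H(subjectName)%></div>
<div><%=H(teamIco)%></div>
```

Encoding at the output point, rather than only when the value is saved, protects every page that renders the same field: the listing in user_files.asp, the index.html that the article says index.asp generates from user_photo.asp data, and the admin-side manager/m_team.asp. The explicit &#39; replacement matters because Server.HTMLEncode does not touch the apostrophe, and the quoted title attribute wraps its inner src and other attributes in single quotes.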

 
    ܽ᣺ܶ˶ÿվһЩûõС©ѣʵվΣǷǳģֻǿǷ񶮵ðˣҶȥһЩ۽űȫ̳ѧϰ£hackyoumilw0rmվǸѡ