Oblog文件下载漏洞 愚人节的礼物

1
<!-- #include file="inc/inc_syssite.asp" -->
2
<%
3
Dim Path,rs,FileID,ShowDownErr,uid,file_ext
4
Dim SQL
5
Path = Trim(Request("path"))
6
FileID = Trim(Request("FileID"))
7
If FileID ="" And Path = "" Then
8
    Response.Write "参数不足"
9
    Response.End
10
End If
11
If CheckDownLoad Then
12
    If Path = "" Then
13
        set rs = Server.CreateObject("ADODB.RecordSet")
14
        link_database
15
        SQL = ("select file_path,userid,file_ext,ViewNum FROM oblog_upfile Where FileID = "&CLng(FileID))
159 collapsed lines
16
        rs.open sql,conn,1,3
17
        If Not rs.Eof Then
18
            uid = rs(1)
19
            file_ext = rs(2)
20
            rs("ViewNum") = rs("ViewNum") + 1
21
            rs.Update
22
            downloadFile Server.MapPath(rs(0)),0
23
        Else
24
            Response.Status=404
25
            Response.Write "该附件不存在!"
26
        End If
27
        rs.Close
28
        Set rs = Nothing
29
    Else
30
        If true_domain    =    1 Then
31
        downloadFile Server.MapPath(Replace(Path,blogurl,"")),1
32
        else
33
        downloadFile Server.MapPath(Path),1
34
        End If
35
    End If
36
Else
37
    '如果附件为图片的话，当权限检验无法通过则调用一默认图片，防止<img>标记无法调用，影响显示效果
38
    If Path = "" Then
39
        Response.Status=403
40
        Response.Write ShowDownErr
41
        Response.End
42
    Else
43
        downloadFile Server.MapPath(blogdir&"images/oblog_powered.gif"),1
44
    End if
45
End if
46

47
Set oblog = Nothing
48

49
Sub downloadFile(strFile,stype)
50
    On Error Resume Next
51
    Server.ScriptTimeOut=9999999
52
    Dim S,fso,f,intFilelength,strFilename
53
    strFilename = strFile
54
    Response.Clear
55
    Set s = Server.CreateObject(oblog.CacheCompont(2))
56
    s.Open
57
    s.Type = 1
58
    Set fso = Server.CreateObject(oblog.CacheCompont(1))
59
    If Not fso.FileExists(strFilename) Then
60
        If stype = 0 Then
61
            Response.Status=404
62
            Response.Write "该附件已经被删除!"
63
            Exit Sub
64
        Else
65
            strFilename = Server.MapPath(blogdir&"images/nopic.gif")
66
        End if
67
    End If
68
    Set f = fso.GetFile(strFilename)
69
    intFilelength = f.size
70
    s.LoadFromFile(strFilename)
71
    If Err Then
72
         Response.Write("<h1>错误: </h1>" & Err.Description & "<p>")
73
        Response.End
74
    End If
75
    Set fso=Nothing
76
    Dim Data
77
    Data=s.Read
78
    s.Close
79
    Set s=Nothing
80
    Dim ContentType
81
    select Case LCase(Right(strFile, 4))
82
    Case ".asf"
83
        ContentType = "video/x-ms-asf"
84
    Case ".avi"
85
        ContentType = "video/avi"
86
    Case ".doc"
87
        ContentType = "application/msword"
88
    Case ".zip"
89
        ContentType = "application/zip"
90
    Case ".xls"
91
        ContentType = "application/vnd.ms-excel"
92
    Case ".gif"
93
        ContentType = "image/gif"
94
    Case ".jpg", "jpeg"
95
        ContentType = "image/jpeg"
96
    Case ".wav"
97
        ContentType = "audio/wav"
98
    Case ".mp3"
99
        ContentType = "audio/mpeg3"
100
    Case ".mpg", "mpeg"
101
        ContentType = "video/mpeg"
102
    Case ".rtf"
103
        ContentType = "application/rtf"
104
    Case ".htm", "html"
105
        ContentType = "text/html"
106
    Case ".txt"
107
        ContentType = "text/plain"
108
    Case Else
109
        ContentType = "application/octet-stream"
110
    End select
111
    If Response.IsClientConnected Then
112
        If Not (InStr(LCase(f.name),".gif")>0 or InStr(LCase(f.name),".jpg")>0 or InStr(LCase(f.name),".jpeg")>0 or InStr(LCase(f.name),".bmp")>0 or InStr(LCase(f.name),".png")>0 )Then
113
            Response.AddHeader "Content-Disposition", "attachment; filename=" & f.name
114
        End If
115
        Response.AddHeader "Content-Length", intFilelength
116
        Response.CharSet = "UTF-8"
117
        Response.ContentType = ContentType
118
        Response.BinaryWrite Data
119
        Response.Flush
120
        Response.Clear()
121
    End If
122
End Sub
123
'验证下载权限
124
Function CheckDownLoad()
125
    On Error Resume Next
126
    CheckDownLoad = False
127
    '如果不允许游客下载附件
128
    If oblog.CacheConfig(67) = "1" Then
129
        If oblog.ChkPost = False Then
130
            ShowDownErr = "无浏览附件权限"
131
            Exit Function
132
        End If
133
    Else
134
        If oblog.CheckUserLogined = False Then
135
            If oblog.CacheConfig(82) = "0" Then
136
                ShowDownErr = "游客无浏览附件权限"
137
                Exit Function
138
            End if
139
        Else
140
            '如果此浏览者为上传者则返回True
141
            If uid = oblog.l_uid Then
142
                CheckDownLoad = True
143
                Exit Function
144
            End if
145
            '如果当前用户组不允许下载附件
146
            If oblog.l_Group(35,0) = "0" Then
147
                ShowDownErr = "当前用户组无浏览附件权限"
148
                Exit Function
149
            Else
150
                '如果下载附件需扣除积分
151
                If oblog.CacheScores(21) >"0" Then
152
                    '如果当前积分小于下载附件需扣除的积分
153
                    If oblog.l_uScores < Int(oblog.CacheScores(21)) Then
154
                        ShowDownErr = "积分不足，无浏览附件权限"
155
                        Exit Function
156
                    Else
157
                        '执行扣分操作
158
                        oblog.GiveScore "",-1*Abs(oblog.CacheScores(21)),""
159
                        Session ("CheckUserLogined_"&oblog.l_uName) = ""
160
                        Oblog.CheckUserLogined()
161
                        ShowDownErr = ""
162
                    End If
163
                End If
164
            End if
165
        End If
166
    End If
167
    If Err Then
168
        CheckDownLoad = False
169
        ShowDownErr = Err.Description
170
        Err.Clear
171
    End If
172
    CheckDownLoad = True
173
End Function
174
%>