Path = Trim(Request("path")) '获取用户提交的路径 FileID = Trim(Request("FileID")) If FileID ="" And Path = "" Then Response.Write "参数不足" Response.End End If ... If CheckDownLoad Or 1= 1Then If Path = "" Then set rs = Server.CreateObject("ADODB.RecordSet") link_database SQL = ("select file_path,userid,file_ext,ViewNum FROM oblog_upfile WHERE FileID = "&CLng(FileID)) rs.open sql,conn,1,3 If Not rs.Eof Then uid = rs(1) file_ext = rs(2) rs("ViewNum") = rs("ViewNum") + 1 rs.Update downloadFile Server.MapPath(rs(0)),0 Else Response.Status=404 Response.Write "该附件不存在!" End If rs.Close Set rs = Nothing Else If InStr(path,Oblog.CacheConfig(56)) > 0 Then 'Tr4c3 标注:注意这里,仅仅判断用户提交的路径是否包含UploadFiles,为真则调用downloadfile函数下载文件 downloadFile Server.MapPath(Path),1 End if End If Else '如果附件为图片的话,当权限检验无法通过则调用一默认图片,防止<img>标记无法调用,影响显示效果 If Path = "" Then Response.Status=403 Response.Write ShowDownErr Response.End Else downloadFile Server.MapPath(blogdir&"images/oblog_powered.gif"),1 End if End if
Set oblog = Nothing
Sub downloadFile(strFile,stype) On Error Resume Next Server.ScriptTimeOut=9999999 Dim S,fso,f,intFilelength,strFilename strFilename = strFile Response.Clear Set s = Server.CreateObject(oblog.CacheCompont(2)) s.Open s.Type = 1 Set fso = Server.CreateObject(oblog.CacheCompont(1)) If Not fso.FileExists(strFilename) Then If stype = 0 Then Response.Status=404 Response.Write "该附件已经被删除!" Exit Sub Else strFilename = Server.MapPath(blogdir&"images/nopic.gif") End if End If Set f = fso.GetFile(strFilename) intFilelength = f.size s.LoadFromFile(strFilename) If Err Then Response.Write("<h1>错误: </h1>" & Err.Description & "<p>") Response.End End If Set fso=Nothing Dim Data Data=s.Read s.Close Set s=Nothing Dim ContentType select Case LCase(Right(strFile, 4)) Case ".asp",".mdb",".config",".js" 'Tr4c3 标注:再看这里,想起来什么来了?对了,前几天我发的沸腾展望新闻系统的任意下载漏洞跟这个检查的方法差不多[http://www.tr4c3.com /post/306.html],利用方法也相似,神奇的"."又派上用场了。 Exit Sub Case ".asf" ContentType = "video/x-ms-asf" Case ".avi" ContentType = "video/avi" Case ".doc" ContentType = "application/msword" Case ".zip" ContentType = "application/zip" Case ".xls" ContentType = "application/vnd.ms-excel" Case ".gif" ContentType = "image/gif" Case ".jpg", "jpeg" ContentType = "image/jpeg" Case ".wav" ContentType = "audio/wav" Case ".mp3" ContentType = "audio/mpeg3" Case ".mpg", "mpeg" ContentType = "video/mpeg" Case ".rtf" ContentType = "application/rtf" Case ".htm", "html" ContentType = "text/html" Case ".txt" ContentType = "text/plain" Case Else ContentType = "application/octet-stream" End select If Response.IsClientConnected Then If Not (InStr(LCase(f.name),".gif")>0 Or InStr(LCase(f.name),".jpg")>0 Or InStr(LCase(f.name),".jpeg")>0 Or InStr(LCase(f.name),".bmp")>0 Or InStr(LCase(f.name),".png")>0 )Then Response.AddHeader "Content-Disposition", "attachment; filename=" & f.name End If Response.AddHeader "Content-Length", intFilelength Response.CharSet = "UTF-8" Response.ContentType = ContentType Response.BinaryWrite Data Response.Flush Response.Clear() End If End Sub
