- 2016-04-19: Details reported to the vendor, awaiting the vendor's response
- 2016-04-20: Vendor has confirmed; details disclosed to the vendor only
- 2016-04-23: Details opened to third-party security partners (NSFOCUS 绿盟科技, 唐朝安全巡航, 无声信息)
- 2016-06-14: Details opened to core white hats and relevant domain experts
- 2016-06-24: Details opened to regular white hats
- 2016-07-04: Details opened to intern white hats
- 2016-07-19: Details made public
There is no source code, but it can be audited by decompiling, and the code is sloppy enough to contain a vulnerability.
This one is in the SignatureDownLoad class. The snippet is as follows:
```java
public class SignatureDownLoad extends HttpServlet {
    public void doGet(HttpServletRequest paramHttpServletRequest, HttpServletResponse paramHttpServletResponse)
            throws ServletException, IOException {
        // getFileidIn simply returns the string it was given; Util.null2String only handles null.
        String str1 = Util.getFileidIn(Util.null2String(paramHttpServletRequest.getParameter("markId")));
        String str2 = Util.null2String(paramHttpServletRequest.getParameter("download"));
        ... // omitted in the original snippet; str3, str5, str6 and arrayOfByte are presumably declared here
        ConnStatement localConnStatement = new ConnStatement();
        try {
            String str8 = "select markPath from DocSignature where markId = " + str1; // attacker-controlled
            boolean bool = localConnStatement.getDBType().equals("oracle");
            localConnStatement.setStatementSql(str8); // passed straight into the query
            localConnStatement.executeQuery();
            if (localConnStatement.next()) {
                // The result row can be controlled via UNION, so markPath, i.e. str5, is controllable.
                str5 = Util.null2String(localConnStatement.getString("markPath"));
                BufferedInputStream localBufferedInputStream = null;
                str3 = "application/octet-stream";
                paramHttpServletResponse.setHeader("content-disposition", "attachment; filename=markPicture.jpg");
                System.out.println("realPath:" + str5);
                if (str5.equals("")) {
                    if (bool) {
                        localBufferedInputStream = new BufferedInputStream(localConnStatement.getBlobBinary("imagefile"));
                    } else {
                        localBufferedInputStream = new BufferedInputStream(localConnStatement.getBinaryStream("imagefile"));
                    }
                } else { // str5 is not empty
                    Object localObject1 = new File(str5); // str5 is controllable, so any path can be supplied
                    if (str6.equals("1")) {
                        ZipInputStream localZipInputStream = new ZipInputStream(new FileInputStream((File) localObject1));
                        if (localZipInputStream.getNextEntry() != null) {
                            localBufferedInputStream = new BufferedInputStream(localZipInputStream);
                        }
                    } else {
                        localBufferedInputStream = new BufferedInputStream(new FileInputStream((File) localObject1));
                    }
                }
                Object localObject1 = paramHttpServletResponse.getOutputStream();
                paramHttpServletResponse.setContentType(str3);
                int i;
                while ((i = localBufferedInputStream.read(arrayOfByte)) != -1) { // read the file
                    ((OutputStream) localObject1).write(arrayOfByte, 0, i); // write it to the response
                    ((OutputStream) localObject1).flush();
                }
                localBufferedInputStream.close();
                ((OutputStream) localObject1).flush();
                ((OutputStream) localObject1).close();
            }
        } catch (Exception localException) {
            BaseBean localBaseBean = new BaseBean();
            localBaseBean.writeLog(localException);
        } finally {
            localConnStatement.close();
        }
    }
}
```
As can be seen, markId is not filtered at all, which leads to SQL injection; and via UNION this can be turned into a second vulnerability, arbitrary file read.
Fix: filter the input.
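The two defects above need two separate fixes: the markId must be bound as a parameter rather than concatenated into the SQL, and the markPath read back from the database must be confined to the directory signature images are supposed to live in. The following is an added illustration of both, not the vendor's patch; it assumes a plain JDBC Connection instead of the vendor's ConnStatement wrapper, and the base directory SIGNATURE_ROOT is a hypothetical location.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class SignatureLookup {

    // Assumed (hypothetical) directory holding signature images; any markPath
    // that resolves outside it is refused, so a UNION-planted path cannot be opened.
    private static final Path SIGNATURE_ROOT =
            Paths.get("/opt/ecology/signatures").toAbsolutePath().normalize();

    /** Accept markId only as a decimal integer; anything else is rejected before it reaches SQL. */
    static long parseMarkId(String raw) {
        if (raw == null || !raw.matches("\\d{1,18}")) {
            throw new IllegalArgumentException("markId must be a decimal integer");
        }
        return Long.parseLong(raw);
    }

    /** Same query as the vulnerable servlet, but markId is a bound parameter, never SQL text. */
    static String lookupMarkPath(Connection conn, long markId) throws SQLException {
        String sql = "select markPath from DocSignature where markId = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setLong(1, markId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("markPath") : null;
            }
        }
    }

    /** Resolve the stored path under SIGNATURE_ROOT and refuse anything that escapes it. */
    static File resolveSignatureFile(String markPath) throws IOException {
        if (markPath == null || markPath.isEmpty()) {
            throw new IOException("no markPath stored for this signature");
        }
        // resolve() returns an absolute markPath unchanged, so "/etc/passwd" fails the prefix check below
        Path resolved = SIGNATURE_ROOT.resolve(markPath).normalize();
        if (!resolved.startsWith(SIGNATURE_ROOT)) {
            throw new IOException("markPath escapes the signature directory");
        }
        // toRealPath() follows symlinks, so a link inside the root pointing elsewhere is caught as well
        Path real = resolved.toRealPath();
        if (!real.startsWith(SIGNATURE_ROOT.toRealPath())) {
            throw new IOException("markPath resolves outside the signature directory");
        }
        return real.toFile();
    }
}
```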
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2016-04-20 09:48
An official security patch has been released to fix the vulnerability. Thank you for the submission!
None yet.