HanDs
Administrator

[July vulnerability disclosure] Weaver e-cology unauthenticated SQL injection #2 + arbitrary file read






Although the source code is not available, it can be audited by decompiling it, and the code is sloppy enough to contain vulnerabilities.

Details:

This one is in the SignatureDownLoad class. The relevant fragment:

Code:

    public class SignatureDownLoad
        extends HttpServlet
    {
        public void doGet(HttpServletRequest paramHttpServletRequest, HttpServletResponse paramHttpServletResponse)
            throws ServletException, IOException
        {
            String str1 = Util.getFileidIn(Util.null2String(paramHttpServletRequest.getParameter("markId"))); // getFileidIn just returns the string it was given; Util.null2String only handles null.
            String str2 = Util.null2String(paramHttpServletRequest.getParameter("download"));
            ...
            ConnStatement localConnStatement = new ConnStatement();
            try
            {
                String str8 = "select markPath from DocSignature where markId = " + str1; // attacker-controlled

                boolean bool = localConnStatement.getDBType().equals("oracle");
                localConnStatement.setStatementSql(str8); // passed straight into the query
                localConnStatement.executeQuery();
                if (localConnStatement.next())
                {
                    str5 = Util.null2String(localConnStatement.getString("markPath")); // the result set can be controlled via UNION, so markPath, i.e. str5, is controllable
                    BufferedInputStream localBufferedInputStream = null;

                    str3 = "application/octet-stream";

                    paramHttpServletResponse.setHeader("content-disposition", "attachment; filename=markPicture.jpg");

                    System.out.println("realPath:" + str5);
                    if (str5.equals(""))
                    {
                        if (bool) {
                            localBufferedInputStream = new BufferedInputStream(localConnStatement.getBlobBinary("imagefile"));
                        } else {
                            localBufferedInputStream = new BufferedInputStream(localConnStatement.getBinaryStream("imagefile"));
                        }
                    }
                    else // if str5 is not empty
                    {
                        localObject1 = new File(str5); // since str5 is controllable, any path can be supplied
                        if (str6.equals("1"))
                        {
                            ZipInputStream localZipInputStream = new ZipInputStream(new FileInputStream((File)localObject1));
                            if (localZipInputStream.getNextEntry() != null) {
                                localBufferedInputStream = new BufferedInputStream(localZipInputStream);
                            }
                        }
                        else
                        {
                            localBufferedInputStream = new BufferedInputStream(new FileInputStream((File)localObject1));
                        }
                    }
                    Object localObject1 = paramHttpServletResponse.getOutputStream();
                    paramHttpServletResponse.setContentType(str3);
                    int i;
                    while ((i = localBufferedInputStream.read(arrayOfByte)) != -1) // read the file
                    {
                        ((OutputStream)localObject1).write(arrayOfByte, 0, i); // write it to the response
                        ((OutputStream)localObject1).flush();
                    }
                    localBufferedInputStream.close();
                    ((OutputStream)localObject1).flush();
                    ((OutputStream)localObject1).close();
                }
            }
            catch (Exception localException)
            {
                BaseBean localBaseBean = new BaseBean();
                localBaseBean.writeLog(localException);
            }
            finally
            {
                localConnStatement.close();
            }
        }
    }





As you can see, markId is not filtered at all, which leads to SQL injection; and through a UNION the same flaw turns into a second vulnerability, arbitrary file read, because the attacker-chosen markPath is opened and streamed back.

Proof of vulnerability:

[screenshot: 0.png]

[screenshot: 1.png]

Fix:

Filter the input.
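What "filter" has to mean here, as an added example that is not the vendor's code: bind markId as a parameter so it can never reach the SQL text, and confine the resulting markPath to a fixed directory so a poisoned row cannot become a file read. It assumes markId is a numeric column (the original concatenates it unquoted), a DataSource for the connection, and a placeholder base directory /opt/ecology/signatures.

```java
import java.io.File;
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;
// Hardened markId -> file lookup for the SignatureDownLoad flow (added example, not vendor code).
// Assumed: markId is a numeric column, and signature files live under one fixed
// directory (SIGNATURE_BASE) that the servlet is allowed to serve from.
public class SignatureLookup {
    private static final File SIGNATURE_BASE = new File("/opt/ecology/signatures"); // assumed path
    private final DataSource dataSource;
    public SignatureLookup(DataSource dataSource) {
        this.dataSource = dataSource;
    }
    // Returns the file for markId, or null when the id is not numeric, no row exists, markPath is empty (caller then falls back to the blob), or the path leaves SIGNATURE_BASE.
    public File resolveMarkPath(String rawMarkId) throws SQLException, IOException {
        final long markId;
        try {
            markId = Long.parseLong(rawMarkId.trim()); // anything that is not a plain number is rejected
        } catch (NumberFormatException | NullPointerException e) {
            return null;
        }
        String markPath;
        // Bound parameter: the id never becomes part of the SQL text, so nothing can be appended to the query.
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(
                     "select markPath from DocSignature where markId = ?")) {
            ps.setLong(1, markId);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return null;
                }
                markPath = rs.getString("markPath");
            }
        }
        if (markPath == null || markPath.isEmpty()) {
            return null;
        }
        // Canonicalise and confine: even a tampered DB row cannot point outside the base directory.
        File candidate = new File(SIGNATURE_BASE, markPath).getCanonicalFile();
        String basePrefix = SIGNATURE_BASE.getCanonicalPath() + File.separator;
        if (!candidate.getPath().startsWith(basePrefix) || !candidate.isFile()) {
            return null;
        }
        return candidate;
    }
}
```

The servlet then opens only the File this method returns; a null result should produce a 404 rather than an exception written to the log.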


#1
Posted: 2016-7-19   |   Views: 0   |   Replies: 0