The user-avatar endpoint com.DocSystem.controller.UserController#getUserImg allows arbitrary file download. The endpoint is covered by the system's interceptor and is meant to be reachable only after login, but the interceptor com.DocSystem.controller.MyInterceptor#preHandle is written in a way that lets its permission check be bypassed. As a result, arbitrary file download is possible without logging in.
Affected versions: all versions
Impact: arbitrary file download
The method com.DocSystem.controller.UserController#getUserImg in UserController.java contains the following code:
Here fileName is attacker-controlled, and ../ sequences can be used for directory traversal, so files from other directories can be downloaded.
However, the system has an interceptor that checks whether the requested URL is permitted, as follows:
The check uses the contains method to decide whether the request is in allowedUrl, so it is easy to bypass: any request whose URL contains one of the allowed fragments passes, even when that fragment only appears in the query string.
After setting up the system locally, request:
http://localhost:8081/DocSystem/User/getUserImg?fileName=../../windows/win.ini&s=pay/refund
This downloads c:/windows/win.ini. The extra parameter s=pay/refund is ignored by the controller; it exists only so that the URL contains the allowed fragment pay/refund and the interceptor's contains check passes.
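The following is an added model of the two defects described above (the contains-based allowlist in the interceptor and the unchecked fileName join in getUserImg), written for this page and not taken from DocSystem, which is a Java project. The allowed-URL fragments, the avatar directory /DocSystem/userImg and the function names are constructed assumptions; the interceptor is modelled as "pass if any allowed fragment is a substring of the full URL", which is what the s=pay/refund trick in the proof of concept relies on. The hardened versions compare only the path component exactly and canonicalise the file path before checking it stays under the avatar directory.

```python
"""Model of the getUserImg bypass chain: contains()-based URL allowlist plus
unchecked path join.  Hypothetical reconstruction for illustration; the real
interceptor and controller code are not reproduced here."""
import posixpath
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample allowlist (the real allowedUrl contents are not on the page).
ALLOWED_FRAGMENTS = ["Login/login", "pay/refund"]
# Same entries as exact request paths, used by the hardened check.
ALLOWED_PATHS = ["/DocSystem/Login/login", "/DocSystem/pay/refund"]

# Constructed avatar directory, two levels below the root so that the page's
# "../../windows/win.ini" payload lands on /windows/win.ini.
AVATAR_DIR = "/DocSystem/userImg"

# The proof-of-concept request from the page.
POC_URL = ("http://localhost:8081/DocSystem/User/getUserImg"
           "?fileName=../../windows/win.ini&s=pay/refund")


def weak_interceptor_allows(url: str) -> bool:
    """Vulnerable model: the request is treated as public if any allowed
    fragment occurs anywhere in the URL, query string included."""
    return any(fragment in url for fragment in ALLOWED_FRAGMENTS)


def strict_interceptor_allows(url: str) -> bool:
    """Hardened model: only the path component is compared, and exactly,
    so nothing placed in the query string can influence the decision."""
    return urlsplit(url).path in ALLOWED_PATHS


def vulnerable_resolve(file_name: str) -> str:
    """Vulnerable model of getUserImg: join the avatar directory with the
    caller-supplied name and let '..' components walk out of it."""
    return posixpath.normpath(posixpath.join(AVATAR_DIR, file_name))


def safe_resolve(file_name: str) -> Optional[str]:
    """Hardened model: canonicalise first, then refuse anything that does not
    remain strictly inside AVATAR_DIR (covers '..', absolute names and '')."""
    resolved = posixpath.normpath(posixpath.join(AVATAR_DIR, file_name))
    if not resolved.startswith(AVATAR_DIR + "/"):
        return None
    return resolved


def run_request(url: str) -> dict:
    """Evaluate one request against both the weak and the hardened pair of checks."""
    file_name = parse_qs(urlsplit(url).query).get("fileName", [""])[0]
    return {
        "weak_interceptor_allows": weak_interceptor_allows(url),
        "vulnerable_path": vulnerable_resolve(file_name),
        "strict_interceptor_allows": strict_interceptor_allows(url),
        "safe_path": safe_resolve(file_name),
    }


if __name__ == "__main__":
    for key, value in run_request(POC_URL).items():
        print(f"{key}: {value}")
```

Running the block against POC_URL shows the weak interceptor letting the request through and the naive join resolving to /windows/win.ini, while the strict interceptor rejects it and the canonicalised path check returns None. In the Java original the same two fixes are: compare the request path (for example HttpServletRequest#getRequestURI, which excludes the query string) to the allowlist with equals rather than contains, and check File#getCanonicalPath of the joined avatar path against the canonical avatar directory before serving it.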