
Rainy / DocSys


Arbitrary file download vulnerability (unauthenticated)

Status: Completed
Created 2022-12-15 11:14

Vulnerability description

The user-avatar endpoint com.DocSystem.controller.UserController#getUserImg allows arbitrary file download. The endpoint is covered by the system's login interceptor and is supposed to require an authenticated session, but the permission check in com.DocSystem.controller.MyInterceptor#preHandle can be bypassed. Together, the two defects let an attacker download arbitrary files from the server without logging in.

Impact

Affected versions: all versions
Vulnerability impact: arbitrary file download (reachable without authentication)

Code audit

The method com.DocSystem.controller.UserController#getUserImg in UserController.java contains the following code:
[screenshot: the getUserImg code]
The fileName parameter is attacker-controlled and is joined to the avatar directory without any check, so ../ segments perform a directory traversal and files from other directories can be downloaded.
The system does have an interceptor that checks whether the requested URL is permitted for the current session:
[screenshot: the MyInterceptor#preHandle code]
The check uses String#contains to decide whether the request URL is in allowedUrl. A substring match is trivially bypassed: any request whose URL contains an allowed string anywhere, for example as the value of an extra query parameter, passes the check and is treated as if it needed no login.
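To make the weakness of the contains-based check concrete, here is an added example; it is not DocSys code, and since the page does not show the contents of allowedUrl or the exact preHandle logic, the allow-list entries and the servlet context path are assumptions. It puts a substring check of the kind the report describes beside a check that compares only the request path:

```java
import java.net.URI;
import java.util.List;

/*
 * Added example, not code from DocSys. Models an interceptor's decision on whether a
 * request may proceed without a login session. ALLOWED and CONTEXT_PATH are assumptions
 * standing in for the real allowedUrl contents and deployment path.
 */
public class AllowListCheck {
    static final List<String> ALLOWED = List.of("pay/refund", "User/login");
    static final String CONTEXT_PATH = "/DocSystem";

    // Weak check in the style the report describes: a substring match against the raw
    // request URL, query string included. Any request can satisfy it by carrying an
    // allowed string in a throwaway parameter such as s=pay/refund.
    static boolean weakAllows(String rawUrl) {
        for (String entry : ALLOWED) {
            if (rawUrl.contains(entry)) {
                return true;
            }
        }
        return false;
    }

    // Hardened check: drop the query string, normalize the path (so "/a/../b" cannot
    // disguise itself), strip the context path, and require an exact match against a
    // complete allowed path.
    static boolean strictAllows(String rawUrl) {
        String path = URI.create(rawUrl).normalize().getPath();
        if (path == null || !path.startsWith(CONTEXT_PATH + "/")) {
            return false;
        }
        String servletPath = path.substring(CONTEXT_PATH.length() + 1);
        return ALLOWED.contains(servletPath);
    }

    public static void main(String[] args) {
        // The PoC request from this report, and a legitimate request to an allowed path.
        String poc = "http://localhost:8081/DocSystem/User/getUserImg"
                + "?fileName=../../windows/win.ini&s=pay/refund";
        String legit = "http://localhost:8081/DocSystem/pay/refund?orderId=1";
        for (String url : new String[] { poc, legit }) {
            System.out.println(url);
            System.out.println("  contains-based check allows: " + weakAllows(url));
            System.out.println("  exact-path check allows:     " + strictAllows(url));
        }
    }
}
```

In a real Spring HandlerInterceptor the value to compare is HttpServletRequest#getServletPath(), which already excludes the context path and the query string; the point of the example is that the comparison must be an exact (or path-boundary prefix) match against the path alone, never a contains test against a string whose contents the client controls.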

Steps to reproduce

After setting up the system locally, request the following URL without logging in:
http://localhost:8081/DocSystem/User/getUserImg?fileName=../../windows/win.ini&s=pay/refund
The extra parameter s=pay/refund is what defeats the interceptor: the request URL now contains a string from allowedUrl, so the unauthenticated request is let through. fileName=../../windows/win.ini then escapes the avatar directory, and the file c:/windows/win.ini is downloaded successfully.
[screenshot: the downloaded win.ini]
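The traversal itself is the second half of the bug. The following added example (not DocSys code; the avatar directory is a constructed temporary folder and the method names are hypothetical) shows the unchecked resolution pattern the report describes beside a hardened version that refuses any request which would leave the avatar directory, including absolute paths and traversals that normalize back out of it:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/*
 * Added example, not code from DocSys. Shows the file-resolution pattern the report
 * describes for getUserImg beside a hardened version that refuses to leave the avatar
 * directory. The avatar directory is a constructed temporary folder.
 */
public class AvatarPathCheck {
    // Vulnerable shape: the caller-supplied fileName is simply joined to the avatar
    // directory, so "../" segments walk out of it and an absolute fileName replaces it.
    static Path resolveUnchecked(Path avatarDir, String fileName) {
        return avatarDir.resolve(fileName).normalize();
    }

    // Hardened shape: canonicalize the base directory, resolve and normalize the request,
    // then require the result to still lie directly inside the base. Returns null to reject.
    static Path resolveChecked(Path avatarDir, String fileName) throws IOException {
        Path base = avatarDir.toRealPath();
        Path candidate = base.resolve(fileName).normalize();
        if (!candidate.startsWith(base)) {
            return null;
        }
        // Avatars are flat files: reject anything that still carries a directory component.
        if (candidate.getParent() == null || !candidate.getParent().equals(base)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox: a temporary avatar directory holding one fake avatar.
        Path avatarDir = Files.createTempDirectory("avatars");
        Files.writeString(avatarDir.resolve("alice.png"), "constructed fake avatar");

        String[] requests = {
            "alice.png",              // legitimate request
            "../../windows/win.ini",  // the traversal from this report
            "/etc/passwd",            // absolute path: resolve() discards the base entirely
            "sub/../alice.png"        // benign dot segments that normalize back inside
        };
        for (String fileName : requests) {
            Path unchecked = resolveUnchecked(avatarDir, fileName);
            Path checked = resolveChecked(avatarDir, fileName);
            System.out.printf("%-24s unchecked -> %s%n", fileName, unchecked);
            System.out.printf("%-24s checked   -> %s%n", "", checked == null ? "REJECTED" : checked);
        }
    }
}
```

The startsWith check must be made on normalized paths, otherwise "avatars/../../windows/win.ini" still begins with the base prefix as a string. If the avatar directory can contain symlinks, call toRealPath() on the candidate too (when it exists) and re-check containment, since normalize() does not follow links.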


Comments (1)

TGAO created the task

A relative path check was added to avoid illegal access to system files.

Rainy changed the task status from To do to Completed

Repository: https://gitee.com/RainyGao/DocSys.git