Description
During a recent internal penetration test at my company, I found that a referenced kkFileView 4.0.0 instance has an arbitrary file read vulnerability: through it any file on the host can be read, which easily leads to leakage of sensitive information.
kkFileView v4.0.0 has an arbitrary file read vulnerability which may lead to a sensitive file leak on the related host.
Vulnerable code location
Line 103 of kkFileView/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java: the urlPath parameter supports the file protocol.
The vulnerable code is located at line 103 in kkFileView/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java. The value passed through the param urlPath supports the file protocol.
```java
/**
 * Fetch file content by URL.
 * When pdf.js reads a file that has cross-origin problems, it goes through this endpoint.
 *
 * @param urlPath  url
 * @param response response
 */
@RequestMapping(value = "/getCorsFile", method = RequestMethod.GET)
public void getCorsFile(String urlPath, HttpServletResponse response) {
    logger.info("下载跨域pdf文件url:{}", urlPath);
    try {
        // urlPath is used as received: no scheme check, so file:// URLs are accepted
        URL url = WebUtils.normalizedURL(urlPath);
        byte[] bytes = NetUtil.downloadBytes(url.toString());
        IOUtils.write(bytes, response.getOutputStream());
    } catch (IOException | GalimatiasParseException e) {
        logger.error("下载跨域pdf文件异常,url:{}", urlPath, e);
    }
}
```
PoC
The official demo site runs the latest version, 4.0.0, so it serves as the demonstration: visit the vulnerable endpoint https://file.keking.cn/getCorsFile?urlPath=file:///etc/passwd and you get the result.
The version of the official demo site is v4.0.0. Visit https://file.keking.cn/getCorsFile?urlPath=file:///etc/passwd and the concept is proven.
Thanks for the pointer.
```java
@RequestMapping(value = "/getCorsFile", method = RequestMethod.GET)
public void getCorsFile(HttpServletRequest request, HttpServletResponse response) {
    // The raw query string is parsed by hand instead of binding the urlPath parameter
    String query = request.getQueryString();
    if (query == null) {
        query = ""; // getQueryString() returns null when the request has no query string
    }
    query = query.replace("%20", " ");
    try {
        query = URLDecoder.decode(query, "UTF-8");
    } catch (UnsupportedEncodingException e) {
        e.printStackTrace();
    }
    String urlPath = query.replaceFirst("urlPath=", "");
    urlPath = urlPath.replaceFirst("&disabledownload=true", "");
    // Reject the file scheme and anything that is not http(s) before downloading
    if (urlPath == null
            || urlPath.toLowerCase().startsWith("file")
            || !urlPath.toLowerCase().startsWith("http")) {
        logger.info("读取跨域文件异常,url:{}", urlPath);
    } else {
        logger.info("读取跨域文件url:{}", urlPath);
        try {
            URL url = WebUtils.normalizedURL(urlPath);
            byte[] bytes = NetUtil.downloadBytes(url.toString());
            IOUtils.write(bytes, response.getOutputStream());
        } catch (IOException | GalimatiasParseException e) {
            logger.error("读取跨域文件异常,url:{}", urlPath, e);
        }
    }
}
```
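An added example, not kkFileView's code, of the check a defender would put in front of the download step in either version of getCorsFile above: it parses urlPath with java.net.URI and accepts only http and https on an explicit allowlist, so file: and every other local scheme is rejected regardless of letter case or surrounding whitespace, and a URL without a host is rejected too. The class and method names are my own.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper (not part of kkFileView): scheme allowlist for urlPath.
public final class UrlPathPolicy {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** Returns the parsed URI if it may be fetched, or null if the input must be rejected. */
    public static URI allowedRemoteUrl(String urlPath) {
        if (urlPath == null) {
            return null;
        }
        URI uri;
        try {
            uri = new URI(urlPath.trim());
        } catch (URISyntaxException e) {
            return null; // unparsable input is rejected rather than "normalized"
        }
        String scheme = uri.getScheme();
        // Relative references have no scheme; file:, jar:, ftp: etc. are not in the allowlist
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            return null;
        }
        // http:///etc/passwd parses with no host; there is nothing remote to fetch
        if (uri.getHost() == null || uri.getHost().isEmpty()) {
            return null;
        }
        return uri;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the first is the only one that should be allowed
        String[] samples = {
            "https://example.com/report.pdf",
            "file:///etc/passwd",
            "FILE:///etc/passwd",
            "  file:///etc/passwd",
            "/etc/passwd",
            "http:///etc/passwd",
        };
        for (String s : samples) {
            System.out.println((allowedRemoteUrl(s) == null ? "REJECT " : "ALLOW  ") + s);
        }
    }
}
```

In the controller, a null return would be logged and answered with a 4xx status, and only the returned URI's string form handed to the existing download call.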
Has this been fixed?
kkFileView arbitrary file read vulnerability