0x00 Preface
For a reproduction of the vulnerability, see my GitHub repository: https://github.com/ybdt/poc-hub/tree/master/2020_11_18_Citrix%20XenMobile目录遍历漏洞复现(CVE-2020-8209)
0x01 Static analysis
The vulnerable file is help-sb-download.jsp; its code is as follows:
<%@ page import="java.io.File, java.io.FileInputStream, java.io.DataInputStream, javax.servlet.ServletOutputStream" %>
<%
    // Fixed base directory; the user-supplied name is appended to it below
    String sbFilePath = "/opt/sas/support/";
    int length = 0;
    // Taken straight from the request and never validated
    String sbFileName = (String) request.getParameter("sbFileName");
    ServletOutputStream outStream = response.getOutputStream();
    response.setHeader("Set-Cookie", "fileDownload=true; path=/");
    response.setContentType("application/octet-stream");
    response.setHeader("Content-Disposition", "attachment; filename=\"" + sbFileName + '"');
    // Plain string concatenation: "../" sequences in sbFileName escape the base directory
    File file = new File(sbFilePath + sbFileName);
    byte[] byteBuffer = new byte[4096];
    DataInputStream in = new DataInputStream(new FileInputStream(file));
    // Stream the file's contents verbatim into the response
    while ((in != null) && ((length = in.read(byteBuffer)) != -1)) {
        outStream.write(byteBuffer, 0, length);
    }
    in.close();
    outStream.flush();
%>
From the code above, the value of the sbFileName parameter, obtained via GET, is concatenated with the known path "/opt/sas/support" (which is why exploitation has to walk up three directory levels to get back to the root), and the file at the concatenated path is then read and its contents written to the response without any filtering.
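The following is an added example written for this write-up (it is not Citrix's patch and not code from the page): a hardened replacement for the `new File(sbFilePath + sbFileName)` line above. The class and method names (SafeSupportDownload, resolveSupportFile) are hypothetical; the base directory is the one from the JSP.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

// Hypothetical hardened resolver for the download path used in help-sb-download.jsp.
// Example code for this write-up, not the vendor's fix.
public class SafeSupportDownload {
    // Same fixed base directory as the vulnerable JSP.
    static final String SB_FILE_PATH = "/opt/sas/support/";

    /**
     * Returns the resolved file when sbFileName is a bare file name inside the
     * support directory, or null when the request must be rejected.
     */
    public static File resolveSupportFile(String sbFileName) throws IOException {
        if (sbFileName == null || sbFileName.isEmpty()) {
            return null;
        }
        // Only a bare file name is acceptable: no path separators, no "..".
        // Deliberately strict (a legitimate name containing ".." is also refused).
        if (sbFileName.contains("/") || sbFileName.contains("\\")
                || sbFileName.contains("..")) {
            return null;
        }
        // Defence in depth: canonicalise both paths and verify the target still
        // lies under the base directory (covers symlinks and unusual encodings).
        File base = new File(SB_FILE_PATH).getCanonicalFile();
        File target = new File(base, sbFileName).getCanonicalFile();
        Path basePath = base.toPath();
        if (!target.toPath().startsWith(basePath)) {
            return null;
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a legitimate support-bundle name and a three-level
        // traversal of the kind the write-up describes (placeholder target name).
        String[] inputs = { "support-bundle.zip", "../../../some-file-outside" };
        for (String name : inputs) {
            File f = resolveSupportFile(name);
            System.out.println(name + " -> " + (f == null ? "rejected" : f.getPath()));
        }
    }
}
```

In the JSP, the `File file = ...` line would become a call to resolveSupportFile, with a null result answered by an HTTP 400 before any stream is opened.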
0x02 Dynamic analysis
None.