There is a remote command execution vulnerability in the upload avatar function of the admin background.
Upload a picture, then intercept the request packet, like this:
Then modify the file name to .jsp; this bypasses the restriction that JSP files cannot be uploaded.
Although the JSP file has been uploaded, we cannot execute commands because of the global interceptors.
It would return 500.
However, through my research, I found that the upload directory can be traversed.
Just modify the parameter dir, like this:
Then the file will be saved to the corresponding directory.
Access this file and the system command executes successfully.
Code analysis:
In com.zrlog.admin.web.controller.api.UploadController#generatorUri:

```java
// Extension is taken from the client-supplied file name and only lowercased;
// there is no allowlist, so ".jsp" passes through.
String fileExt = getFile().getFileName().substring(getFile(uploadFieldName).getFileName().lastIndexOf(".") + 1).toLowerCase();
// The "dir" request parameter is concatenated into the storage path without
// validation, so "../" sequences move the file out of the attached folder.
Constants.ATTACHED_FOLDER + getPara("dir") + "/" + sdf.format(new Date()) + "/" + df.format(new Date()) + "_" + new Random().nextInt(1000) + "." + fileExt;
```
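As an added hardening example (not ZrLog's code; the upload root path, class and method names are assumptions), this Java method applies the two checks the quoted generatorUri logic lacks: an extension allowlist, and a dir parameter restricted to a single plain segment, with the resolved path verified to stay under the upload root.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.Random;
import java.util.Set;

public final class SafeUploadPath {
    // Assumed upload root; ZrLog's real Constants.ATTACHED_FOLDER may differ.
    static final Path UPLOAD_ROOT =
        Paths.get("/var/www/attached").toAbsolutePath().normalize();
    // Allowlist: an avatar upload only needs image types.
    static final Set<String> ALLOWED_EXT = Set.of("jpg", "jpeg", "png", "gif");
    static final Random RANDOM = new Random();

    // Returns the path to store the upload at, or throws if either the
    // extension or the dir parameter fails validation.
    static Path resolveUploadPath(String dir, String uploadedFileName) {
        int dot = uploadedFileName.lastIndexOf('.');
        String ext = dot < 0 ? "" : uploadedFileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        // One plain segment only: no '/', '\\' or '..' can get through.
        if (dir == null || !dir.matches("[A-Za-z0-9_-]{1,32}")) {
            throw new IllegalArgumentException("invalid dir parameter");
        }
        String day = new SimpleDateFormat("yyyyMMdd").format(new Date());
        String name = System.currentTimeMillis() + "_" + RANDOM.nextInt(1000) + "." + ext;
        Path target = UPLOAD_ROOT.resolve(dir).resolve(day).resolve(name).normalize();
        // Defence in depth: the final path must still be inside the upload root.
        if (!target.startsWith(UPLOAD_ROOT)) {
            throw new IllegalStateException("path escapes upload root: " + target);
        }
        return target;
    }

    public static void main(String[] args) {
        System.out.println(resolveUploadPath("avatar", "me.PNG"));   // accepted
        String[][] rejected = {{"avatar", "avatar.jsp"}, {"../../ROOT", "me.png"}};
        for (String[] bad : rejected) {
            try {
                resolveUploadPath(bad[0], bad[1]);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```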