ZrLog 2.2.2 Remote command execution vulnerability #115

Closed
1979139113 opened this issue Nov 16, 2021 · 0 comments
There is a remote command execution vulnerability in the upload avatar function in the background.

[screenshot]

Upload a picture, then intercept the data package, like this:

[screenshot]

Then modify the file name to .jsp; this bypasses the limit that prevents JSP files from being uploaded.

[screenshot]

Although the JSP file has been uploaded, because of the existence of global interceptors, we cannot execute commands.

It would return 500.

[screenshot]

However, through my research, I found that the upload directory can be traversed.

Just modify the parameter dir, like this:

[screenshot]

Then the file will be saved to the corresponding directory.

[screenshot]

Access this file, and the system command is successfully executed.

[screenshot]

Code analysis:

At com.zrlog.admin.web.controller.api.UploadController#generatorUri:

```java
// The extension is taken verbatim from the uploaded file name; nothing checks it against an allowlist.
getFile().getFileName().substring(getFile(uploadFieldName).getFileName().lastIndexOf(".") + 1).toLowerCase();
```

```java
// The "dir" request parameter is concatenated into the path unchanged, so it may contain "../" segments.
Constants.ATTACHED_FOLDER + getPara("dir") + "/" + sdf.format(new Date()) + "/" + df.format(new Date()) + "_" + new Random().nextInt(1000) + "." + fileExt;
```
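As an added defensive illustration (not ZrLog's own code, and not part of the report above): a hypothetical hardened replacement for the path construction quoted in the code analysis. It allowlists the extension instead of trusting the client-supplied file name, restricts the `dir` parameter to a simple label, and verifies that the normalized target path still lies under the upload root. The class name `SafeUploadPath`, the method names and the `ATTACHED_FOLDER` value are assumptions made for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.Set;
import java.util.concurrent.ThreadLocalRandom;

// Hypothetical hardened version of the upload path logic; not ZrLog's code.
public class SafeUploadPath {

    // Constructed upload root for this demo (ZrLog's real value lives in Constants.ATTACHED_FOLDER).
    static final String ATTACHED_FOLDER = "/var/zrlog/attached";

    // Allowlist of image extensions an avatar upload should accept.
    static final Set<String> ALLOWED_EXT = Set.of("jpg", "jpeg", "png", "gif");

    // Extracts the lower-cased extension, rejecting names with no usable extension.
    static String extensionOf(String fileName) {
        int dot = fileName.lastIndexOf('.');
        if (dot < 0 || dot == fileName.length() - 1) {
            throw new IllegalArgumentException("file name has no extension");
        }
        return fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /**
     * Builds the destination path for an uploaded file.
     * Rejects disallowed extensions and any "dir" value that could escape ATTACHED_FOLDER.
     */
    static Path resolveUploadPath(String dir, String originalFileName) {
        String ext = extensionOf(originalFileName);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new SecurityException("extension not allowed: " + ext);
        }
        // Only accept a simple directory label: no separators, no dots.
        if (dir == null || !dir.matches("[A-Za-z0-9_-]{1,32}")) {
            throw new SecurityException("invalid dir parameter");
        }
        String datePart = new SimpleDateFormat("yyyy/MM/dd", Locale.ROOT).format(new Date());
        // Server-generated file name; the client's name contributes only the validated extension.
        String name = System.currentTimeMillis() + "_"
                + ThreadLocalRandom.current().nextInt(1000) + "." + ext;

        Path base = Paths.get(ATTACHED_FOLDER).toAbsolutePath().normalize();
        Path target = base.resolve(dir).resolve(datePart).resolve(name).normalize();
        // Defence in depth: even after the regex check, confirm the result is still under the root.
        if (!target.startsWith(base)) {
            throw new SecurityException("path escapes upload root");
        }
        return target;
    }

    static void tryResolve(String dir, String name) {
        try {
            System.out.println("accepted: " + resolveUploadPath(dir, name));
        } catch (RuntimeException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        tryResolve("avatar", "me.PNG");      // accepted: normal image upload
        tryResolve("avatar", "page.jsp");    // rejected: extension not on the allowlist
        tryResolve("../../tmp", "me.png");   // rejected: dir parameter contains traversal
    }
}
```

The regex on `dir` already excludes `.` and path separators, so the `startsWith(base)` check is redundant by design; keeping both means a later relaxation of the regex does not silently reintroduce traversal.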
