
File Upload Vulnerability #1

Closed
Fw-fW-fw opened this issue Feb 4, 2023 · 1 comment

Comments


Fw-fW-fw commented Feb 4, 2023

Description

yf-exam is a multi-role online training and examination system. The system integrates user management, role management, department management, question bank management, test question management, test question import and export, test management, online tests, wrong-question training and other functions, and the test process is perfect. @PostMapping("/common/api/file/upload") When a file is uploaded through this interface, there is no restriction on the suffix of the uploaded file, resulting in arbitrary file upload.

Vulnerability details

This interface accepts uploaded files, and then submits them to upload() for processing.

com.yf.exam.ability.upload.controller#upload()

Continuing to follow up, we come to the implementation class of the upload interface.

com.yf.exam.ability.upload.service.impl#upload()

You can see that the incoming files are processed here; continue to follow up.

com.yf.exam.ability.upload.utils#processPath()


Then the incoming file is renamed.

com.yf.exam.ability.upload.utils#renameFile()


It can be seen that only the suffix is extracted; without any filtering, it is directly spliced back on.


Finally, return directly to the upload path.

TEST

Upload a file at the routing point.


It can be found that the upload was successful


Trying to access it, you can find that the access is successful.
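The report above describes a rename step that takes the client-supplied suffix and splices it straight onto the stored name. As an added example, not code from yf-exam or from the issue author, the following Java class shows the hardened counterpart a maintainer would want at that point: the extension is taken from the last dot only, case-folded, checked against an allowlist, and the stored name is a random token rather than anything the client chose. The allowlist contents, the `SafeUploadName` class and method names, and the `/var/app/upload` root are assumptions for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.HexFormat;
import java.util.Locale;
import java.util.Set;

// Added example (not yf-exam's own code): validate an upload's suffix against an
// allowlist and derive the stored filename server-side instead of reusing client input.
public final class SafeUploadName {

    // Hypothetical allowlist; a real deployment lists only what the feature needs
    // and never includes anything the servlet container will execute (jsp, jspx, ...).
    private static final Set<String> ALLOWED_EXTENSIONS =
            Set.of("jpg", "jpeg", "png", "gif", "pdf", "xls", "xlsx", "docx");

    private static final SecureRandom RANDOM = new SecureRandom();

    /** Returns the extension the file will be stored with, or throws if it is not allowed. */
    static String checkedExtension(String originalFilename) {
        if (originalFilename == null || originalFilename.isEmpty()) {
            throw new IllegalArgumentException("missing filename");
        }
        // The filename is attacker-controlled input: reject control characters
        // (including NUL) and path separators before looking at the suffix at all.
        for (char c : originalFilename.toCharArray()) {
            if (c < 0x20 || c == '/' || c == '\\') {
                throw new IllegalArgumentException("illegal character in filename");
            }
        }
        int dot = originalFilename.lastIndexOf('.');
        if (dot < 0 || dot == originalFilename.length() - 1) {
            throw new IllegalArgumentException("filename has no extension");
        }
        // Only the final suffix decides how the server maps the file, so that is the
        // one checked; case-folding means ".JSP" is treated the same as ".jsp".
        String ext = originalFilename.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        return ext;
    }

    /** Builds a stored filename from a random token plus the validated extension. */
    static String storedName(String originalFilename) {
        String ext = checkedExtension(originalFilename);
        byte[] token = new byte[16];
        RANDOM.nextBytes(token);
        return HexFormat.of().formatHex(token) + "." + ext;
    }

    /** Resolves the stored name under the upload root and refuses anything that escapes it. */
    static Path storedPath(Path uploadRoot, String originalFilename) {
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path target = root.resolve(storedName(originalFilename)).normalize();
        if (!target.startsWith(root)) {
            throw new IllegalStateException("resolved path escapes upload root");
        }
        return target;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/var/app/upload"); // constructed example upload root
        // Constructed sample filenames: two that should pass, three that should be rejected.
        String[] samples = { "photo.PNG", "report.pdf", "page.jsp", "x.png.jsp", "../../etc/passwd" };
        for (String name : samples) {
            try {
                System.out.println(name + " -> " + storedPath(root, name));
            } catch (IllegalArgumentException | IllegalStateException e) {
                System.out.println(name + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The allowlist is deliberately a set of extensions rather than a denylist of "dangerous" ones, because a denylist has to anticipate every suffix the container might execute. The Content-Type header is not consulted at all, since it is equally under the uploader's control; if the service must confirm the file is really an image, it should decode it server-side and re-encode the result rather than trust the name.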

@CleverStupidDog
Owner

Solved
