J0hNs0N
This is the English report; the Chinese report is at: [Authentication bypass vulnerability](https://github.com/anji-plus/report/issues/8) ### Description The program uses a fixed JWT key, and the stored Redis key uses username format characters. Any...
This is the Chinese report; the English report is at: [Authentication bypass vulnerability](https://github.com/anji-plus/report/issues/7) ### Vulnerability description The program uses a fixed JWT key, and the stored Redis key uses username format characters. For any user who has logged in within the last hour, a JWT token can be forged using their username to bypass authentication. The login interface *com.anjiplus.template.gaea.business.modules.accessuser.controller.AccessUserController#login* uses the username to build a formatted string that serves as the key for Redis storage; although a uuid is used...
### Description There is an arbitrary file upload vulnerability in the background. An attacker with an administrator account can upload a .php file to execute malicious code through this vulnerability, thereby gaining...
File Path: [software/actions/programAction.class.php#L217](https://github.com/bettershop/LaikeTui/blob/master/app/LKT/webapp/modules/software/actions/programAction.class.php#L217) This method directly splices the unrestricted extension from the file name into the extension of the upload target file, so a .php file can be uploaded to get a shell. But...
There is a file upload getshell vulnerability in the background software/actions/addAction.class.php
File Path: [LKT/webapp/modules/software/actions/addAction.class.php#L111](https://github.com/bettershop/LaikeTui/blob/master/app/LKT/webapp/modules/software/actions/addAction.class.php#L111) This method directly splices the unrestricted extension from the file name into the extension of the upload target file, so a .php file can be uploaded to get a shell. But...
File Path: [LKT/webapp/modules/system/actions/payAction.class.php#L63](https://github.com/bettershop/LaikeTui/blob/master/app/LKT/webapp/modules/system/actions/payAction.class.php#L63) After uploading as a .zip file, the archive will be decompressed. You can gain system control by putting the PHP webshell file in the compressed package ...
File Path: [LKT/webapp/modules/software/actions/modifyAction.class.php::execute](https://github.com/bettershop/LaikeTui/blob/master/app/LKT/webapp/modules/software/actions/modifyAction.class.php#L237) This method directly splices the unrestricted extension from the file name into the extension of the upload target file, so a .php file can be uploaded to get a shell. But...
File Path: [LKT/webapp/modules/system/actions/uploadImgAction.class.php::execute](https://github.com/bettershop/LaikeTui/blob/master/app/LKT/webapp/modules/system/actions/uploadImgAction.class.php#L38) This method incorrectly splices untrusted file types, resulting in arbitrary file uploads  By modifying the file type in the file upload protocol to: image/php to upload...
In ***AttributeSetFilter***, multiple parameters are not ***XSS*** filtered *cn.keking.web.filter.AttributeSetFilter#setWatermarkAttribute*  Parameters are used in ***commonHeader*** *src/main/resources/web/commonHeader.ftl*  The modified template is referenced by multiple template files, among which ***picture.ftl*** ...
# Vulnerability details The unauthorized interface ***/onlinePreview*** receives a ***base64***-encoded parameter, ***url***, gets the view processor after parsing ***url***, and calls ***filePreviewHandle*** to handle the view *cn.keking.web.controller.OnlinePreviewController#onlinePreview* Parse ***fullfilename*** in...