1. Description
The attachment upload in the Application Approval page of the Student Function Menu in the StudentManager project does not restrict the uploaded file type and does not sanitize the client-supplied file name. The combination is an arbitrary file upload with path traversal: an authenticated student can write a JSP webshell into a directory the servlet container executes JSPs from, and then run operating-system commands as the server process.
2. Reproduce
Step 1
Pull the latest code and deploy and run it in a local environment.
Step 2
Log in with a student account, open the Application Approval page under the Student Function Menu, add an approval request and attach a file.
Step 3
Intercept the attachment upload request with Burp, replace the file content with a JSP webshell, change the file name to "/../../student/jspshell.jsp", and replay the request.
Step 4
Check the file system of the local server: jspshell.jsp now exists in the application's "student" directory, i.e. the "../" segments in the file name were resolved by the server and the file was written outside the intended upload directory.
Step 5
Request the uploaded webshell's URL with the cmd parameter set to "ipconfig" and inspect the response: the command output is returned, confirming that the command was executed on the server.
3. Affected versions
All versions up to and including the current latest version.
4. Repair suggestions
Restrict the types of files that can be uploaded (an allowlist of document extensions, not a denylist of ".jsp") and fix the upload directory on the server side: discard any directory component of the client-supplied file name, generate the stored file name on the server, keep the upload directory outside the web root (or in a location from which the container does not execute JSPs), and verify that the final canonical path is still inside that directory before writing.
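The following is an added example of the hardened upload handling described above, written for this write-up; it is not code from the StudentManager project. It assumes a servlet-side helper that receives the client file name and the request body stream; the upload root path, the allowlist of extensions and the class name are illustrative assumptions. The client name is used only to pick an allowlisted extension, so "/../../student/jspshell.jsp" is rejected outright, and even an accepted name never reaches the file system.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

/**
 * Hardened attachment storage for the approval-request upload.
 * Assumptions (illustrative, not the project's own code): uploads are kept
 * under an uploadRoot that lies outside the servlet container's web root,
 * and only the document types listed below are accepted.
 */
public final class SafeAttachmentStore {
    // Allowlist of document types. ".jsp", ".jspx", ".war" etc. are simply absent.
    private static final Set<String> ALLOWED_EXTENSIONS =
            Set.of("pdf", "png", "jpg", "jpeg", "docx");

    private final Path uploadRoot;

    public SafeAttachmentStore(Path uploadRoot) throws IOException {
        // Canonical absolute form so the startsWith() check below is meaningful.
        this.uploadRoot = uploadRoot.toAbsolutePath().normalize();
        Files.createDirectories(this.uploadRoot);
    }

    /**
     * Returns the allowlisted extension of a client-supplied file name,
     * or null if the upload must be rejected.
     */
    static String allowedExtension(String clientFileName) {
        if (clientFileName == null || clientFileName.indexOf('\0') >= 0) {
            return null;
        }
        // Keep only the last path segment: "/../../student/jspshell.jsp" -> "jspshell.jsp".
        // Both separators are stripped because Windows browsers send backslashes.
        String base = clientFileName;
        int cut = Math.max(base.lastIndexOf('/'), base.lastIndexOf('\\'));
        if (cut >= 0) {
            base = base.substring(cut + 1);
        }
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || dot == base.length() - 1) {
            return null; // no extension, or a dotfile such as ".htaccess"
        }
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ALLOWED_EXTENSIONS.contains(ext) ? ext : null;
    }

    /**
     * Stores the request body under a server-generated name and returns the
     * path that was written. The client's file name never touches the disk.
     */
    public Path store(String clientFileName, InputStream body) throws IOException {
        String ext = allowedExtension(clientFileName);
        if (ext == null) {
            throw new IllegalArgumentException("attachment type not permitted");
        }
        // Random name chosen by the server; only the allowlisted extension is reused.
        Path target = uploadRoot.resolve(UUID.randomUUID() + "." + ext).normalize();
        // Defense in depth: even with a server-generated name, refuse to write
        // anything that does not resolve inside the upload root.
        if (!target.startsWith(uploadRoot)) {
            throw new IllegalStateException("resolved path escaped the upload root");
        }
        Files.copy(body, target, StandardCopyOption.REPLACE_EXISTING);
        return target;
    }
}
```

With this in place, the request from Step 3 fails at allowedExtension() because "jsp" is not allowlisted; a request that renames the shell to "x.pdf" is stored as a .pdf under the upload root, where the container will not compile or execute it. Attachments should then be served back through a download servlet that sets Content-Disposition: attachment, not by mapping the upload directory into the web application.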