Java code audit: warehouse

MCtech

Project address: https://github.com/yeqifu/warehouse
Starting the project:
Change the database connection information and modify the port parameter.

0x1 Arbitrary file read

During the login flow the application fetches the administrator's avatar, but the path parameter is not filtered for the special sequence ../

Analysis:

/file/showImageByPath?path=../../../../../../../../etc/passwd

Code layer:
com/yeqifu/sys/controller/FileController.java
In its controller layer:

    @RequestMapping("showImageByPath")
    public ResponseEntity<Object> showImageByPath(String path){
        return AppFileUtils.createResponseEntity(path);
    }

The path parameter is passed straight through, and the file contents are returned via AppFileUtils.createResponseEntity.
Follow it into com/yeqifu/sys/common/AppFileUtils.java:


public static String UPLOAD_PATH="G:/upload/";
···
// at this point path is "../../../../../../../../etc/passwd"
// UPLOAD_PATH="G:/upload/"
public static ResponseEntity<Object> createResponseEntity(String path) {
    // 1. build the File object
    File file=new File(UPLOAD_PATH, path);
    if(file.exists()) {
        // wrap the file to be downloaded in a byte[]
        byte[] bytes=null;
        try {
            bytes = FileUtil.readBytes(file);
        } catch (Exception e) {
            e.printStackTrace();
        }
        // create the object that carries the response headers
        HttpHeaders header=new HttpHeaders();
        // set the response content type (APPLICATION_OCTET_STREAM: content type not restricted)
        header.setContentType(MediaType.APPLICATION_OCTET_STREAM);
        // create the ResponseEntity object
        ResponseEntity<Object> entity= new ResponseEntity<Object>(bytes, header, HttpStatus.CREATED);
        return entity;
    }
    return null;
}

This involves the java.io.File class:
file.exists()

public boolean exists() {
    SecurityManager security = System.getSecurityManager();
    if (security != null) {
        security.checkRead(path);
    }
    if (isInvalid()) {
        return false;
    }
    return ((fs.getBooleanAttributes(this) & FileSystem.BA_EXISTS) != 0);
}

where path is set by the constructor:

public File(String parent, String child) {
    if (child == null) {
        throw new NullPointerException();
    }
    if (parent != null) {
        if (parent.equals("")) {
            this.path = fs.resolve(fs.getDefaultParent(),
                                   fs.normalize(child));
        } else {
            this.path = fs.resolve(fs.normalize(parent),
                                   fs.normalize(child));
        }
    } else {
        this.path = fs.normalize(child);
    }
    this.prefixLength = fs.prefixLength(this.path);
}

This is the path that ends up being used.
There is no filter anywhere in the chain, which results in arbitrary file read: the java.io.File API does not strip special characters from path, so passing user-controlled input straight into it without any handling is wrong.
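As an added example (not code from the warehouse project), this is how the path could be confined to UPLOAD_PATH before the File is built; the class name SafeImagePath, the method resolveInsideUploadRoot and the sample avatar path are assumptions of mine.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeImagePath {
    // Same upload root the project uses as AppFileUtils.UPLOAD_PATH
    private static final Path UPLOAD_ROOT = Paths.get("G:/upload/").toAbsolutePath().normalize();

    // Hypothetical helper: resolves a user-supplied path against UPLOAD_ROOT and refuses
    // anything outside it. This is the check missing before new File(UPLOAD_PATH, path).
    public static Path resolveInsideUploadRoot(String userPath) throws IOException {
        if (userPath == null || userPath.isEmpty()) {
            throw new IllegalArgumentException("path is required");
        }
        Path child = Paths.get(userPath);
        // resolve() would discard the base entirely if the child is absolute
        if (child.isAbsolute()) {
            throw new SecurityException("absolute path not allowed: " + userPath);
        }
        // normalize() folds every "../" segment, so a traversal collapses to
        // a plain path that no longer starts with the upload root
        Path candidate = UPLOAD_ROOT.resolve(child).normalize();
        if (!candidate.startsWith(UPLOAD_ROOT)) {
            throw new SecurityException("path escapes upload root: " + userPath);
        }
        // A symlink inside the upload dir could still point outside it, so
        // compare the real (symlink-resolved) path as well when the file exists
        if (Files.exists(candidate)
                && !candidate.toRealPath().startsWith(UPLOAD_ROOT.toRealPath())) {
            throw new SecurityException("symlink escapes upload root: " + userPath);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        String[] inputs = {
            "avatar/admin.png",                    // constructed legitimate avatar path
            "../../../../../../../../etc/passwd",  // the payload from the write-up
            "/etc/passwd"                          // absolute form of the same target
        };
        for (String in : inputs) {
            try {
                System.out.println("accepted: " + resolveInsideUploadRoot(in));
            } catch (RuntimeException e) {
                System.out.println("rejected: " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first input is accepted; the traversal payload normalizes to a path outside the upload root and is rejected before any File is opened.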

0x2 XSS
