joeybling / bootplus Goto Github PK
View Code? Open in Web Editor NEW基于SpringBoot + Shiro + MyBatisPlus的权限管理框架
Home Page: http://bootplus.diandianys.com/admin
License: MIT License
bootplus's Issues
vulnerability
概述:
我在使用springboot1版本进行二次开发,最后测试时发现本项目以及springboot1版本的项目存在两个比较严重的漏洞,分别是任意文件上传,shiro权限绕过。
问题:
1.任意文件上传
http://domain/admin/sys/user/avatar.html(漏洞页面,即头像上传处)
url:http://domain/file/upload
原因:
漏洞在文件SysFileController.java中52-100行,头像上传功能处。代码中只对上传的头像判空,并未做任何校验。只需要将webshell写入图片然后抓包修改后缀即可上传成功,点击提交修改的时候暴露了上传地址,直接访问即可getshell。
效果:
2.shiro权限绕过
payload:http://domain/;/需要授权页面路径
原因:
利用了spring控制器和shiro的路由处理方式不同,当这两个一起使用时,url先进入shiro鉴权,分号起到截断作用,"/;/admin/index.html"变成"/",从而绕过shiro。在spring中,分号路由默认会被去掉,"/;/admin/index.html"当成"/admin/index.html"解析,然后匹配相应路由。详细请参考漏洞编号cve-2020-11989。
效果:
解决方案:
1.文件上传漏洞
在代码中增加上传校验步骤,并将上传路径加密传输。例如:
/**
* 文件校验
*/
private int verifyForm(MultipartFile file){
// 大小: 0<file<1M
if (file == null || file.getSize() > 1048576){
return 0;
}
// 文件后缀: .png/.jpg/.jpeg
fileName = file.getOriginalFilename();
if (!fileName.contains(".") &&
!fileName.substring(fileName.lastIndexOf(".") + 1).equals("png") &&
!fileName.substring(fileName.lastIndexOf(".") + 1).equals("jpg") &&
!fileName.substring(fileName.lastIndexOf(".") + 1).equals("jpeg")){
return 0;
}
// 文件头: ffd8ff=jpg/jpeg,89504e47=png
if (!getFile(file).toLowerCase().startsWith("ffd8ff") &&
!getFile(file).toLowerCase().startsWith("89504e47")){
return 0;
}
// 文件名字是否包含sql注入特征:
if (Pattern.matches("[()<>/';\"@#!$%^`-]*", fileName)){
return 0;
}
// 文件内容是否为图片
if (FileTypeHelp.getImageFileType((File) file) == null ||
!FileTypeHelp.getImageFileType((File) file).equals("PNG") ||
!FileTypeHelp.getImageFileType((File) file).equals("JPG") ||
!FileTypeHelp.getImageFileType((File) file).equals("JPEG")){
return 0;
}
return 1;
}
public R upload(...){
...
// 上传路径加密传输: AES->Base64
fileContextPath = fileContextPath.replace("/", "+");
byte[] encrypt = AESUtil.encrypt(fileContextPath.getBytes(StandardCharsets.UTF_8), AESKEY);
return R.ok().put("filePath", Base64.getEncoder().encodeToString(encrypt));
}
public R updateAvatar(...){
// 解密头像上传地址: Base64->AES
byte[] decryptd = AESUtil.decrypt(
Base64.getDecoder().decode(avatarUrl), AESKEY);
currentUser.setAvatarUrl(new String(decryptd).replace("+", "/"));
int updateAvatar = sysUserService.updateAvatar(currentUser);
...
}
2.shiro权限绕过
将依赖版本升级至 1.7.1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.