Commit dfc3316

committed
add file upload
1 parent 790d2c5 commit dfc3316
7 files changed: +138 -29 lines changed

‎README.md‎

+14 -3 (14 additions & 3 deletions)
@@ -16,6 +16,7 @@
1616
- [CRLF注入](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
1717
- [远程命令执行](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
1818
- [反序列化](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
19+
- [文件上传](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
1920

2021
## 如何运行
2122

@@ -59,13 +60,12 @@ http://localhost:8080/rce/exec?cmd=whoami
5960
Viarus
6061
```
6162

62-
## 说明
6363

6464
## SSRF
6565

6666
针对SSRF具体利用,可以阅读我写的[这篇博文](https://joychou.org/java/javassrf.html)
6767

68-
### 反序列化
68+
## 反序列化
6969

7070
打包ysoserial
7171

@@ -92,4 +92,15 @@ def poc(url , gadget, command):
9292

9393
if __name__ == '__main__':
9494
poc('http://127.0.0.1:8080/deserialize/test', 'CommonsCollections5', 'open -a Calculator')
95-
```
95+
```
96+
97+
## 文件上传
98+
99+
目前这类漏洞在spring里非常少,原因有两点:
100+
1. 大多数公司上传的文件都会到cdn
101+
2. spring的jsp文件必须在web-inf目录下才能执行
102+
103+
除非,可以上传war包到tomcat的webapps目录。所以就不YY写漏洞了。
104+
105+
访问`http://localhost:8080/file/`进行文件上传,上传成功后,再访问`http://localhost:8080/image/上传的文件名`可访问上传后的文件。
106+
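Review bot: the new 文件上传 section says an upload vulnerability is not worth writing ("就不YY写漏洞了"), but the FileUpload controller added in this same commit writes `file.getOriginalFilename()` straight under `/tmp/` with no name, extension or size check, and imageConfig then serves all of `/tmp/` at `/image/**`; the README should state which it is, either that `/file/upload` is intentionally unsafe (and what to try against it) or that it is the safe reference and why. The two reasons given (uploads go to a CDN; JSPs only execute from WEB-INF) only argue that uploaded code will not run, not that an arbitrary file write or traversal through the filename is harmless, so the claim should be narrowed to that.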

‎java-sec-code.iml‎

+9 -25 (9 additions & 25 deletions)
@@ -9,10 +9,6 @@
99
<webroots>
1010
<root url="file://$MODULE_DIR$/src/main/webapp" relative="/" />
1111
</webroots>
12-
<sourceRoots>
13-
<root url="file://$MODULE_DIR$/src/main/java" />
14-
<root url="file://$MODULE_DIR$/src/main/resources" />
15-
</sourceRoots>
1612
</configuration>
1713
</facet>
1814
</component>
@@ -22,38 +18,17 @@
2218
<content url="file://$MODULE_DIR$">
2319
<sourceFolder url="file://$MODULE_DIR$/src/main/java" isTestSource="false" />
2420
<sourceFolder url="file://$MODULE_DIR$/src/main/resources" type="java-resource" />
25-
<sourceFolder url="file://$MODULE_DIR$/src/test/java" isTestSource="true" />
2621
<excludeFolder url="file://$MODULE_DIR$/target" />
2722
</content>
2823
<orderEntry type="inheritedJdk" />
2924
<orderEntry type="sourceFolder" forTests="false" />
30-
<orderEntry type="module-library">
31-
<library>
32-
<CLASSES>
33-
<root url="jar://$USER_HOME$/javasec/commons-collections-3.2.1.jar!/" />
34-
</CLASSES>
35-
<JAVADOC />
36-
<SOURCES />
37-
</library>
38-
</orderEntry>
39-
<orderEntry type="module-library">
40-
<library>
41-
<CLASSES>
42-
<root url="jar://$MODULE_DIR$/../CDNBalance-1.1.1.jar!/" />
43-
</CLASSES>
44-
<JAVADOC />
45-
<SOURCES />
46-
</library>
47-
</orderEntry>
48-
<orderEntry type="library" scope="PROVIDED" name="Maven: org.apache.tomcat:tomcat-servlet-api:8.0.36" level="project" />
4925
<orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-web:1.5.1.RELEASE" level="project" />
5026
<orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter:1.5.1.RELEASE" level="project" />
5127
<orderEntry type="library" name="Maven: org.springframework.boot:spring-boot:1.5.1.RELEASE" level="project" />
5228
<orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-autoconfigure:1.5.1.RELEASE" level="project" />
5329
<orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-logging:1.5.1.RELEASE" level="project" />
5430
<orderEntry type="library" name="Maven: ch.qos.logback:logback-classic:1.1.9" level="project" />
5531
<orderEntry type="library" name="Maven: ch.qos.logback:logback-core:1.1.9" level="project" />
56-
<orderEntry type="library" name="Maven: org.slf4j:slf4j-api:1.7.22" level="project" />
5732
<orderEntry type="library" name="Maven: org.slf4j:jcl-over-slf4j:1.7.22" level="project" />
5833
<orderEntry type="library" name="Maven: org.slf4j:jul-to-slf4j:1.7.22" level="project" />
5934
<orderEntry type="library" name="Maven: org.slf4j:log4j-over-slf4j:1.7.22" level="project" />
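Review bot: dropping the `module-library` entries that pointed at `$USER_HOME$/javasec/commons-collections-3.2.1.jar` and `$MODULE_DIR$/../CDNBalance-1.1.1.jar` is right, since neither path is in the repo and they would not resolve on another checkout; the rest of this hunk (the removed `src/test/java` source folder, the reshuffled `slf4j-api` entry) is IDE churn, so consider adding `*.iml` to `.gitignore` and letting `pom.xml` be the only dependency record.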
@@ -73,6 +48,15 @@
7348
<orderEntry type="library" name="Maven: org.springframework:spring-webmvc:4.3.6.RELEASE" level="project" />
7449
<orderEntry type="library" name="Maven: org.springframework:spring-expression:4.3.6.RELEASE" level="project" />
7550
<orderEntry type="library" scope="PROVIDED" name="Maven: org.apache.tomcat:tomcat-servlet-api:8.0.36" level="project" />
51+
<orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-thymeleaf:1.5.1.RELEASE" level="project" />
52+
<orderEntry type="library" name="Maven: org.thymeleaf:thymeleaf-spring4:2.1.5.RELEASE" level="project" />
53+
<orderEntry type="library" name="Maven: org.thymeleaf:thymeleaf:2.1.5.RELEASE" level="project" />
54+
<orderEntry type="library" name="Maven: ognl:ognl:3.0.8" level="project" />
55+
<orderEntry type="library" name="Maven: org.javassist:javassist:3.21.0-GA" level="project" />
56+
<orderEntry type="library" name="Maven: org.unbescape:unbescape:1.1.0.RELEASE" level="project" />
57+
<orderEntry type="library" name="Maven: org.slf4j:slf4j-api:1.7.22" level="project" />
58+
<orderEntry type="library" name="Maven: nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:1.4.0" level="project" />
59+
<orderEntry type="library" name="Maven: org.codehaus.groovy:groovy:2.4.7" level="project" />
7660
<orderEntry type="library" name="Maven: com.google.guava:guava:21.0" level="project" />
7761
<orderEntry type="library" name="Maven: commons-collections:commons-collections:3.1" level="project" />
7862
<orderEntry type="library" name="Maven: commons-lang:commons-lang:2.4" level="project" />
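Review bot: the entries added here show what `spring-boot-starter-thymeleaf` pulls in: thymeleaf 2.1.5, `ognl:ognl:3.0.8`, `org.javassist:javassist:3.21.0-GA`, `org.codehaus.groovy:groovy:2.4.7` and the layout dialect, alongside the existing `commons-collections:commons-collections:3.1`; for a repo whose README walks through ysoserial gadgets, it is worth recording in the README which of these libraries are now on the classpath, since that determines which chains a reader can expect to work.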

‎pom.xml‎

+9 -1 (9 additions & 1 deletion)
@@ -9,6 +9,7 @@
99
<version>1.0.0</version>
1010
<packaging>war</packaging>
1111

12+
1213
<parent>
1314
<groupId>org.springframework.boot</groupId>
1415
<artifactId>spring-boot-starter-parent</artifactId>
@@ -19,7 +20,7 @@
1920
<dependency>
2021
<groupId>org.springframework.boot</groupId>
2122
<artifactId>spring-boot-starter-web</artifactId>
22-
<!-- 移除嵌入式tomcat插件 -->
23+
<!-- 移除嵌入式tomcat插件,为了使用非嵌入式的tomcat -->
2324
<exclusions>
2425
<exclusion>
2526
<groupId>org.springframework.boot</groupId>
@@ -36,6 +37,13 @@
3637
<scope>provided</scope>
3738
</dependency>
3839

40+
<!-- 添加thymeleaf为了动态解析html-->
41+
<dependency>
42+
<groupId>org.springframework.boot</groupId>
43+
<artifactId>spring-boot-starter-thymeleaf</artifactId>
44+
</dependency>
45+
46+
3947
<dependency>
4048
<groupId>com.google.guava</groupId>
4149
<artifactId>guava</artifactId>
New file: +66 (66 additions & 0 deletions)
@@ -0,0 +1,66 @@
1+
package org.joychou.controller;
2+
3+
import org.springframework.stereotype.Controller;
4+
import org.springframework.web.bind.annotation.GetMapping;
5+
import org.springframework.web.bind.annotation.PostMapping;
6+
import org.springframework.web.bind.annotation.RequestMapping;
7+
import org.springframework.web.bind.annotation.RequestParam;
8+
import org.springframework.web.multipart.MultipartFile;
9+
import org.springframework.web.servlet.mvc.support.RedirectAttributes;
10+
11+
import java.io.IOException;
12+
import java.nio.file.Files;
13+
import java.nio.file.Path;
14+
import java.nio.file.Paths;
15+
16+
/**
17+
* @author: JoyChou (joychou@joychou.org)
18+
* @date: 2018.08.15
19+
* @desc: Java file upload
20+
*/
21+
22+
@Controller
23+
@RequestMapping("/file")
24+
public class FileUpload {
25+
26+
// Save the uploaded file to this folder
27+
private static String UPLOADED_FOLDER = "/tmp/";
28+
29+
@GetMapping("/")
30+
public String index() {
31+
return "upload"; // return upload.html page
32+
}
33+
34+
@PostMapping("/upload")
35+
public String singleFileUpload(@RequestParam("file") MultipartFile file,
36+
RedirectAttributes redirectAttributes) {
37+
if (file.isEmpty()) {
38+
// 赋值给uploadStatus.html里的动态参数message
39+
redirectAttributes.addFlashAttribute("message", "Please select a file to upload");
40+
return "redirect:/file/status";
41+
}
42+
43+
try {
44+
// Get the file and save it somewhere
45+
byte[] bytes = file.getBytes();
46+
Path path = Paths.get(UPLOADED_FOLDER + file.getOriginalFilename());
47+
Files.write(path, bytes);
48+
49+
redirectAttributes.addFlashAttribute("message",
50+
"You successfully uploaded '" + UPLOADED_FOLDER + file.getOriginalFilename() + "'");
51+
52+
} catch (IOException e) {
53+
redirectAttributes.addFlashAttribute("message", "upload failed");
54+
e.printStackTrace();
55+
return "uploadStatus";
56+
}
57+
58+
return "redirect:/file/status";
59+
}
60+
61+
@GetMapping("/status")
62+
public String uploadStatus() {
63+
return "uploadStatus";
64+
}
65+
66+
}
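Review bot: `Paths.get(UPLOADED_FOLDER + file.getOriginalFilename())` in `singleFileUpload` uses the client-supplied filename verbatim, and nothing in this class strips path components or checks extension, content type or size, so a multipart filename carrying `../` segments would write outside `/tmp/` wherever the Tomcat user can write; if this endpoint is meant to be the safe counterpart the README describes, keep only the last segment (`Paths.get(file.getOriginalFilename()).getFileName()`), resolve it against the upload directory, `normalize()` it and reject the request when the result does not start with that directory; if it is meant to be vulnerable, say so in the class javadoc. Separately, the `catch (IOException e)` branch adds a flash attribute and then returns the view name `uploadStatus` directly instead of `redirect:/file/status`, so that flash attribute is never carried into the render and `${message}` is empty on failure; return the redirect there as the other two paths do. Minor: `UPLOADED_FOLDER` should be `final`, and `e.printStackTrace()` belongs on a logger.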
New file: +17 (17 additions & 0 deletions)
@@ -0,0 +1,17 @@
1+
package org.joychou;
2+
3+
import org.springframework.context.annotation.Configuration;
4+
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
5+
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
6+
7+
/**
8+
* 将本地的/tmp/目录的文件映射到http://localhost:8080/image/
9+
*/
10+
@Configuration
11+
public class imageConfig extends WebMvcConfigurerAdapter{
12+
@Override
13+
public void addResourceHandlers(ResourceHandlerRegistry registry) {
14+
registry.addResourceHandler("/image/**").addResourceLocations("file:/tmp/");
15+
super.addResourceHandlers(registry);
16+
}
17+
}
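Review bot: `addResourceLocations("file:/tmp/")` under `/image/**` exposes every readable file in `/tmp/` over HTTP, not only the uploads, so anything another process leaves there becomes fetchable by name; point both `UPLOADED_FOLDER` in FileUpload and this handler at a dedicated upload directory and keep that path in one property rather than two hard-coded `/tmp/` strings. Minor: Java classes are `UpperCamelCase` (`ImageConfig`), and `super.addResourceHandlers(registry)` is a no-op on `WebMvcConfigurerAdapter`, so it can go.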
New file: +13 (13 additions & 0 deletions)
@@ -0,0 +1,13 @@
1+
<!DOCTYPE html>
2+
<html xmlns:th="http://www.thymeleaf.org">
3+
<body>
4+
5+
<h3>file upload</h3>
6+
7+
<form method="POST" action="/file/upload" enctype="multipart/form-data">
8+
<input type="file" name="file" /><br/><br/>
9+
<input type="submit" value="Submit" />
10+
</form>
11+
12+
</body>
13+
</html>
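Review bot: the form posts to the absolute path `/file/upload`, which only resolves when the war is deployed at the root context; since `pom.xml` packages this as a war for a non-embedded Tomcat (see the 移除嵌入式tomcat插件 comment), use `th:action="@{/file/upload}"` so Thymeleaf prefixes the context path. The `xmlns:th` declaration is otherwise unused in this template.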
New file: +10 (10 additions & 0 deletions)
@@ -0,0 +1,10 @@
1+
<!DOCTYPE html>
2+
<html lang="en" xmlns:th="http://www.thymeleaf.org">
3+
<body>
4+
5+
<div th:if="${message}">
6+
<h4 th:text="${message}"/>
7+
</div>
8+
9+
</body>
10+
</html>
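Review bot: `th:text="${message}"` is the right choice and should stay `th:text`, not `th:utext`, because `message` embeds the client-controlled `file.getOriginalFilename()` from FileUpload and `th:text` HTML-escapes it; a one-line comment in the template saying so would stop a later edit from "fixing" it to raw output. The self-closing `<h4 .../>` is well-formed XML and Thymeleaf 2.1 parses it, but `<h4 th:text="${message}"></h4>` is clearer.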
