Upload vulnerability in the JSP version of the Baidu UEditor open-source editor

Upload vulnerability in the JSP edition of Baidu UEditor. Tested against v1.2.2 (Java edition); other versions were not tested, check them yourself.

Heh, this site itself is built on Baidu UEditor v1.2.2.


Straight to the code.


imageUp.jsp


<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.io.*"%>
<%@ page import="org.apache.commons.fileupload.*" %>
<%@ page import="org.apache.commons.fileupload.util.*" %>
<%@ page import="org.apache.commons.fileupload.servlet.*" %>
<%@ page import="org.apache.commons.fileupload.FileItemIterator" %>
<%@ page import="org.apache.commons.fileupload.disk.DiskFileItemFactory" %>
<%@ page import="java.io.BufferedInputStream" %>
<%@ page import="java.io.BufferedOutputStream" %>
<%@ page import="java.io.File"%>
<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.OutputStream" %>
<%@ page import="java.io.FileOutputStream" %>
<%@ page import="java.util.regex.Matcher" %>
<%@ page import="java.util.regex.Pattern" %>
<%@ page import="java.util.Date" %>

<%
//Sample only, adapt before use (vendor comment)
//Directory the uploads are written to, relative to the web root
String filePath = "jsp/upload";
String realPath = request.getRealPath("/") + filePath;
//Create the directory if it does not exist yet
File dir = new File(realPath);
if(!dir.isDirectory())
    dir.mkdir();
if(ServletFileUpload.isMultipartContent(request)){
    DiskFileItemFactory dff = new DiskFileItemFactory();
    dff.setRepository(dir);
    dff.setSizeThreshold(1024000);
    ServletFileUpload sfu = new ServletFileUpload(dff);
    FileItemIterator fii = sfu.getItemIterator(request);
    String title = "";   //image title
    String url = "";    //image path
    String fileName = "";
    String noName = "";
    String state="SUCCESS";
    String ftype = "";

    try{
        while(fii.hasNext()){
            FileItemStream fis = fii.next();

                if(!fis.isFormField() && fis.getName().length()>0){
                    fileName = fis.getName();
                    //The flawed check: '|' binds loosest, so only "gif" is anchored by '$',
                    //and find() accepts a match anywhere in the name, e.g. "xx.jpg.jsp"
                    Pattern reg=Pattern.compile("[.]jpg|png|jpeg|gif$");
                    Matcher matcher=reg.matcher(fileName);
                    if(!matcher.find()) {
                        state = "File type not allowed!";
                        break;
                    }
                    ftype = matcher.group();
                    fileName = new Date().getTime()+ftype;
                    url = realPath+"/"+fileName;
                    BufferedInputStream in = new BufferedInputStream(fis.openStream());//input stream of the uploaded file
                    FileOutputStream a = new FileOutputStream(new File(url));
                    BufferedOutputStream output = new BufferedOutputStream(a);
                    Streams.copy(in, output, true);//write the file into the upload directory
                }else{
                    String fname = fis.getFieldName();
                    if(fname.indexOf("fileName")!=-1){
                        //only the first 10 bytes of the field are read (vendor behaviour)
                        BufferedInputStream in = new BufferedInputStream(fis.openStream());
                        byte c [] = new byte[10];
                        int n = 0;
                        while((n=in.read(c))!=-1){
                            noName = new String(c,0,n);
                            break;
                        }
                        in.close();

                    }
                    if(fname.indexOf("pictitle")!=-1){
                        BufferedInputStream in = new BufferedInputStream(fis.openStream());
                        byte c [] = new byte[10];
                        int n = 0;
                        while((n=in.read(c))!=-1){
                            title = new String(c,0,n);
                            break;
                        }
                        in.close();
                    }
                }
        }
    }catch(Exception e){
        e.printStackTrace();
    }
    //HTML-escape the title before echoing it back
    title = title.replace("&", "&amp;").replace("'", "&apos;").replace("\"", "&quot;").replace("<", "&lt;").replace(">", "&gt;");
    response.getWriter().print("{'no':'"+noName+"','url':'"+filePath.substring(filePath.lastIndexOf("/")+1,filePath.length())+"/"+fileName+"','title':'"+title+"','state':'"+state+"'}");

}
%>


The problem is in imageUp.jsp.

The uploaded file name is validated with a Java regular expression, Pattern.compile("[.]jpg|png|jpeg|gif$"). Because | has the lowest precedence in a regex, this is four independent alternatives, and only the last one (gif) is anchored to the end of the string with $; find() accepts a match anywhere in the name. A name such as xx.jpg.jsp or xx.png.jsp therefore passes the check. The new file name is then built without using lastIndexOf() to locate the last dot, so the file keeps its .jsp extension and lands under the web root, where the container executes it. Verify which name-rebuild variant your copy ships: in the listing reproduced above ftype comes from matcher.group(), the matched fragment, while a copy that derives the extension from the first dot, fileName.substring(fileName.indexOf(".")), writes xx.jpg.jsp to disk as <timestamp>.jpg.jsp.

Baidu should fix this upstream. The vendor states that this JSP uploader is only a sample, but many developers and site owners deploy it essentially unmodified.
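To see exactly which names get through the check, the following is an added example, not UEditor code and not code from this post. It feeds a few constructed file names through the exact pattern used by the vulnerable imageUp.jsp and prints what matcher.group() hands back as ftype, next to a correctly anchored, case-insensitive pattern. The class and method names are my own.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example; not UEditor code and not code from the post.
 * Shows what the vulnerable pattern accepts and what it returns as "ftype".
 */
public class UeditorRegexCheck {

    // The pattern from the vulnerable page. '|' has the lowest precedence,
    // so this is four alternatives:  [.]jpg  |  png  |  jpeg  |  gif$
    // Only "gif" is anchored to the end of the string, and find() accepts a
    // match anywhere in the name.
    static final Pattern VULNERABLE = Pattern.compile("[.]jpg|png|jpeg|gif$");

    // Anchored replacement: a literal dot, one allowed extension, then end of
    // string; CASE_INSENSITIVE so "PHOTO.JPG" is treated like "photo.jpg".
    static final Pattern ANCHORED =
            Pattern.compile("\\.(jpg|jpeg|png|gif)$", Pattern.CASE_INSENSITIVE);

    /** What the vulnerable page stores in ftype, or null when it rejects the name. */
    static String vulnerableFtype(String fileName) {
        Matcher m = VULNERABLE.matcher(fileName);
        return m.find() ? m.group() : null;
    }

    /** Extension derived from the anchored pattern, or null when rejected. */
    static String anchoredExtension(String fileName) {
        Matcher m = ANCHORED.matcher(fileName);
        return m.find() ? m.group(1).toLowerCase() : null;
    }

    public static void main(String[] args) {
        // Constructed names, not taken from any real upload.
        String[] names = {
            "cat.jpg",          // legitimate
            "shell.jpg.jsp",    // double extension, the case from the post
            "shell.png.jsp",    // passes via the unanchored "png" alternative
            "shell.jspgif",     // passes via "gif$" with no dot at all
            "logo.gif",         // legitimate, but group() is "gif" without the dot
            "evil.jsp",         // rejected by both patterns
            "PHOTO.JPG"         // rejected by the case-sensitive vulnerable pattern
        };
        System.out.printf("%-16s %-20s %s%n", "file name", "vulnerable ftype", "anchored ext");
        for (String n : names) {
            System.out.printf("%-16s %-20s %s%n", n, vulnerableFtype(n), anchoredExtension(n));
        }
    }
}
```

Two things the table makes visible: the check itself is unanchored for three of the four alternatives, so any name containing png or jpeg anywhere passes; and for names matched through the png, jpeg or gif alternatives, group() returns the bare word without the dot, so what ends up on disk depends entirely on how the page rebuilds the name from the client-supplied string.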



Fix:

Complete fixed imageUp.jsp:


<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.io.*"%>
<%@ page import="org.apache.commons.fileupload.*" %>
<%@ page import="org.apache.commons.fileupload.util.*" %>
<%@ page import="org.apache.commons.fileupload.servlet.*" %>
<%@ page import="org.apache.commons.fileupload.FileItemIterator" %>
<%@ page import="org.apache.commons.fileupload.disk.DiskFileItemFactory" %>
<%@ page import="java.io.BufferedInputStream" %>
<%@ page import="java.io.BufferedOutputStream" %>
<%@ page import="java.io.File"%>
<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.OutputStream" %>
<%@ page import="java.io.FileOutputStream" %>
<%@ page import="java.util.regex.Matcher" %>
<%@ page import="java.util.regex.Pattern" %>
<%@ page import="java.util.Date" %>

<%
//Sample only, adapt before use
request.setCharacterEncoding("UTF-8");
response.setCharacterEncoding("UTF-8");
//Directory the uploads are written to, relative to the web root
String filePath = "ufile";
//application.getRealPath("/") is the non-deprecated equivalent of request.getRealPath("/")
String realPath = application.getRealPath("/") + filePath;
//Create the directory if it does not exist yet
File dir = new File(realPath);
if(!dir.isDirectory())
    dir.mkdir();
if(ServletFileUpload.isMultipartContent(request)){

    DiskFileItemFactory dff = new DiskFileItemFactory();
    dff.setRepository(dir);
    dff.setSizeThreshold(1024000);
    ServletFileUpload sfu = new ServletFileUpload(dff);
    FileItemIterator fii = sfu.getItemIterator(request);
    String title = "";   //image title
    String url = "";    //image path
    String fileName = "";
    String noName = "";
    String state="SUCCESS";
    String newFileName="";

    try{
        while(fii.hasNext()){
            FileItemStream fis = fii.next();

                if(!fis.isFormField() && fis.getName().length()>0){
                    fileName = fis.getName();

                    //Allowed extensions (allow-list)
                    String[] allowFile="jpg,gif,jpeg,png".split(",");

                    //Deny by default
                    boolean canupload=false;

                    //Extension of the uploaded file: everything after the LAST dot,
                    //so "xx.jpg.jsp" yields "jsp" and is rejected.
                    //A name without a dot has no extension and is rejected as well.
                    int dot = fileName.lastIndexOf(".");
                    String upex = (dot < 0) ? "" : fileName.substring(dot+1);

                    for(String ex:allowFile){
                        if(ex.equals(upex)){
                            //on the allow-list
                            canupload=true;
                            break;
                        }
                    }
                    //Extension not on the allow-list: refuse the upload
                    if(canupload==false) {
                        state = "File type not allowed!";
                        break;
                    }
                    //New name: timestamp plus the validated extension; nothing from the
                    //client-supplied name reaches the file system
                    newFileName=new Date().getTime()+"."+upex;
                    url = realPath+"/"+newFileName;
                    BufferedInputStream in = new BufferedInputStream(fis.openStream());//input stream of the uploaded file
                    FileOutputStream a = new FileOutputStream(new File(url));
                    BufferedOutputStream output = new BufferedOutputStream(a);
                    Streams.copy(in, output, true);//write the file into the upload directory
                }else{
                    String fname = fis.getFieldName();
                    if(fname.indexOf("fileName")!=-1){
                        //only the first 10 bytes of the field are read (as in the original)
                        BufferedInputStream in = new BufferedInputStream(fis.openStream());
                        byte c [] = new byte[10];
                        int n = 0;
                        while((n=in.read(c))!=-1){
                            noName = new String(c,0,n);
                            break;
                        }
                        in.close();

                    }
                    if(fname.indexOf("pictitle")!=-1){
                        BufferedInputStream in = new BufferedInputStream(fis.openStream());
                        byte c [] = new byte[10];
                        int n = 0;
                        while((n=in.read(c))!=-1){
                            title = new String(c,0,n);
                            break;
                        }
                        in.close();
                    }
                }

        }
    }catch(Exception e){
        e.printStackTrace();
    }
    //HTML-escape the title before echoing it back
    title = title.replace("&", "&amp;").replace("'", "&apos;").replace("\"", "&quot;").replace("<", "&lt;").replace(">", "&gt;");

    //Same response format as the original page, with the new file name
    response.getWriter().print("{'no':'"+noName+"','url':'"+filePath.substring(filePath.lastIndexOf("/")+1,filePath.length())+"/"+newFileName+"','title':'"+title+"','state':'"+state+"'}");
}
%>
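The fix above trusts the extension alone, and it compares case-sensitively, so "x.JPG" is refused while nothing checks that the bytes are an image at all. The following is an added example, not UEditor code and not the fix from the post, that bundles the two checks a hardened imageUp.jsp should run before anything touches disk: an allow-listed extension taken after the last dot (lower-cased, base name only, ASCII letters and digits only) and a magic-byte check that the body really carries the signature of the claimed image type. Class and method names, and the sample bodies in main(), are my own constructions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Added example; not UEditor code and not the fix from the post.
 * Validates an upload by extension allow-list and by file signature.
 */
public class UploadGuard {

    // Extensions the editor may store, lower case.
    static final Set<String> ALLOWED =
            new HashSet<>(Arrays.asList("jpg", "jpeg", "png", "gif"));

    /**
     * Extension to save the file under, or null to reject the upload.
     * "x.jpg.jsp" yields "jsp" and is rejected; "x.JPG" yields "jpg".
     */
    static String safeExtension(String clientName) {
        if (clientName == null) return null;
        // Some browsers send a full client-side path; keep only the base name.
        int slash = Math.max(clientName.lastIndexOf('/'), clientName.lastIndexOf('\\'));
        String base = clientName.substring(slash + 1);
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) return null;   // no extension, or trailing dot
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        for (int i = 0; i < ext.length(); i++) {               // ASCII letters and digits only
            char c = ext.charAt(i);
            if (c > 127 || !Character.isLetterOrDigit(c)) return null;
        }
        return ALLOWED.contains(ext) ? ext : null;
    }

    /** True when the first bytes of the upload carry the signature of the claimed type. */
    static boolean magicMatches(byte[] head, String ext) {
        if (head == null || ext == null) return false;
        switch (ext) {
            case "jpg":
            case "jpeg":
                return startsWith(head, new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF});
            case "png":
                return startsWith(head, new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A});
            case "gif":
                return startsWith(head, "GIF87a".getBytes(StandardCharsets.US_ASCII))
                        || startsWith(head, "GIF89a".getBytes(StandardCharsets.US_ASCII));
            default:
                return false;
        }
    }

    private static boolean startsWith(byte[] data, byte[] prefix) {
        return data.length >= prefix.length
                && Arrays.equals(Arrays.copyOf(data, prefix.length), prefix);
    }

    /** Combined decision: the extension to store under, or null to refuse the upload. */
    static String decide(String clientName, byte[] head) {
        String ext = safeExtension(clientName);
        return (ext != null && magicMatches(head, ext)) ? ext : null;
    }

    public static void main(String[] args) {
        // Constructed sample bodies, not captured from a real upload.
        byte[] jpegHead = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF, (byte) 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F'};
        byte[] jspHead = "<%@ page import=\"java.io.*\" %>".getBytes(StandardCharsets.UTF_8);

        String[] names = {
            "cat.jpg",                 // plain image
            "PHOTO.JPEG",              // upper-case extension
            "shell.jpg.jsp",           // double extension from the post
            "shell.jpg",               // image name, JSP body
            "C:\\tmp\\shell.jsp.gif",  // client path, JSP body
            "noext"                    // no extension at all
        };
        byte[][] bodies = {jpegHead, jpegHead, jspHead, jspHead, jspHead, jpegHead};
        for (int i = 0; i < names.length; i++) {
            System.out.printf("%-24s -> %s%n", names[i], decide(names[i], bodies[i]));
        }
    }
}
```

In the JSP, call decide() on the client name and the first bytes of the part before opening the FileOutputStream, and build the stored name from the returned extension only. The signature check is a second line of defence, not a replacement for the allow-list: a valid JPEG with JSP text appended still passes it, so the upload directory must also be one where the container does not execute .jsp files, or live outside the web root and be served through a handler that sets an image Content-Type.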



Copyright (c) 2012-2013 www.shack2.org All Rights Reserved. | Program design: shack2, powered by SJBlog v1.0