
There exists an arbitrary file upload and delete vulnerability in the Database management and Deployment management #851

Closed
nerowander opened this issue Jul 26, 2024 · 0 comments

Comments

@nerowander

Description

Eladmin is a back-end management system with front-end and back-end separation, based on Spring Boot 2.6.4, Spring Boot Jpa, JWT, Spring Security, Redis, and Vue.

Eladmin v2.7 has an arbitrary file upload vulnerability in the Database management and Deployment management.

Attackers can construct filenames like ../../file to upload arbitrary files to arbitrary directories or delete arbitrary files in arbitrary directories.

The affected API interfaces are /api/deploy/upload and /api/database/upload.

Vulnerable code

The code corresponding to these two interfaces does not filter the path or the suffix of the uploaded file name.

https://github.com/elunez/eladmin/blob/master/eladmin-system/src/main/java/me/zhengjie/modules/mnt/rest/DatabaseController.java

```java
	@Log("执行SQL脚本")
	@ApiOperation(value = "执行SQL脚本")
	@PostMapping(value = "/upload")
	@PreAuthorize("@el.check('database:add')")
	public ResponseEntity<Object> uploadDatabase(@RequestBody MultipartFile file, HttpServletRequest request) throws Exception {
		String id = request.getParameter("id");
		DatabaseDto database = databaseService.findById(id);
		String fileName;
		if (database != null) {
			// client-supplied name is concatenated onto fileSavePath without any sanitisation
			fileName = file.getOriginalFilename();
			File executeFile = new File(fileSavePath + fileName);
			FileUtil.del(executeFile);
			file.transferTo(executeFile);
			String result = SqlUtils.executeFile(database.getJdbcUrl(), database.getUserName(), database.getPwd(), executeFile);
			return new ResponseEntity<>(result, HttpStatus.OK);
		} else {
			throw new BadRequestException("Database not exist");
		}
	}
```

https://github.com/elunez/eladmin/blob/master/eladmin-system/src/main/java/me/zhengjie/modules/mnt/rest/DeployController.java

```java
	@Log("上传文件部署")
	@ApiOperation(value = "上传文件部署")
	@PostMapping(value = "/upload")
	@PreAuthorize("@el.check('deploy:edit')")
	public ResponseEntity<Object> uploadDeploy(@RequestBody MultipartFile file, HttpServletRequest request) throws Exception {
		Long id = Long.valueOf(request.getParameter("id"));
		String fileName = "";
		if (file != null) {
			// client-supplied name is concatenated onto fileSavePath without any sanitisation
			fileName = file.getOriginalFilename();
			File deployFile = new File(fileSavePath + fileName);
			FileUtil.del(deployFile);
			file.transferTo(deployFile);
			// the next step works from the file name
			deployService.deploy(fileSavePath + fileName, id);
		} else {
			System.out.println("没有找到相对应的文件");
		}
		System.out.println("文件上传的原名称为:" + Objects.requireNonNull(file).getOriginalFilename());
		Map<String, Object> map = new HashMap<>(2);
		map.put("errno", 0);
		map.put("id", fileName);
		return new ResponseEntity<>(map, HttpStatus.OK);
	}
```

Attackers can exploit this vulnerability to upload dynamic link libraries or write scheduled tasks to implement RCE. Attackers can also delete any files in any directory, affecting the stable operation of the web service site.

How to reproduce

POC

/api/database/upload

Upload arbitrary files to arbitrary directories


Delete arbitrary files in arbitrary directories

First I create a file named something-important in the /tmp directory.


The something-important file has been deleted.

/api/deploy/upload

Upload arbitrary files to arbitrary directories


Delete arbitrary files in arbitrary directories

The situation is the same as for the /api/database/upload interface above.

Versions

eladmin ≤ v2.7

Reporter

https://github.com/nerowander
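For reference, a guard that would close the gap the report describes (an added example, not eladmin's own code or its eventual fix): it rejects any original filename carrying a path component, enforces a suffix allow-list, and checks the resolved path against the canonical upload directory before either the delete or the write happens. `fileSavePath` is assumed to be the directory String the two controllers already hold; the allow-list per endpoint (`sql` here) is an assumption, since the report only states that the suffix is unchecked.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

public final class UploadPathGuard {
    private UploadPathGuard() {}

    // Returns baseDir/originalFilename only if the name is a plain leaf (no '/', '\' or ".."),
    // its suffix is allow-listed, and the normalized path still lies inside the canonical base.
    // Otherwise it throws, so neither FileUtil.del() nor transferTo() can touch anything outside baseDir.
    public static Path resolveInside(String baseDir, String originalFilename,
                                     Set<String> allowedSuffixes) throws IOException {
        if (originalFilename == null || originalFilename.isBlank()) {
            throw new IllegalArgumentException("empty filename");
        }
        // Reject directory components outright instead of trying to strip them.
        if (originalFilename.indexOf('/') >= 0 || originalFilename.indexOf('\\') >= 0
                || originalFilename.equals("..") || originalFilename.equals(".")) {
            throw new IllegalArgumentException("filename must not contain path components");
        }
        int dot = originalFilename.lastIndexOf('.');
        String suffix = dot < 0 ? "" : originalFilename.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!allowedSuffixes.contains(suffix)) {
            throw new IllegalArgumentException("suffix not allowed: '" + suffix + "'");
        }
        // Defence in depth: compare against the canonical base directory (symlinks resolved).
        Path base = Paths.get(baseDir).toRealPath();
        Path target = base.resolve(originalFilename).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IllegalArgumentException("path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        String base = Files.createTempDirectory("eladmin-upload").toString(); // constructed base dir
        System.out.println("accepted: " + resolveInside(base, "init.sql", Set.of("sql")));
        for (String bad : new String[] {"../../tmp/something-important", "/tmp/other-file", "init.txt"}) {
            try {
                resolveInside(base, bad, Set.of("sql"));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage());
            }
        }
    }
}
```

In the controllers, `new File(fileSavePath + fileName)` would become `resolveInside(fileSavePath, file.getOriginalFilename(), allowed).toFile()`, and a rejection is worth logging since it only occurs on a crafted request.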

@elunez elunez closed this as completed in 008181b Jan 15, 2025