File upload vulnerability caused by the 00 file name truncation bug during Java file writing, and its fix

Source: Internet
Author: User

When writing a file in the two environments below, Java cannot name the newly created file correctly because of 00 truncation. For example, the user names the file abc.jsp .jpg (with the space replaced by a 00 byte), but after 00 truncation the name of the generated file becomes abc.jsp. The bug can therefore be used wherever an upload keeps the submitted file name unchanged or lets the user customize the name.

Test environment:

1. Windows 7 (x64) + tomcat7 + jdk1.6
2. Linux3.0 (ubuntu11.10) (x86) + tomcat7 + jdk1.7

The data sent in the test is as follows:

    POST /simpleUpload/write.jsp HTTP/1.1
    Accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
    Accept-Language: zh-cn
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    Host: 192.168.200.142:8084
    Content-Length: 17
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: JSESSIONID=D2EC5F95AD581EB5FD3A860FC4CE640

    name=abc.jsp .jpg

(Note that the space in the name needs to be changed to 00 in a hexadecimal editor before uploading.)

The server code for testing is as follows:

    <%@ page import="java.io.*" %>
    <%
    out.clear();
    String filename = request.getParameter("name");
    if (filename != null) {
        // Build the target path directly from the user-supplied name (the behaviour under test).
        String path = application.getRealPath("/");
        String p = path + "/" + filename;
        File uploadfile = new File(p);
        if (!uploadfile.exists()) {
            uploadfile.createNewFile();
        }
        out.println("System Name:" + System.getProperty("os.name"));
        out.println("1.The information of UploadFile:");
        if (uploadfile != null) {
            out.println("a. the UploadFile exists!");
            out.println("b. the path of UploadFile: " + uploadfile.getAbsolutePath());
            out.println("c. the name of UploadFile: " + uploadfile.getName());
            // Drop the last 5 characters (the 00 byte plus ".jpg") to get the truncated name.
            p = uploadfile.getAbsolutePath().substring(0, uploadfile.getAbsolutePath().length() - 5);
            File bugFile = new File(p);
            out.println("2.The information of BugFile:");
            if (bugFile.exists()) {
                out.println("a. the BugFile exists!");
                out.println("b. the path of BugFile: " + bugFile.getAbsolutePath());
                out.println("c. the name of BugFile: " + bugFile.getName());
            } else {
                out.println("The BugFile:" + bugFile + " doesn't exist!");
            }
            // Rebuild the full name (truncated part + last 5 characters) and ask Java again.
            File uploadfile2 = new File(p + uploadfile.getAbsolutePath().substring(uploadfile.getAbsolutePath().length() - 5));
            out.println("3. assure whether the nonexistent UploadFile exists because of the java API or not:");
            if (uploadfile2.exists()) {
                out.println("a. the nonexistent UploadFile exists!");
                out.println("b. the path of nonexistent UploadFile: " + uploadfile2.getAbsolutePath());
                out.println("c. the name of nonexistent UploadFile: " + uploadfile2.getName());
            } else {
                out.println("The nonexistent UploadFile:" + uploadfile2 + " doesn't exist!");
            }
        } else
            out.println("The UploadFile:" + uploadfile + " isn't uploaded successfully!");
    } else {
        out.println("Null name!");
    }
    out.flush();
    %>

1. Returned results of the data submitted in Windows 7 (x64) + tomcat7 + jdk1.6:

2. Returned results of the data submitted in Linux3.0 (ubuntu11.10) (x86) + tomcat7 + jdk1.7:
From this we can see that point 1 succeeded: the file was uploaded, the file name abc.jsp00.jpg has not changed, and Java considers this file to exist. Point 2 also succeeded, indicating that abc.jsp exists. At point 3 we used abc.jsp00.jpg to check whether the file exists, and the result is that Java considers the file to exist. (Note: 00 here represents the hexadecimal character.)

When we open the corresponding directory, we find that only abc.jsp exists. This indicates that the 00 truncation of the file name is caused by Java, not by the operating system.

To prevent a web shell from being uploaded through this vulnerability, we recommend following the FCKeditor approach: use a regular expression to replace the illegal characters in any user-defined path name or file name. The code is as follows:

    filename = filename.replaceAll("\\\\|/|\\||:|\\?|\\*|\"|<|>|\\p{Cntrl}", "_");

(\p{Cntrl} in the regular expression matches control characters, which include the 00 character.)
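As an added example (not code from the original page or from FCKeditor), the class below applies the replaceAll() fix to the test name used above and sets a stricter reject-on-sight check beside it. The class name, the extension allow-list and the asSeenByFilesystem() helper are assumptions made for illustration; the helper only models the truncation described above and does not touch the file system.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

public class UploadNameCheck {
    // Character set from the page's replaceAll() fix: \ / | : ? * " < > and control characters.
    private static final Pattern ILLEGAL =
            Pattern.compile("\\\\|/|\\||:|\\?|\\*|\"|<|>|\\p{Cntrl}");
    // Hypothetical allow-list for this example.
    private static final Set<String> ALLOWED =
            new HashSet<String>(Arrays.asList("jpg", "png", "gif"));

    /** Replace illegal characters with "_", as the recommended fix does. */
    static String sanitize(String name) {
        return ILLEGAL.matcher(name).replaceAll("_");
    }

    /** Stricter variant: refuse the upload instead of rewriting the name. */
    static boolean isAcceptable(String name) {
        if (name == null || name.isEmpty() || ILLEGAL.matcher(name).find()) {
            return false;
        }
        int dot = name.lastIndexOf('.');
        if (dot <= 0 || dot == name.length() - 1) {
            return false; // no base name or no extension
        }
        String ext = name.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ALLOWED.contains(ext);
    }

    /** Model of the bug: the name that reaches the OS ends at the first 00 character. */
    static String asSeenByFilesystem(String name) {
        int nul = name.indexOf('\0');
        return nul < 0 ? name : name.substring(0, nul);
    }

    public static void main(String[] args) {
        String raw = "abc.jsp\0.jpg"; // constructed input: the test name from the request above
        System.out.println("suffix check sees .jpg: " + raw.endsWith(".jpg"));
        System.out.println("name after truncation:  " + asSeenByFilesystem(raw));
        System.out.println("sanitized name:         " + sanitize(raw));
        System.out.println("strict check on raw:    " + isAcceptable(raw));
        System.out.println("strict check on clean:  " + isAcceptable("photo.jpg"));
    }
}
```

Whichever variant is used, the check has to run on the same string that is later passed to new File(), so that the validated name and the written name cannot differ.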
