Simple Analysis of JSP version upload vulnerability in SinaEditor Secondary Development

0 × 00 about SinaEditor
0 × 01 vulnerability description
0 × 02 vulnerability Exploitation
0 × 03 Vulnerability Analysis
0 × 04 vulnerability repair
 
Author: itleaf
 
Note: I am a beginner. please correct me if the analysis is incorrect.
 
0 × 00 about SinaEditor
 
SinaEditor is an open source editor based on Sina Blog editor. You can use it to edit rich text content.
 
The core of the editor is an execution queue scheduling system. It adds plug-ins to implement functions and uses events to drive the editor. We encapsulate events once to effectively solve the problem that anonymous event functions cannot be recycled and reduce memory usage.
 
Features
 
All functions are compiled based on plug-ins. You can configure the function as needed.
Range API is provided. The text range of IE is compatible and extended to reduce the difficulty of writing the plug-in.
You can modify the appearance. You can customize the rendering of the editor by modifying or adding few codes.
For more references here http://code.google.com/p/sinaeditor/
 
0 × 01 vulnerability description
 
SinaEditor is an open-source web Editor. It is originally an asp version. Someone can develop a JSP version. I have analyzed a version with vulnerabilities.
This version has the upload vulnerability, which causes hackers to directly upload jsp webshells to intrude into the web server.
 
0 × 02 vulnerability Exploitation
 
 
 
0 × 03 Vulnerability Analysis
 
The. class file cannot be de-assembled and analyzed with limited capabilities and energy. The following code is a brief comment.
Vulnerability code
 
<% @ Page contentType = "text/html; charset = UTF-8" %>
<% @ Page import = "java. text. SimpleDateFormat" %>
<% @ Page import = "java. io. File" %>
<% @ Page import = "java. util. *" %>
<% @ Page import = "javazoom. upload. *" %>
<% @ Page import = "uploadutilities. FileMover" %>
<% @ Page errorPage = "ExceptionHandler. jsp" %>
<Head>
<Meta http-equiv = "Content-Type" content = "text/html; charset = UTF-8">
</Head> www.2cto.com
<%
Request. setCharacterEncoding ("UTF-8 ");
FileMover fileMover = new FileMover ();
UploadBean upBean = new UploadBean ();
MultipartFormDataRequest mrequest = null;
Hashtable files = null;
If (MultipartFormDataRequest. isMultipartFormData (request ))
{
Mrequest = new MultipartFormDataRequest (request, null, 100*1024*1024,
MultipartFormDataRequest. COSPARSER, "UTF-8 ");
Files = mrequest. getFiles ();
}
String sWebRootPath = request. getRealPath ("/");
String sPath = sWebRootPath + "upload \ Image ";
Int iFileCount = 0;
String sServerFileName = "";
String sLocalFileName = ""; // sLocalFileName sServerFileName should all be struct
If (files! = Null )&&(! Files. isEmpty ())){
IFileCount = files. size ();
UploadFile file = (UploadFile) files. get ("file1 ");
SLocalFileName = file. getFileName (); // obtain the local file
Int ii = sLocalFileName. indexOf ("."); // gets the local file.
String sExt = sLocalFileName. substring (ii, sLocalFileName. length ());
// Call sLocalFileName. substring here
// Its function should be to judge the. And later files. If the judgment succeeds, the suffix is obtained.
Java. util. Date dt = new java. util. Date (System. currentTimeMillis ());
SimpleDateFormat fmt = new SimpleDateFormat ("yyyyMMddHHmmssSSS ");
SServerFileName = fmt. format (dt );
SServerFileName = sServerFileName + sExt;
// Re-create the Server File Name
// Year, month, day, and time + Random Number + suffix
File dir = new File (sPath );
If (! Dir. exists ()){
Dir. mkdirs ();
}
UpBean. setFolderstore (sPath );
UpBean. setBlacklist ("*. jsp"); // call upBean here
// The general meaning is to determine whether or not it matches the. jsp format in the future, that is, the upload is prohibited; otherwise, all requests pass
// Because it is a jsp environment, it is not difficult to judge. jsp here, but it ignores windows vulnerabilities and parsing vulnerabilities.
// There are too many methods to judge against. jsp alone.
UpBean. addUploadListener (fileMover );
FileMover. setNewfilename (sServerFileName );
UpBean. store (mrequest, "file1 ");
Out. println ("<script> window. parent. LoadIMG ('/upload/Image/" + sServerFileName + "');
</Script> ");
} // Www.2cto.com does the author not understand/upload/Image during code copying?
}
%>
 
 
0 × 04 vulnerability repair
 
Add the following code at the end of row 31st:
 
If (sLocalFileName. contains (". jsp ")){
 
Return;
 
}
 
This is a temporary solution to the Image Upload Vulnerability in the editor of this version.
 
 
 
From the itleaf's blog http://www.itleaf.info /? P = 189