0day-seeyonOA-zipslip(win)
Incorrect decompression exists in seeyonOA v8. An attacker can gain access to the server through zipslip after obtaining ordinary user privileges.
Route
Analyse
The vulnerability lies in WorkFlowDesignerController.class
's importProcess
method, which constructs multipart upload to upload malicious zip compressed files and writes shell to the web directory via.. /
- get the input zipfile
- create the temporary file and directory
write the input to tempZipFile
- Extract zipfile and write to the file
CtpLocalFile newFile = new CtpLocalFile(savepath + entryName);
As can be seen from this code, the file name in the package is not checked during decompression, so that files can be written across directories.
POC
作者:Rainy-Day
出处:https://www.cnblogs.com/Rainy-Day/p/18061399
版权:本作品采用「署名-非商业性使用-相同方式共享 4.0 国际」许可协议进行许可。
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】凌霞软件回馈社区,博客园 & 1Panel & Halo 联合会员上线
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】博客园社区专享云产品让利特惠,阿里云新客6.5折上折
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· DeepSeek 解答了困扰我五年的技术问题。时代确实变了!
· PPT革命!DeepSeek+Kimi=N小时工作5分钟完成?
· What?废柴, 还在本地部署DeepSeek吗?Are you kidding?
· DeepSeek企业级部署实战指南:从服务器选型到Dify私有化落地
· 程序员转型AI:行业分析
2023-03-08 库源与类 AnnotationInvocationHandler 的字节码不符