There exists an arbitrary file upload and delete vulnerability in the Database management and Deployment management

[nerowander]

Description

Eladmin is a back-end management system with front-end and back-end separation based on Spring Boot 2.6.4, Spring Boot Jpa, JWT, Spring Security, Redis, and Vue

Eladmin v2.7 has an arbitrary file upload vulnerability in the Database management and Deployment management

Attackers can construct filenames like ../../file to upload arbitrary files to arbitrary directories or delete arbitrary files in arbitrary directories

The affected API interfaces are /api/deploy/upload and /api/database/upload

Vulnerable code

The codes corresponding to these two interfaces do not filter the path and suffix of the uploaded file name.

https://github.com/elunez/eladmin/blob/master/eladmin-system/src/main/java/me/zhengjie/modules/mnt/rest/DatabaseController.java

@Log("执行SQL脚本")
	@ApiOperation(value = "执行SQL脚本")
	@PostMapping(value = "/upload")
	@PreAuthorize("@el.check('database:add')")
	public ResponseEntity<Object> uploadDatabase(@RequestBody MultipartFile file, HttpServletRequest request)throws Exception{
		String id = request.getParameter("id");
		DatabaseDto database = databaseService.findById(id);
		String fileName;
		if(database != null){
			fileName = file.getOriginalFilename();
			File executeFile = new File(fileSavePath+fileName);
			FileUtil.del(executeFile);
			file.transferTo(executeFile);
			String result = SqlUtils.executeFile(database.getJdbcUrl(), database.getUserName(), database.getPwd(), executeFile);
			return new ResponseEntity<>(result,HttpStatus.OK);
		}else{
			throw new BadRequestException("Database not exist");
		}
	}

https://github.com/elunez/eladmin/blob/master/eladmin-system/src/main/java/me/zhengjie/modules/mnt/rest/DeployController.java

@Log("上传文件部署")
	@ApiOperation(value = "上传文件部署")
	@PostMapping(value = "/upload")
	@PreAuthorize("@el.check('deploy:edit')")
	public ResponseEntity<Object> uploadDeploy(@RequestBody MultipartFile file, HttpServletRequest request)throws Exception{
		Long id = Long.valueOf(request.getParameter("id"));
		String fileName = "";
		if(file != null){
			fileName = file.getOriginalFilename();
			File deployFile = new File(fileSavePath+fileName);
			FileUtil.del(deployFile);
			file.transferTo(deployFile);
			//文件下一步要根据文件名字来
			deployService.deploy(fileSavePath+fileName ,id);
		}else{
			System.out.println("没有找到相对应的文件");
		}
		System.out.println("文件上传的原名称为:"+ Objects.requireNonNull(file).getOriginalFilename());
		Map<String,Object> map = new HashMap<>(2);
		map.put("errno",0);
		map.put("id",fileName);
		return new ResponseEntity<>(map,HttpStatus.OK);
	}

Attackers can exploit this vulnerability to upload dynamic link libraries or write scheduled tasks to implement RCE. Attackers can also delete any files in any directory, affecting the stable operation of the web service site.

How to reproduced

POC

/api/database/upload

Upload arbitrary files to arbitrary directories

Delete arbitrary files in arbitrary directories

Firstly I create a file something-important in /tmp directory

The something-important file has been deleted

/api/deploy/upload

Upload arbitrary files to arbitrary directories

Delete arbitrary files in arbitrary directories

The situation is consistent with the above /api/database/uploadinterface

Versions

eladmin ≤ v2.7

Reporter

https://github.com/nerowander