Jfinal cms Background Scrolling Image File Upload Vulnerability

## Jfinal cms Background Scrolling Image File Upload Vulnerability ### Introduction to Vulnerability Jfinal cms, using the simple and powerful JFinal as the web framework, the template engine is beetl, the database uses mysql, front-end bootstrap, flat ui and other frameworks. Support multi-site, oauth2 authentication, account registration, password encryption, comments and replies, message prompts, website traffic statistics, article comments and pageview statistics, response management, rights management, etc. There is an arbitrary file upload vulnerability in the background scrolling image. ### Vulnerability Impact - <= v4.7.1 ### Vulnerability Analysis The vulnerability trigger point is at `com/jflyfox/modules/admin/folderrollpicture/FolderrollpictureController.java` ```java public void save() { TbSite site = getBackSite(); UploadFile uploadImage = getFile("model.image_url", FileUploadUtils.getUploadTmpPath(site), FileUploadUtils.UPLOAD_MAX); Integer pid = getParaToInt(); TbFolderRollPicture model = getModel(TbFolderRollPicture.class); // 图片附件 if (uploadImage != null) { String fileUrl = uploadHandler(site, uploadImage.getFile(), "roll_image"); model.set("image_url", fileUrl); } Integer userid = getSessionUser().getUserid(); String now = getNow(); model.put("update_id", userid); model.put("update_time", now); if (pid != null && pid > 0) { // 更新 model.update(); } else { // 新增 model.remove("id"); model.setIsDeleted(JFlyFoxUtils.IS_DELETED_NO); model.put("create_id", userid); model.put("create_time", now); model.save(); } renderMessage("保存成功"); } ``` The getFile function is called to process the uploaded image. The getFile function has a defect. Only the file suffix is judged on the uploaded file, and special characters can be bypassed to form an arbitrary file uploading vulnerability. ### Recurring environment * Tomcat 6.0.29 * Jfinal cms 4.7.1 * Windows ### Vulnerability recurrence 1. Login to the background 2. Click Content Management -> Column to scroll the picture, add or modify, you can see here you can upload the picture, upload a file named shell.jpg, and the content is `<% out.print("123");% >`s file.  3. Click Save, upload the image, use Burpsuite to capture the package, and change the file name to `shell.jsp::$DATA` ``` Http://localhost:8080/jfinal_cms/admin/folderrollpicture/save/ ```  4. Access the shell ``` Http://localhost:8080/jfinal_cms/upload/jflyfox/bbs/tmp/shell.jsp ```