File upload vulnerability caused by 00 (NUL byte) truncation of the file name when Java writes a file, and how to repair it

Test environment:
1. Windows 7 (x64) + Tomcat 7 + JDK 1.6
2. Linux 3.0 (Ubuntu 11.10) (x86) + Tomcat 7 + JDK 1.7
When Java writes a file in either of the two environments above, the new file is not named correctly because of 00 (NUL byte) truncation. For example, the file name supplied by the user is abc.jsp[00].jpg, but after the NUL byte truncates it, the file actually created on disk is abc.jsp. This can be exploited wherever the uploaded file name is kept unchanged, or the user can choose the target directory or file name, and the extension check only looks at the tail of the original string (.jpg) rather than at the name the file ends up with.
The request sent in the test is as follows:
POST /simpleUpload/write.jsp HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.168.200.142:8084
Content-Length: 17
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=D2EC5F95AD581EB5FD3A860FC4CE640
 
name=abc.jsp .jpg   (the space here stands for a single 0x00 byte: change it to 00 with a hex editor before sending, which keeps the body at the 17 bytes declared in Content-Length. Because the body is application/x-www-form-urlencoded, sending it percent-encoded as name=abc.jsp%00.jpg is equivalent, since Tomcat decodes %00 to a NUL character in the parameter value; adjust Content-Length to 19 in that case.)
The test server code (write.jsp) is as follows:
<%@page import="java.io.*"%>
<%
    out.clear();
    // Raw, user-controlled name. In the test it is "abc.jsp" + 0x00 + ".jpg".
    String filename = request.getParameter("name");
    if (filename != null) {
        String path = application.getRealPath("/");
        String p = path + "/" + filename;
        File uploadfile = new File(p);
        if (!uploadfile.exists()) {
            // On the affected JDKs this silently creates "abc.jsp": the native layer
            // receives the path as a NUL-terminated string and stops at the 00 byte.
            uploadfile.createNewFile();
        }
        out.println("System Name:" + System.getProperty("os.name"));
        out.println("1.The information of UploadFile:");
        if (uploadfile != null) {   // always true; kept as in the original test
            out.println("   a.the UploadFile  exists!");
            out.println("   b.The path of UploadFile:    " + uploadfile.getAbsolutePath());
            out.println("   c.The name of UploadFile:    " + uploadfile.getName());
            // Strip the last 5 characters (0x00 + ".jpg") to get the name the file was really created under.
            p = uploadfile.getAbsolutePath().substring(0, uploadfile.getAbsolutePath().length() - 5);
            File bugFile = new File(p);
            out.println("2.The information of BugFile:");
            if (bugFile.exists()) {
                out.println("   a.The BugFile  exists!");
                out.println("   b.The path of BugFile:    " + bugFile.getAbsolutePath());
                out.println("   c.The name of BugFile:   " + bugFile.getName());
            } else {
                out.println("The BugFile: " + bugFile + "  doesn't exist!");
            }
            // Re-append the 5 stripped characters and ask Java again whether that name exists.
            // No such file is on disk, but Java answers from the same truncated native call.
            File uploadfile2 = new File(p + uploadfile.getAbsolutePath().substring(uploadfile.getAbsolutePath().length() - 5));
            out.println("3.Assure whether the nonexistent  UploadFile exists because of the java API or not:");
            if (uploadfile2.exists()) {
                out.println("   a.The nonexistent  UploadFile  exists!");
                out.println("   b.The path of nonexistent  UploadFile:    " + uploadfile2.getAbsolutePath());
                out.println("   c.The name of nonexistent  UploadFile:   " + uploadfile2.getName());
            } else {
                out.println("The nonexistent  UploadFile: " + uploadfile2 + " doesn't exist!");
            }
        } else {
            out.println("The UploadFile: " + uploadfile + "  isn't uploaded successfully!");
        }
    } else {
        out.println("Null name!");
    }
    out.flush();
%>
 
1. Screenshot of the response returned for the data submitted in the Windows 7 (x64) + Tomcat 7 + JDK 1.6 environment:
 
2. Screenshot of the response returned for the data submitted in the Linux 3.0 (Ubuntu 11.10) (x86) + Tomcat 7 + JDK 1.7 environment:
 
From the screenshots above we can see:
1. Step 1 succeeded: the file was created, the file name abc.jsp00.jpg reported by Java is unchanged, and Java reports this file as existing.
2. Step 2 also succeeded: abc.jsp exists on disk.
3. Step 3 asks about abc.jsp00.jpg (abc.jsp with the 00.jpg tail reattached), and Java again reports that it exists.
Note: 00 here denotes the hex byte 0x00.
When we open the corresponding directory, only abc.jsp is there. Java keeps the full string inside the File object, so getName() and exists() look consistent with each other, but every native call receives the path as a NUL-terminated C string and ignores everything after the 00 byte. The truncation therefore happens on Java's side of the call, not in the operating system's file system. JDK releases from 7u40 onward (and JDK 8) check for an embedded NUL: File.exists() returns false and File.createNewFile() throws an IOException ("Invalid file path"), so the test above does not reproduce there. Applications still running on JDK 6 or an early JDK 7 remain exposed.
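The following stand-alone program is an added reproducer of the experiment above; it is not the original write.jsp and not part of the post. It creates the same "abc.jsp" + 0x00 + ".jpg" name in a temporary directory (assumed writable) the way the JSP does, then compares what Java reports with what the directory listing shows, so you can tell in one run whether the JDK you deploy on is affected. It is written to compile on JDK 6 as well as current releases.

```java
import java.io.File;
import java.io.IOException;

/**
 * Reproducer for the NUL-byte file-name truncation (added example).
 * Assumes java.io.tmpdir is writable; "abc.jsp" / ".jpg" are the names from the test above.
 */
public class NulTruncationCheck {

    /** What one probe observed: Java's view versus the directory listing. */
    public static final class Outcome {
        public final boolean javaSaysFullNameExists; // new File(dir, "abc.jsp\0.jpg").exists()
        public final boolean truncatedNameOnDisk;    // dir.list() contains "abc.jsp"
        public final String createError;             // non-null when createNewFile() threw

        Outcome(boolean javaSaysFullNameExists, boolean truncatedNameOnDisk, String createError) {
            this.javaSaysFullNameExists = javaSaysFullNameExists;
            this.truncatedNameOnDisk = truncatedNameOnDisk;
            this.createError = createError;
        }

        /** Affected JDK: the truncated name appeared on disk. */
        public boolean vulnerable() { return truncatedNameOnDisk; }
    }

    /** Creates baseName + 0x00 + nulSuffix under dir exactly as write.jsp does, then inspects the result. */
    public static Outcome probe(File dir, String baseName, String nulSuffix) {
        String fullName = baseName + '\0' + nulSuffix;        // e.g. "abc.jsp" + 0x00 + ".jpg"
        File target = new File(dir, fullName);
        String error = null;
        try {
            // JDK 6 / early JDK 7: silently creates "abc.jsp".
            // JDK 7u40+ / 8+: throws IOException("Invalid file path").
            target.createNewFile();
        } catch (IOException e) {
            error = e.getMessage();
        }
        boolean javaSays = target.exists();                   // true on affected JDKs, false on fixed ones
        boolean truncated = false;
        String[] names = dir.list();                          // what the OS actually sees
        if (names != null) {
            for (String n : names) {
                if (n.equals(baseName)) truncated = true;     // "abc.jsp" present: truncation happened
            }
        }
        return new Outcome(javaSays, truncated, error);
    }

    public static void main(String[] args) {
        File dir = new File(System.getProperty("java.io.tmpdir"), "nul-check-" + System.nanoTime());
        if (!dir.mkdirs()) {
            System.err.println("could not create " + dir);
            return;
        }
        Outcome o = probe(dir, "abc.jsp", ".jpg");
        System.out.println("java.version:                 " + System.getProperty("java.version"));
        System.out.println("Java says abc.jsp[00].jpg exists: " + o.javaSaysFullNameExists);
        System.out.println("abc.jsp present in directory:     " + o.truncatedNameOnDisk);
        System.out.println("createNewFile error:              " + o.createError);
        System.out.println(o.vulnerable()
                ? "VULNERABLE: the 00 byte truncated the name, abc.jsp was written"
                : "NOT VULNERABLE: this JDK rejects paths containing a NUL byte");
        // clean up whatever was created
        File[] left = dir.listFiles();
        if (left != null) for (File f : left) f.delete();
        dir.delete();
    }
}
```

Run it with the JDK that serves the application (java NulTruncationCheck); the interesting line is "abc.jsp present in directory", which is the check the post performs by hand when it opens the upload directory.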
To stop a web shell from being uploaded through this bug, use the approach taken by FCKeditor: run every user-controlled path or file name through a regular expression that replaces each dangerous character with an underscore. The code is:
filename = filename.replaceAll("\\\\|\\/|\\||:|\\?|\\*|\"|<|>|\\p{Cntrl}", "_");
In this regular expression \\p{Cntrl} is the part that handles the 00 character: it matches every control character (0x00 to 0x1F and 0x7F), so abc.jsp[00].jpg becomes abc.jsp_.jpg and is written with its real .jpg extension. The first two alternatives are the escaped backslash (\\\\) and forward slash (\\/); the original text showed the slash escape twice. Apply the extension allowlist after this replacement, to the name that will actually be written, not to the raw parameter, and prefer a server-generated file name over the client's whenever the application does not need to keep it.
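The class below is an added example of a hardened replacement for the naming logic in write.jsp; it is neither the post's code nor FCKeditor's. It applies the FCKeditor-style sanitizer quoted above, rejects a name containing a NUL byte outright instead of repairing it, takes the extension from the sanitized name, checks it against an allowlist, and writes under a server-generated name confined to the upload root. The upload root and the image-extension allowlist are assumptions for the demonstration, and the sample names in main are constructed inputs.

```java
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

/**
 * Hardened upload naming (added example, written to compile on JDK 6 and later).
 * Assumed allowlist: image extensions only.
 */
public final class SafeUploadName {

    private static final Set<String> ALLOWED_EXT =
            new HashSet<String>(Arrays.asList("jpg", "jpeg", "png", "gif"));

    /** FCKeditor-style sanitizer: separators, shell/Windows-special characters and all control characters (incl. 0x00) become '_'. */
    public static String sanitize(String name) {
        return name.replaceAll("\\\\|\\/|\\||:|\\?|\\*|\"|<|>|\\p{Cntrl}", "_");
    }

    /**
     * Returns the allowlisted extension taken from the sanitized name, or null if the name is rejected.
     * A NUL byte is never something a legitimate client sends, so it is rejected rather than replaced.
     */
    public static String allowedExtension(String rawName) {
        if (rawName == null || rawName.indexOf('\0') >= 0) return null;
        String clean = sanitize(rawName);
        int dot = clean.lastIndexOf('.');
        if (dot < 0 || dot == clean.length() - 1) return null;   // no extension at all
        String ext = clean.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ALLOWED_EXT.contains(ext) ? ext : null;
    }

    /** The File to write: random server-side name + checked extension, canonicalised and confined to uploadRoot. */
    public static File targetFor(File uploadRoot, String rawName) throws IOException {
        String ext = allowedExtension(rawName);
        if (ext == null) throw new IOException("rejected file name");
        File f = new File(uploadRoot, UUID.randomUUID().toString() + "." + ext);
        String root = uploadRoot.getCanonicalPath() + File.separator;
        if (!f.getCanonicalPath().startsWith(root)) throw new IOException("outside upload root");
        return f;
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: the attack string from the post, a bare .jsp, a traversal attempt, a normal upload.
        String[] samples = { "abc.jsp\0.jpg", "abc.jsp", "../../x.jpg", "photo.JPG" };
        for (String s : samples) {
            System.out.println(s.replace("\0", "[00]")
                    + " -> sanitized=" + sanitize(s)
                    + ", extension=" + allowedExtension(s));
        }
        File root = new File(System.getProperty("java.io.tmpdir"), "uploads");
        root.mkdirs();
        System.out.println("would write photo.JPG as " + targetFor(root, "photo.JPG"));
    }
}
```

For the four constructed inputs the sanitizer turns abc.jsp[00].jpg into abc.jsp_.jpg, but allowedExtension() still returns null for it because of the NUL check; abc.jsp is refused by the allowlist; ../../x.jpg becomes .._.._x.jpg and is accepted as a jpg (the separators are gone, and targetFor() never uses the client name anyway); photo.JPG is accepted as jpg. The order matters: checking the extension on the raw string ".jpg" and only then sanitizing is exactly the gap the truncation bug exploits.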
