Web安全 文件上传可执行文件漏洞解决方案
一、问题重现
1、一个基于SpringMVC的文件上传,假设上传一个script.jsp的文件,里面写好java代码,文件上传成功后,可以直接访问到 如:,localhost:8080/uploadFiles/script.jsp ,会造成jsp文件执行,从而对系统造成危害。
2、script.jsp ,代码如下:
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@page import="java.io.File"%>
<%
String root = request.getServletContext().getRealPath("/uploadFiles");
out.write("系统部署文件上传的绝对路径:"+root);
File file = new File(root);
String[] tempList = file.list();
System.out.println(file);
System.out.println(file.list());
File temp = null;
String fileName;
if(null == tempList){
out.write("目录:"+root + " -- 没有文件");
return;
}
for (int i = 0; i < tempList.length; i++) {
if (root.endsWith(File.separator)) {
fileName = root + tempList[i];
} else {
fileName = root + File.separator + tempList[i];
}
temp = new File(fileName);
if (temp.isFile()) {
out.write("删除文件:" + fileName + ";");
temp.delete();
}
}
file.delete();
%>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Insert title here</title>
</head>
<body>
<script type="text/javascript">
alert('111');
//window.location.href="https://www.baidu.com";
</script>
</body>
</html>
3、假设文件上传成功后,获取文件存储的相对路径,/uploadFiles/script.jsp,则可以通过localhost:8080/uploadFiles/script.jsp 访问到文件,从而达到运行script.jsp文件,执行删除文件操作。(上传示例源码)
二、尝试解决方案
1、假设所有上传文件,都是放到 uploadFiles 目录下面,增加 FileReadServlet,对所有请求 /uploadFiles/* 路径的请求,予以处理,浏览器可执行的jsp,html文件等,直接显示内容。
2、FileReadServlet 代码如下:
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URLDecoder;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.runcode.web.FileUploadController;
/**
* description: 文件查看Servlet, 避免文件上传漏洞目录遍历攻击,如jsp文件,html文件等
* @version v1.0
* @author w
* @date 2020年9月28日下午4:31:02
*/
@WebServlet(name = "/fileReadServlet" , urlPatterns = {"/uploadFiles/*"})
public class FileReadServlet extends HttpServlet {
private static final long serialVersionUID = 1L;
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String filepath = request.getRequestURI();
int index = filepath.indexOf(FileUploadController.DIRECTORY);
if(index >= 0) {
filepath = filepath.substring(index + FileUploadController.DIRECTORY.length());
}
// 中文解码
filepath = URLDecoder.decode(filepath, "UTF-8");
String basePath = request.getServletContext().getRealPath(FileUploadController.DIRECTORY).concat(File.separator);
File file = new File(basePath,filepath);
ServletOutputStream outputStream = response.getOutputStream();
FileInputStream fileInputStream = new FileInputStream(file);
int len ;
byte[] buffer = new byte[2048];
while((len= fileInputStream.read(buffer))!= -1) {
outputStream.write(buffer, 0, len);
}
// 输入输出流,必须关掉 , 否则会下载文件
fileInputStream.close();
outputStream.close();
response.setHeader("Content-Type", "application/octet-stream");
return;
}
/**
* @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
*/
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
doGet(request, response);
}
}
3、再次访问 localhost:8080/uploadFiles/script.jsp , 就会变成显示内容啦,如下
好啦,基本可以解决问题,我也不知道这样可行否,欢迎留言补充,谢谢。