Geek-framework can upload JSP backdoor

**I.	Source code analysis**
/src/main/java/com/geekcattle/controller/console/UeditorController.java 
File upload. When an exception of file extension is detected, no exit or return.
![CodeAnalysis-en](https://user-images.githubusercontent.com/47202604/57271405-e5eca100-70c1-11e9-9207-09ea90d7b043.png)

**II.  Vulnerability testing**
![ueditor](https://user-images.githubusercontent.com/47202604/57271426-f4d35380-70c1-11e9-952e-71e5ea4e4008.png)
Ueditor editor, upload pictures.
The front end validates the file extension, so you need to upload a normal image file. 
After using BurpSuite to intercept, modify the upload file name and content.
![burpsuite](https://user-images.githubusercontent.com/47202604/57271434-fd2b8e80-70c1-11e9-9ffa-be8c6476d42d.png)
Geek-framework is a java development framework; the ueditor plug-in here is incomplete, but the back door is uploaded.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Geek-framework can upload JSP backdoor #32

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Geek-framework can upload JSP backdoor #32

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions