前言
未经授权,禁止转载!
0x01
前段时间,在对某站群系统进行代码审计时,发现某处DWR-AJAX接口存在文件上传漏洞
代码层:public String upload(InputStream is, String fileName) {
String fileUploadPath = getFileUploadPath();
String file = String.valueOf(fileUploadPath) + “/” + IDCreator.getRandom() + “/” + fileName;
String fileExtName = FilenameUtils.getExtension(fileName);
File f = new File(file);
Properties pro = new Properties();
try {
long size = is.available();
FileUtils.copyInputStreamToFile(is, f);
pro.put(“extName”, fileExtName);
pro.put(“originName”, fileName);
pro.put(“url”, file);
pro.put(”
版权声明:本文为weixin_34878397原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。