
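Java Code Audit - File Operations

Preface

The previous post mainly covered file upload; this one records the other file operations.

0x01 Arbitrary File Download/Read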

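import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import javax.servlet.ServletException;   // javax.servlet namespace assumed
import javax.servlet.ServletOutputStream;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/FileRead")
public class fileRead extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Build the File object from the web application root path + the value of the filename parameter
        // (the parameter is not validated, which is the vulnerability)
        File file = new File(this.getServletContext().getRealPath("/") + req.getParameter("filename"));
        FileInputStream in = new FileInputStream(file);
        ServletOutputStream sos = resp.getOutputStream();
        int len;
        byte[] buffer = new byte[1024];

        while ((len = in.read(buffer)) != -1) {
            sos.write(buffer, 0, len);
        }
        in.close();
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Delegate to this servlet's doGet; super.doGet is HttpServlet's default and only returns an error
        this.doGet(req, resp);
    }
}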


Download:

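import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import javax.servlet.ServletException;   // javax.servlet namespace assumed
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/downServlet")
public class readServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        this.doGet(request, response);
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // The filename parameter is used as the path without validation (the vulnerability)
        String filename = request.getParameter("filename");
        String fileContent = "";
        FileReader fileReader = new FileReader(filename);
        response.setHeader("content-disposition", "attachment;fileName=" + filename);
        BufferedReader bufferedReader = new BufferedReader(fileReader);
        String line = "";
        while (null != (line = bufferedReader.readLine())) {
            fileContent += (line + "\n");
        }
        bufferedReader.close();
        // Send the file content back to the client
        response.getWriter().write(fileContent);
    }
}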

This is much the same as the file read above; the only addition is that it sets the content-disposition response header.


0x02 Arbitrary File Deletion

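import java.io.File;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;   // javax.servlet namespace assumed
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/FileDeleteServlet")
public class FileDeleteServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        resp.setCharacterEncoding("gbk");
        // Web root + unvalidated filename parameter (the vulnerability)
        File file = new File(this.getServletContext().getRealPath("/") + req.getParameter("filename"));
        PrintWriter writer = resp.getWriter();
        writer.println(this.getServletContext().getRealPath("/"));
        writer.println(this.getServletContext().getRealPath("/") + req.getParameter("filename"));
        if (file.exists()){
            // Message: "file has been deleted!"
            writer.println(file.getName() + "文件已删除!");
            file.delete();
        }else {
            // Message: "file does not exist!"
            writer.println("文件不存在!");
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Delegate to this servlet's doGet; super.doGet is HttpServlet's default and only returns an error
        this.doGet(req, resp);
    }
}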


0x03 Arbitrary File Write

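import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import javax.servlet.ServletException;   // javax.servlet namespace assumed
import javax.servlet.ServletOutputStream;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/FileWriteServlet")
public class FileWriteServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Both the target path (f) and the content (c) come from the request unvalidated (the vulnerability)
        File file = new File(req.getParameter("f"));
        FileOutputStream fos = new FileOutputStream(file);
        fos.write(req.getParameter("c").getBytes());
        fos.flush();
        fos.close();

        ServletOutputStream sos = resp.getOutputStream();
        sos.println(file.getAbsoluteFile() + "\t" + file.exists());
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Delegate to this servlet's doGet; super.doGet is HttpServlet's default and only returns an error
        this.doGet(req, resp);
    }
}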

0x04 Arbitrary File Copy

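import java.io.IOException;
import java.io.PrintWriter;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.ServletException;   // javax.servlet namespace assumed
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/FileCopyServlet")
public class FileCopyServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        resp.setCharacterEncoding("gbk");
        // Source and destination are both taken from the request unvalidated (the vulnerability)
        Path path = Files.copy(Paths.get(req.getParameter("source")), Paths.get(req.getParameter("dest")));
        PrintWriter writer = resp.getWriter();
        writer.println(path);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Delegate to this servlet's doGet; super.doGet is HttpServlet's default and only returns an error
        this.doGet(req, resp);
    }
}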

0x05 Arbitrary File Rename

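import java.io.File;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;   // javax.servlet namespace assumed
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/FileReNameServlet")
public class FileReNameServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Old and new names are both taken from the request unvalidated (the vulnerability)
        String fileName1 = req.getParameter("source");
        String fileName2 = req.getParameter("dest");

        File file1 = new File(fileName1);
        File file2 = new File(fileName2);

        file1.renameTo(file2);
        PrintWriter writer = resp.getWriter();
        writer.println(file2.getAbsolutePath() + "\t" + file2.exists());
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Delegate to this servlet's doGet; super.doGet is HttpServlet's default and only returns an error
        this.doGet(req, resp);
    }
}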

0x06 Directory Traversal

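import java.io.File;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;   // javax.servlet namespace assumed
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/DirListServlet")
public class DirList extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        resp.setCharacterEncoding("gbk");
        // The directory to list comes from the request unvalidated (the vulnerability)
        String[] files = new File(req.getParameter("dir")).list();
        PrintWriter writer = resp.getWriter();
        if (files == null) {
            return; // list() returns null when the path is not a readable directory
        }
        for (String file : files) {
            writer.println(file);
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Delegate to this servlet's doGet; super.doGet is HttpServlet's default and only returns an error
        this.doGet(req, resp);
    }
}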


Summary

Key methods to focus on when auditing; what matters is whether their arguments are controllable by the user:

  • java.io.FileInputStream
  • java.io.FileOutputStream
  • org.apache.commons.io.FileUtils
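
All of the servlets above hand a request parameter directly to a file API. The following is an added example, not code from the original post, of a containment check to run before any such sink; the class name SafePaths, the method resolveInside and the sample inputs are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

// Added example: SafePaths and resolveInside are hypothetical names, not from the original post.
public final class SafePaths {

    /** Resolves a request-supplied name under baseDir, or throws if it would escape it. */
    public static Path resolveInside(Path baseDir, String userInput) throws IOException {
        if (userInput == null || userInput.isEmpty() || userInput.indexOf('\0') >= 0) {
            throw new SecurityException("empty name or NUL byte");
        }
        Path base = baseDir.toRealPath();           // canonical base, symlinks resolved
        Path candidate;
        try {
            // resolve() returns the argument unchanged when it is absolute, so the
            // startsWith() check below also rejects absolute input.
            candidate = base.resolve(userInput).normalize();
        } catch (InvalidPathException e) {
            throw new SecurityException("malformed path", e);
        }
        if (!candidate.startsWith(base)) {          // compares path elements, not string prefixes
            throw new SecurityException("path escapes base directory");
        }
        // If the target exists, resolve symlinks and re-check: a link inside
        // the base directory may still point outside it.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            throw new SecurityException("symlink escapes base directory");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("webroot");   // constructed sample directory
        Files.write(base.resolve("index.html"), "ok".getBytes());
        // Constructed sample inputs: one plain name, two that leave the base, one that normalizes back inside
        String[] samples = {"index.html", "../../etc/passwd", "/etc/passwd", "a/../index.html"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> allowed: " + resolveInside(base, s));
            } catch (SecurityException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The check and the later file operation are separate steps, so the base directory itself should not be writable by untrusted users.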



Source: https://www.cnblogs.com/N0r4h/p/15957899.html