前言
上篇主要是关于文件上传的操作,这一篇记录一下其他文件操作
0x01 任意文件下载/读取
@WebServlet(\"/FileRead\")
public class fileRead extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
//以当前get请求的路径+filename参数值作为File对象
File file = new File(this.getServletContext().getRealPath(\"/\") + req.getParameter(\"filename\"));
FileInputStream in = new FileInputStream(file);
ServletOutputStream sos = resp.getOutputStream();
int len;
byte[] buffer = new byte[1024];
while ((len = in.read(buffer)) != -1) {
sos.write(buffer, 0, len);
}
in.close();
}
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
super.doGet(req, resp);
}
}
下载:
@WebServlet(\"/downServlet\")
public class readServlet extends HttpServlet {
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
this.doGet(request, response);
}
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String filename = request.getParameter(\"filename\");
String fileContent = \"\";
FileReader fileReader = new FileReader(filename);
response.setHeader(\"content-disposition\", \"attachment;fileName=\" + filename);
BufferedReader bufferedReader = new BufferedReader(fileReader);
String line = \"\";
while (null != (line = bufferedReader.readLine())) {
fileContent += (line + \"\\n\");
}
}
}
和前面的文件读取也差不多,只是多了设置了一个响应体。
0x02 任意文件删除
@WebServlet(\"/FileDeleteServlet\")
public class FileDeleteServlet extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
resp.setCharacterEncoding(\"gbk\");
File file = new File(this.getServletContext().getRealPath(\"/\") + req.getParameter(\"filename\"));
PrintWriter writer = resp.getWriter();
writer.println(this.getServletContext().getRealPath(\"/\"));
writer.println(this.getServletContext().getRealPath(\"/\") + req.getParameter(\"filename\"));
if (file.exists()){
writer.println(file.getName() + \"文件已删除!\");
file.delete();
}else {
writer.println(\"文件不存在!\");
}
}
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
super.doGet(req, resp);
}
}
0x03 任意文件写入
@WebServlet(\"/FileWriteServlet\")
public class FileWriteServlet extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
File file = new File(req.getParameter(\"f\"));
FileOutputStream fos = new FileOutputStream(file);
fos.write(req.getParameter(\"c\").getBytes());
fos.flush();
fos.close();
ServletOutputStream sos = resp.getOutputStream();
sos.println(file.getAbsoluteFile() + \"\\t\" + file.exists());
}
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
super.doGet(req, resp);
}
}
0x04 任意文件复制
@WebServlet(\"/FileCopyServlet\")
public class FileCopyServlet extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
resp.setCharacterEncoding(\"gbk\");
Path path = Files.copy(Paths.get(req.getParameter(\"source\")), Paths.get(req.getParameter(\"dest\")));
PrintWriter writer = resp.getWriter();
writer.println(path);
}
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
super.doGet(req, resp);
}
}
0x05 任意文件重命名
@WebServlet(\"/FileReNameServlet\")
public class FileReNameServlet extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String fileName1 = req.getParameter(\"source\");
String fileName2 = req.getParameter(\"dest\");
File file1 = new File(fileName1);
File file2 = new File(fileName2);
file1.renameTo(file2);
PrintWriter writer = resp.getWriter();
writer.println(file2.getAbsolutePath() + \"\\t\" + file2.exists());
}
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
super.doGet(req, resp);
}
}
0x06 目录遍历
@WebServlet(\"/DirListServlet\")
public class DirList extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
resp.setCharacterEncoding(\"gbk\");
String[] files = new File(req.getParameter(\"dir\")).list();
PrintWriter writer = resp.getWriter();
for (String file : files) {
writer.println(file);
}
}
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
super.doGet(req, resp);
}
}
总结
审计重点方法,主要是参数需要可控:
java.io.FileInputStream
java.io.FileOutputStream
org.apache.commons.io.FileUtils
参考
https://www.cnblogs.com/CoLo/p/15265624.html
https://www.cnblogs.com/nice0e3/p/13698256.html
来源:https://www.cnblogs.com/N0r4h/p/15957899.html
本站部分图文来源于网络,如有侵权请联系删除。