<p>漏洞文件:/servlet/ChangeBGServlet</p><p>漏洞参数:skinName</p><p>影响版本:FE5.5.2及以下版本</p><p>代码片段:<br></p> ``` public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String savePath = getServletConfig().getServletContext().getRealPath(""); String themeDir = request.getParameter("skinName");//获取参数,未过滤处理 savePath = savePath + File.separator + "login" + File.separator + "theme" + File.separator + themeDir + File.separator + "images" + File.separator;//参数拼接到路径里 String name = "bgimage.jpg"; if (StringUtils.isNotEmpty(themeDir)) { File pathDir = new File(savePath); if (!pathDir.exists()) { pathDir.mkdirs(); } DiskFileItemFactory fac = new DiskFileItemFactory(); ServletFileUpload upload = new ServletFileUpload(fac); upload.setHeaderEncoding("utf-8"); List fileList = null; try { fileList = upload.parseRequest(request); Iterator iter = fileList.iterator(); while (iter.hasNext()) { FileItem item = (FileItem)iter.next(); if...
<p>漏洞文件:/servlet/ChangeBGServlet</p><p>漏洞参数:skinName</p><p>影响版本:FE5.5.2及以下版本</p><p>漏洞成因:skinName 参数取自请求后未做任何校验或规范化,直接拼接进文件保存路径并以固定文件名写入上传内容,因此上传文件的落地目录可由请求方控制。</p><p>代码片段:</p>

```java
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String savePath = getServletConfig().getServletContext().getRealPath(""); String themeDir = request.getParameter("skinName");//获取参数,未过滤处理 savePath = savePath + File.separator + "login" + File.separator + "theme" + File.separator + themeDir + File.separator + "images" + File.separator;//参数拼接到路径里 String name = "bgimage.jpg"; if (StringUtils.isNotEmpty(themeDir)) { File pathDir = new File(savePath); if (!pathDir.exists()) { pathDir.mkdirs(); } DiskFileItemFactory fac = new DiskFileItemFactory(); ServletFileUpload upload = new ServletFileUpload(fac); upload.setHeaderEncoding("utf-8"); List fileList = null; try { fileList = upload.parseRequest(request); Iterator iter = fileList.iterator(); while (iter.hasNext()) { FileItem item = (FileItem)iter.next(); if (!item.isFormField()) { File saveFile = new File(savePath + name);//路径+文件名,java可用%00截断 if (saveFile.exists()) { saveFile.delete(); } item.write(saveFile); } } } }
```