<p>漏洞文件:/servlet/ChangeBGServlet</p><p>漏洞参数:skinName</p><p>影响版本:FE5.5.2及以下版本</p><p>漏洞成因:skinName 参数未经校验即被拼接进上传文件的保存路径,上传内容可能被写到预期的主题目录之外。</p><p>代码片段:</p>
```
/**
 * Handles a GET request that carries a multipart upload and stores each uploaded
 * file part as {@code bgimage.jpg} under
 * {@code <webroot>/login/theme/<skinName>/images/}.
 *
 * <p>Security review: the {@code skinName} request parameter is only checked for
 * emptiness before it becomes a directory component of the save path. Nothing in
 * this excerpt restricts it to a known theme name, rejects path separators or
 * {@code ..} segments, or verifies that the resulting path still lies below the
 * theme directory. The directory is created on demand and an existing target file
 * is deleted before the write, so the caller controls where a file is created or
 * replaced. No authentication or authorization check is visible in this excerpt
 * (it may exist in a filter outside the snippet; confirm).
 *
 * <p>Remediation direction: accept {@code skinName} only if it matches an
 * allow-list of installed themes (or a strict pattern such as letters, digits,
 * {@code _} and {@code -}), resolve the canonical path and require that it starts
 * with the canonical theme base directory, and validate the uploaded content as an
 * image before writing it.
 *
 * <p>NOTE(review): the excerpt is truncated. The {@code try} block has no visible
 * {@code catch}/{@code finally}, and the method's closing brace is missing.
 *
 * @param request  the incoming request; supplies {@code skinName} and the multipart body
 * @param response the response object (not used in the visible part of the method)
 * @throws ServletException declared by the servlet contract
 * @throws IOException      declared by the servlet contract
 */
public void doGet(HttpServletRequest request, HttpServletResponse response)    throws ServletException, IOException
  {
    // Real filesystem path of the web application root.
    String savePath = getServletConfig().getServletContext().getRealPath("");
    String themeDir = request.getParameter("skinName");// read the parameter; no filtering or validation is applied
    // Untrusted input becomes a path component here, before any check has run.
    savePath = savePath + File.separator + "login" + File.separator + "theme" + File.separator + themeDir + File.separator + "images" + File.separator;// the parameter is concatenated into the path
    // The stored file name is fixed; only the directory is caller-influenced.
    String name = "bgimage.jpg";
    // Only guards against a missing/empty value. It is not a content or format check.
    if (StringUtils.isNotEmpty(themeDir))
    {
      File pathDir = new File(savePath);
      if (!pathDir.exists())
      {
        // Creates every missing directory along the caller-influenced path.
        pathDir.mkdirs();
      }
      DiskFileItemFactory fac = new DiskFileItemFactory();
      ServletFileUpload upload = new ServletFileUpload(fac);
      upload.setHeaderEncoding("utf-8");
      // Raw (non-generic) collection types; elements are cast to FileItem below.
      List fileList = null;
      try
      {
        // Parse the multipart body into its individual parts.
        fileList = upload.parseRequest(request);
        Iterator iter = fileList.iterator();
        while (iter.hasNext())
        {
          FileItem item = (FileItem)iter.next();
          // Only file parts are stored; ordinary form fields are ignored.
          if (!item.isFormField())
          {
            // Author's note: NUL-byte truncation of the path. Presumably relevant only on
            // older Java runtimes; confirm against the deployed JRE. Validation should
            // reject NUL characters in skinName regardless.
            File saveFile = new File(savePath + name);// path + file name; the author notes that in Java this can be truncated with %00
            if (saveFile.exists())
            {
              // Any existing file at the target location is removed before the write.
              saveFile.delete();
            }
            // Writes the uploaded content to disk. No type or content check is visible.
            item.write(saveFile);
          }
        }
      }
}
```
                       
                       
        
          