Exploit the classpath based vulnerability with something like:
curl "http://<host>/..\..\spark\Spark.class"
The number of ..\ you need in the path depends on where in the classpath the static file location is configured to be. If you don't have the right amount then you don't get anything, but this is trivially brute forced. The classpath often has juicy things like configuration files and keystores, or you could look for non-framework class files and decompile them.
Try something like:
curl
"http://<host>/..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\etc\passwd"
I'm sure you can figure out what to do from here.
This is tested on Spark 2.5 and git master, it should work on earlier versions.
If you need a workaround, don't use Spark to serve static files and move them to another web server.
暂无临时解决方案
暂无官方解决方案
暂无防护方案
※本站提供的任何内容、代码与服务仅供学习,请勿用于非法用途,否则后果自负
续费请拨打客服热线,感谢您一直支持 Seebug!
京公网安备 11010502034610号
暂无评论