This vulnerability allows an attacker to download any file on the server that the application process can read (an arbitrary file download / path traversal issue).

The source code is as follows:
```java
// Imports were not part of the original snippet and have been added so it compiles.
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URLEncoder;

import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller // stereotype annotation assumed; the original snippet omitted it
@RequestMapping("file")
public class FileDownloadController {

    @GetMapping("down")
    public void download(@RequestParam("p") String path, HttpServletResponse response) {
        try {
            // The vulnerability: the user-supplied "p" parameter is used as a
            // filesystem path directly, with no base directory and no validation.
            File f = new File(path);
            String filename = f.getName();
            FileInputStream fileInputStream = new FileInputStream(f);
            InputStream inputStream = new BufferedInputStream(fileInputStream);
            byte[] buffer = new byte[inputStream.available()];
            inputStream.read(buffer);
            inputStream.close();
            response.reset();
            response.setCharacterEncoding("UTF-8");
            response.addHeader("Content-Disposition", "attachment;filename=" + URLEncoder.encode(filename, "UTF-8"));
            response.addHeader("Content-Length", "" + f.length());
            OutputStream outputStream = new BufferedOutputStream(response.getOutputStream());
            response.setContentType("application/octet-stream");
            outputStream.write(buffer);
            outputStream.flush();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
```
Sample request:
http://127.0.0.1:8080/file/download?p=/root/a.txt
Solution:

Validate the incoming parameter: restrict downloads to a fixed base directory, normalize the resolved path, and reject any request whose path does not stay inside that directory.
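A hardened version of the controller, written here as an added example rather than code from the original page. The base directory `/var/app/downloads` and the class name `SafeFileDownloadController` are assumptions; the endpoint and parameter name are kept from the original. The request value is treated as a file name relative to the base directory, resolved and normalized, and rejected unless the result (including after symlink resolution) still lies inside that directory, so inputs such as `/root/a.txt` or `../../etc/passwd` return 400.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

import javax.servlet.http.HttpServletResponse;

import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

@RestController
@RequestMapping("file")
public class SafeFileDownloadController {

    // Assumed: the only directory from which files may be served.
    private static final Path BASE_DIR =
            Paths.get("/var/app/downloads").toAbsolutePath().normalize();

    @GetMapping("down")
    public void download(@RequestParam("p") String name, HttpServletResponse response) throws IOException {
        Path target = resolveInsideBase(BASE_DIR, name);
        if (!Files.isRegularFile(target)) {
            throw new ResponseStatusException(HttpStatus.NOT_FOUND, "no such file");
        }
        response.reset();
        response.setContentType("application/octet-stream");
        response.setContentLengthLong(Files.size(target));
        String encodedName = URLEncoder.encode(target.getFileName().toString(), StandardCharsets.UTF_8.name());
        response.setHeader("Content-Disposition", "attachment; filename=\"" + encodedName + "\"");
        // Stream the file instead of reading it into a byte[] sized by available().
        Files.copy(target, response.getOutputStream());
        response.flushBuffer();
    }

    /**
     * Resolves a user-supplied name against baseDir and returns the path only if it
     * stays inside baseDir. Absolute inputs, "..", and symlinks pointing outside the
     * base directory are all rejected with HTTP 400.
     */
    static Path resolveInsideBase(Path baseDir, String name) throws IOException {
        if (name == null || name.isEmpty() || name.indexOf('\0') >= 0) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "invalid file name");
        }
        Path candidate;
        try {
            // resolve() returns the argument itself when it is absolute, so an
            // absolute path like /root/a.txt fails the startsWith check below.
            candidate = baseDir.resolve(name).normalize();
        } catch (InvalidPathException e) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "invalid file name");
        }
        if (!candidate.startsWith(baseDir)) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "path outside base directory");
        }
        // Second check on the real (symlink-resolved) path so a link inside the
        // base directory cannot point at a file outside it.
        Path realBase = baseDir.toRealPath();
        Path realTarget = candidate.toRealPath();
        if (!realTarget.startsWith(realBase)) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "path outside base directory");
        }
        return realTarget;
    }
}
```

With this in place, `GET /file/down?p=report.pdf` serves `/var/app/downloads/report.pdf`, while `p=/root/a.txt` and `p=../../etc/passwd` are refused before any file is opened. If the application only ever serves a known set of files, an allow-list of file names (or an opaque identifier looked up in a table) is simpler still and removes the path handling entirely.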