网鼎杯2020-filejava_src

Posted h3zh1

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了网鼎杯2020-filejava_src相关的知识,希望对你有一定的参考价值。

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">
   
  <display-name>file_in_java</display-name>
  <welcome-file-list>
    <welcome-file>upload.jsp</welcome-file>
  </welcome-file-list>
    
  <servlet>
    <description></description>
    <display-name>UploadServlet</display-name>
    <servlet-name>UploadServlet</servlet-name>
    <servlet-class>cn.abc.servlet.UploadServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>UploadServlet</servlet-name>
    <url-pattern>/UploadServlet</url-pattern>
  </servlet-mapping>
  <servlet>
    <description></description>
    <display-name>ListFileServlet</display-name>
    <servlet-name>ListFileServlet</servlet-name>
    <servlet-class>cn.abc.servlet.ListFileServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ListFileServlet</servlet-name>
    <url-pattern>/ListFileServlet</url-pattern>
  </servlet-mapping>
  <servlet>
    <description></description>
    <display-name>DownloadServlet</display-name>
    <servlet-name>DownloadServlet</servlet-name>
    <servlet-class>cn.abc.servlet.DownloadServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>DownloadServlet</servlet-name>
    <url-pattern>/DownloadServlet</url-pattern>
  </servlet-mapping>
</web-app>

DownloadServlet

import cn.abc.servlet.DownloadServlet;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;


public class DownloadServlet
  extends HttpServlet
{
  private static final long serialVersionUID = 1L;
  
  protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { doPost(request, response); }


  
  protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String fileName = request.getParameter("filename");
    fileName = new String(fileName.getBytes("ISO8859-1"), "UTF-8");
    System.out.println("filename=" + fileName);
    if (fileName != null && fileName.toLowerCase().contains("flag")) {
      request.setAttribute("message", "禁止读取");
      request.getRequestDispatcher("/message.jsp").forward(request, response);
      
      return;
    } 
    
    String fileSaveRootPath = getServletContext().getRealPath("/WEB-INF/upload");
    
    String path = findFileSavePathByFileName(fileName, fileSaveRootPath);
    
    File file = new File(path + "/" + fileName);
    
    if (!file.exists()) {
      request.setAttribute("message", "您要下载的资源已被删除!");
      request.getRequestDispatcher("/message.jsp").forward(request, response);
      
      return;
    } 
    String realname = fileName.substring(fileName.indexOf("_") + 1);
    
    response.setHeader("content-disposition", "attachment;filename=" + URLEncoder.encode(realname, "UTF-8"));
    
    FileInputStream in = new FileInputStream(path + "/" + fileName);
    
    ServletOutputStream out = response.getOutputStream();
    
    byte[] buffer = new byte[1024];
    int len = 0;
    while ((len = in.read(buffer)) > 0) {
      out.write(buffer, 0, len);
    }

    
    in.close();
    
    out.close();
  }


  
  public String findFileSavePathByFileName(String filename, String saveRootPath) {
    int hashCode = filename.hashCode();
    int dir1 = hashCode & 0xF;
    int dir2 = (hashCode & 0xF0) >> 4;
    String dir = saveRootPath + "/" + dir1 + "/" + dir2;
    File file = new File(dir);
    if (!file.exists()) {
      file.mkdirs();
    }
    return dir;
  }
}

ListFileServlet

mport cn.abc.servlet.ListFileServlet;
mport java.io.IOException;
mport java.util.HashMap;
mport java.util.Map;
mport javax.servlet.ServletException;
mport javax.servlet.http.HttpServlet;
mport javax.servlet.http.HttpServletRequest;
mport javax.servlet.http.HttpServletResponse;


ublic class ListFileServlet
 extends HttpServlet

 private static final long serialVersionUID = 1L;
 
 protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { doPost(request, response); }


 
 protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
   String uploadFilePath = getServletContext().getRealPath("/WEB-INF/upload");
   
   Map<String, String> fileNameMap = new HashMap<String, String>();
   
   String saveFilename = (String)request.getAttribute("saveFilename");
   String filename = (String)request.getAttribute("filename");
   System.out.println("saveFilename" + saveFilename);
   System.out.println("filename" + filename);
   String realName = saveFilename.substring(saveFilename.indexOf("_") + 1);
   fileNameMap.put(saveFilename, filename);
   request.setAttribute("fileNameMap", fileNameMap);
   request.getRequestDispatcher("/listfile.jsp").forward(request, response);
 }

UploadServlet

import cn.abc.servlet.UploadServlet;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.List;
import java.util.UUID;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
import org.apache.poi.ss.usermodel.Sheet;
import org.apache.poi.ss.usermodel.Workbook;
import org.apache.poi.ss.usermodel.WorkbookFactory;


public class UploadServlet
  extends HttpServlet
{
  private static final long serialVersionUID = 1L;
  
  protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { doPost(request, response); }


  
  protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String savePath = getServletContext().getRealPath("/WEB-INF/upload");
    
    String tempPath = getServletContext().getRealPath("/WEB-INF/temp");
    File tempFile = new File(tempPath);
    if (!tempFile.exists())
    {
      tempFile.mkdir();
    }

    
    String message = "";
    
    try {
      DiskFileItemFactory factory = new DiskFileItemFactory();

      
      factory.setSizeThreshold(102400);
      
      factory.setRepository(tempFile);

      
      ServletFileUpload upload = new ServletFileUpload(factory);
      
      upload.setProgressListener(new Object(this));


      upload.setHeaderEncoding("UTF-8");
      
      upload.setFileSizeMax(1048576L);
      
      upload.setSizeMax(10485760L);

      
      if (!ServletFileUpload.isMultipartContent(request)) {
        return;
      }

      
      List<FileItem> list = upload.parseRequest(request);
      for (FileItem fileItem : list)
      {
        if (fileItem.isFormField()) {
          String name = fileItem.getFieldName();
          
          String str = fileItem.getString("UTF-8");
          
          continue;
        } 
        
        String filename = fileItem.getName();
        if (filename == null || filename.trim().equals("")) {
          continue;
        }
        
        String fileExtName = filename.substring(filename.lastIndexOf(".") + 1);
        
        InputStream in = fileItem.getInputStream();
        
        if (filename.startsWith("excel-") && "xlsx".equals(fileExtName)) {
          
          try {

            
            Workbook wb1 = WorkbookFactory.create(in);
            Sheet sheet = wb1.getSheetAt(0);
            System.out.println(sheet.getFirstRowNum());
          } catch (InvalidFormatException e) {
            System.err.println("poi-ooxml-3.10 has something wrong");
            e.printStackTrace();
          } 
        }

        
        String saveFilename = makeFileName(filename);
        request.setAttribute("saveFilename", saveFilename);
        request.setAttribute("filename", filename);
        
        String realSavePath = makePath(saveFilename, savePath);
        
        FileOutputStream out = new FileOutputStream(realSavePath + "/" + saveFilename);
        
        byte[] buffer = new byte[1024];
        
        int len = 0;
        while ((len = in.read(buffer)) > 0) {
          out.write(buffer, 0, len);
        }

        
        in.close();
        
        out.close();
        
        message = "文件上传成功!";
      }
    
    } catch (FileUploadException e) {
      e.printStackTrace();
    } 
    
    request.setAttribute("message", message);
    request.getRequestDispatcher("/ListFileServlet").forward(request, response);
  }
  
  private String makeFileName(String filename) { return UUID.randomUUID().toString() + "_" + filename; }

  private String makePath(String filename, String savePath) {
    int hashCode = filename.hashCode();
    int dir1 = hashCode & 0xF;
    int dir2 = (hashCode & 0xF0) >> 4;
    
    String dir = savePath + "/" + dir1 + "/" + dir2;
    
    File file = new File(dir);
    
    if (!file.exists()) {
      file.mkdirs();
    }
    return dir;
  }
}

upload.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
	<title>Hello File</title>
</head>
<style>
	.sketch-button{
		border-bottom-left-radius: 15px 255px;
		border-bottom-right-radius: 225px 15px;
		border-top-left-radius: 255px 15px;
		border-top-right-radius: 15px 225px;
		transition: all 235ms ease 0s;
		box-shadow: 15px 28px 25px -18px rgba(0,0,0,.2);
		transition: all 235ms ease-in-out 0s;
		align-self: center;
		background: 0 0;
		border: 2px solid #41403e;
		color: #41403e;
		cursor: pointer;
		display: inline-block;
		font-size: 1rem;
		outline: 0;
		padding: .75rem;
	}
</style>
<body>
<div style="margin-top:50px; text-align:center">
	<h2>Hello File!</h2>
	<form action="${pageContext.request.contextPath }/UploadServlet"
		  method="post" enctype="multipart/form-data">
		<center>

			<input type="file" name="file" class="sketch-button">
			<input type="submit" value="??????" class="sketch-button">
		</center>

	</form>
</div>
<br /><br />
<!-- flag in /flag -->
</body>
</html>

META-INF_MANIFEST.MF


Manifest-Version: 1.0
Class-Path: 

以上是关于网鼎杯2020-filejava_src的主要内容,如果未能解决你的问题,请参考以下文章

代码审计:[网鼎杯 2020 青龙组]AreUSerialz

网鼎杯 fakebook

[网鼎杯 2020 朱雀组]phpweb

Java安全-Java In CTF([网鼎杯 2020 青龙组]filejava[网鼎杯 2020 朱雀组]Think Java)

[网鼎杯 2020 青龙组]AreUSerialz

Java安全-Java In CTF([网鼎杯 2020 青龙组]filejava[网鼎杯 2020 朱雀组]Think Java)