/defaultroot/public/editor/tpsc.jsp
/defaultroot/public/editor/1_tpsc.jsp
/defaultroot/work_flow/formOptJSPUpload.jsp
/defaultroot/work_flow/formStartJSPUpload.jsp
/defaultroot/govezoffice/custom_documentmanager/smartUpload.jsp?path=innerMailbox&fileName=innerMailFileName&saveName=innerMailSaveName&tableName=innerMaildisplaytable&fileMaxSize=0&fileMaxNum=0&fileType=&fileMinHeight=0&fileMinWidth=0&fileMaxHeight=0&fileMaxWidth=0
/defaultroot/custom_form/smartUpload.jsp?path=innerMailbox&fileName=innerMailFileName&saveName=innerMailSaveName&tableName=innerMaildisplaytable&fileMaxSize=0&fileMaxNum=0&fileType=&fileMinHeight=0&fileMinWidth=0&fileMaxHeight=0&fileMaxWidth=0
/defaultroot/public/jsp/goodsphotoupload.jsp?path=goodspic&visualName=goodsPicName&hiddenName=goodsPicName&del=yes
/defaultroot/public/jsp/livephotoupload.jsp?path=peopleinfo&visualName=empLivingPhotoTemp&hiddenName=empLivingPhoto&del=yes
/defaultroot/public/jsp/livephotoupload2.jsp?path=peopleinfo&visualName=empLivingPhotoTemp&hiddenName=empLivingPhoto&del=yes
/defaultroot/public/jsp/singleupload.jsp?path=desktop&visualName=unitImgName&hiddenName=unitImgSaveName&del=yes
/defaultroot/public/jsp/smartUpload.jsp?path=innerMailbox&fileName=innerMailFileName&saveName=innerMailSaveName&tableName=innerMaildisplaytable&fileMaxSize=0&fileMaxNum=0&fileType=&fileMinHeight=0&fileMinWidth=0&fileMaxHeight=0&fileMaxWidth=0

The paths above were posted by 面哥. I read through the source myself and found that nearly every upload location calls the SmartUpload JavaBean, so I went looking for the remaining upload points. The signature code is:
<%@ page language="java" import="com.jspsmart.upload.*"%>
<jsp:useBean id="myUpload" scope="page" class="com.jspsmart.upload.SmartUpload" />

Some locations use the Apache FileUpload component instead, but those are not generally applicable, so I will not cover them.
\defaultroot\customize\upload.jsp (requires truncation after .doc)
\defaultroot\information_manager\informationmanager_upload.jsp (no restriction, direct upload)
\defaultroot\work_flow\workflow_upload.jsp (no filtering; the save completes before the error is raised; of limited use because the file name is not returned, though it could be collected by brute force based on the timestamp)
\defaultroot\dragpage_department\upload.jsp (requires truncation after .jpg)
\defaultroot\skin\5\dragpage_department\upload.jsp (requires truncation after .jpg)
\defaultroot\information_manager\产品-信息管理UTF-8-2009--8.21.1\defaultroot\information_manager\information_smartUpload.jsp (not generally present, no filtering)
\defaultroot\dossier\dossier_import.jsp

The code falls into two kinds. The first kind has no filtering at all, so a shell can be uploaded directly:
myUpload.initialize(pageContext);
myUpload.upload();
for (int j = 0; j < myUpload.getFiles().getCount(); j++) {
    // package name reconstructed here: the page's text is garbled at this point (reads "com.whir测试数据mon.util.Random")
    myRandom = new com.whir.common.util.Random().getRandom();
    com.jspsmart.upload.File myFile = myUpload.getFiles().getFile(j);
    if (!myFile.isMissing()) {
        // the extension is taken straight from the client-supplied name; no allow-list is consulted
        saveName = myRandom + "." + myFile.getFileExt();
        fileName = myFile.getFileName();
        myFile.saveAs("\\upload\\information\\" + saveName);
    }
}

The second kind does filter, but the filter can be bypassed with truncation:
// Initialization
mySmartUpload.initialize(pageContext);
//mySmartUpload.setTotalMaxFileSize(100000);
mySmartUpload.setAllowedFilesList("jpg,gif,bmp,swf,avi");
// Upload
mySmartUpload.upload();

Partial proof is shown in the screenshots below.
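Both code paths above fail for the same reason: the server trusts the file name the client sends, either using its extension unchecked or checking it with an allow-list that stops reading at a NUL byte. The following Java class is an added example of the server-side check that closes both holes; it is not Whir/Wanhu OA code and not part of the original post. The allow-list mirrors the page's `jpg,gif,bmp,swf,avi`; the class name, method names and the upload directory are assumptions made for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not the product's code): validate an uploaded file name
 * so that neither an unchecked extension nor a truncated name such as
 * "x.jsp\0.jpg" reaches the file system.
 */
public class SafeUploadName {
    // Same allow-list as the page's setAllowedFilesList("jpg,gif,bmp,swf,avi")
    private static final Set<String> ALLOWED = Set.of("jpg", "gif", "bmp", "swf", "avi");
    // An extension is a short run of lowercase ASCII letters or digits, nothing else
    private static final Pattern SAFE_EXT = Pattern.compile("[a-z0-9]{1,5}");
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the validated extension, or throws if the name must be rejected. */
    public static String validateExtension(String clientName) {
        if (clientName == null || clientName.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // Reject NUL and every other control character outright. A name like
        // "x.jsp\0.jpg" ends in an allowed suffix, but lower layers cut the
        // string at the NUL, which is exactly the truncation bypass.
        for (int i = 0; i < clientName.length(); i++) {
            char c = clientName.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                throw new IllegalArgumentException("control character in file name");
            }
        }
        // Only the last path component matters; the client's directory part is never used
        String base = clientName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) {
            throw new IllegalArgumentException("no extension");
        }
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!SAFE_EXT.matcher(ext).matches() || !ALLOWED.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        return ext;
    }

    /** Server-chosen target: random token plus the validated extension; the client name is never reused. */
    public static Path targetPath(Path uploadDir, String clientName) {
        String ext = validateExtension(clientName);
        byte[] token = new byte[16];
        RNG.nextBytes(token);
        StringBuilder sb = new StringBuilder();
        for (byte b : token) {
            sb.append(String.format("%02x", b));
        }
        Path target = uploadDir.resolve(sb + "." + ext).normalize();
        // Defence in depth: the resolved path must still sit inside the upload directory
        if (!target.startsWith(uploadDir)) {
            throw new IllegalStateException("path escaped upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed directory and sample names for the demonstration
        Path dir = Paths.get("/var/app/upload/information").toAbsolutePath().normalize();
        String[] samples = {
            "photo.JPG", "report.doc", "shell.jsp\u0000.jpg",
            "../../../webapps/ROOT/x.jsp", "x.jsp.jpg"
        };
        for (String s : samples) {
            String shown = s.replace("\u0000", "\\0");
            try {
                System.out.println(shown + " -> " + dir.relativize(targetPath(dir, s)));
            } catch (RuntimeException e) {
                System.out.println(shown + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Compile with `javac SafeUploadName.java` and run `java SafeUploadName` (Java 9 or later for `Set.of`). Of the constructed samples, only `photo.JPG` and `x.jsp.jpg` are accepted, and both are stored under a random name ending in `.jpg`, so the double extension never reaches disk; the NUL-containing name, the `.doc` name and the traversal attempt are all rejected before any file is written. The stored name should still go into a directory that the servlet container does not execute JSP from, and the client-supplied name belongs only in the audit log.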
Full write-up: Wanhu OA arbitrary file upload leading to code execution (summary of multiple locations).