部分ewebeditor jsp版存在的0day
文章作者：落叶纷飞[J.L.S.T]
信息来源：安全叶子技术小组[J.Leaves Security Team]（http://00day.cn）

第一种是由savefile.jsp来完成上传过程，给出它的代码：
Copy code    String sType = request.getParameter("type");
    if (sType == null) {
      sType = "";
    }
    //式
    String sStyleName = request.getParameter("style");
    if (sStyleName == null) {
      sStyleName = "";
    }
    String sUploadDir = request.getParameter("dir");
    if (sUploadDir == null) {
      sUploadDir = "uploadfile";
    }
    String sAllowExt = request.getParameter("ext");
    if (sAllowExt == null) {
      sAllowExt = "";
    }
    int nAllowSize = 100;
    if (request.getParameter("size") != null) {
      nAllowSize = Integer.parseInt(request.getParameter("size"));
    }
    //洗
    DiskFileUpload upload = new DiskFileUpload();
    try {
      List items = upload.parseRequest(request);
      Iterator iter = items.iterator();
      while (iter.hasNext()) {
        FileItem item = (FileItem) iter.next();
        if (!item.isFormField()) {
          long sizeInBytes = item.getSize();
          String sFileExt = this.getFileExt(item.getName());
          if (sizeInBytes > nAllowSize * 1024) { //薅洗小
          }
          if (!this.CheckValidExt(sFileExt, sAllowExt)) { //展欠
          }
          StringBuffer newFile = new StringBuffer(this.getFileName() + "." +
                                                  sFileExt);
          String realPath=this.getRealPath(sUploadDir);
          File uploadedFolder = new File(realPath);
          uploadedFolder.mkdirs();
          File uploadedFile=new File(realPath + newFile.toString());
          item.write(uploadedFile); //写
          response.sendRedirect("/supereditor/upload.jsp?action=success&file=" +
                                newFile.toString());
        }
      }
    }

另一种把处理上传的文件转成servlet，所以部分代码看不到。

提交的时候涉及到一个小技巧，这里就不公布鸟

demo已经做出来了，内部要的找我~~

另外，这个漏洞有部分局限性，1.4版以上的不受到影响