<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.1//EN" "http://struts.apache.org/dtds/struts-2.1.dtd">
<struts>
<constant name="struts.i18n.encoding" value="utf-8"></constant>
<package name="test" namespace="/test" extends="struts-default">
<interceptors>
<interceptor name="myInterceptor" class="interceptor.MyInterceptor"></interceptor>
</interceptors>
<action name="tokenAction" class="action.TokenAction">
<interceptor-ref name="token"></interceptor-ref>
<interceptor-ref name="defaultStack"></interceptor-ref>
<result name="input" type="redirect">/index.jsp</result>
<result name="success">/success.jsp</result>
<result name="invalid.token">/error.jsp</result>
</action>
<action name="singleUploadAction" class="action.SingleUploadAction">
<interceptor-ref name="fileUpload"></interceptor-ref>
<interceptor-ref name="defaultStack"></interceptor-ref>
<result name="uploadSuccess">/uploadSuccess.jsp</result>
</action>
<action name="multiUploadAction" class="action.MultiUploadAction">
<interceptor-ref name="fileUploadStack"></interceptor-ref>
<interceptor-ref name="defaultStack"></interceptor-ref>
<result name="uploadSuccess">/uploadSuccess.jsp</result>
</action>
<action name="interceptorAction" class="action.InterceptorAction">
<interceptor-ref name="myInterceptor"></interceptor-ref>
<interceptor-ref name="defaultStack"></interceptor-ref>
<result name="success">/success.jsp</result>
</action>
</package>
</struts>
package action;
import com.opensymphony.xwork2.ActionSupport;
public class InterceptorAction extends ActionSupport {
public String test(){
System.out.println("action in");
return SUCCESS;
}
}
package action;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import javax.servlet.ServletContext;
import org.apache.struts2.util.ServletContextAware;
import com.opensymphony.xwork2.ActionSupport;
public class MultiUploadAction extends ActionSupport implements
ServletContextAware {
private File[] su;
private String[] suContentType;
private String[] suFileName;
private ServletContext context;
private String separator = File.separator;
private String directory = "file";
public String upload() throws Exception {
String realPath = context.getRealPath("");
File uploadDirectory = new File(realPath, directory);// 上传文件保存文件夹
if (!uploadDirectory.exists()) {
uploadDirectory.mkdir();
}
File uploadFile;
FileInputStream fis;
BufferedInputStream bis;
FileOutputStream fos;
BufferedOutputStream bos;
for (int i = 0; i < su.length; i++) {
uploadFile = new File(uploadDirectory, suFileName[i]);// 上传文件
fis = new FileInputStream(su[i]);// 读取源文件
bis = new BufferedInputStream(fis);// 缓冲流
fos = new FileOutputStream(uploadFile);// 上传文件
bos = new BufferedOutputStream(fos);// 缓冲流
int len = 0;
byte[] buff = new byte[1024 * 8];
while ((len = bis.read(buff)) != -1) {
bos.write(buff, 0, len);
bos.flush();
}
if (null != bos) {
bos.close();
}
if (null != fos) {
fos.close();
}
if (null != bis) {
bis.close();
}
if (null != fis) {
fis.close();
}
}
return "uploadSuccess";
}
public File[] getSu() {
return su;
}
public void setSu(File[] su) {
this.su = su;
}
public String[] getSuContentType() {
return suContentType;
}
public void setSuContentType(String[] suContentType) {
this.suContentType = suContentType;
}
public String[] getSuFileName() {
return suFileName;
}
public void setSuFileName(String[] suFileName) {
this.suFileName = suFileName;
}
public void setServletContext(ServletContext context) {
this.context = context;
}
}
package action;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import javax.servlet.ServletContext;
import org.apache.struts2.util.ServletContextAware;
import com.opensymphony.xwork2.ActionSupport;
public class SingleUploadAction extends ActionSupport implements
ServletContextAware {
private File su;
private String suContentType;
private String suFileName;
private ServletContext context;
private String separator = File.separator;
public String upload() throws Exception {
// 上传路径文件夹地址
String path = context.getRealPath("");
File uploadAddress = new File(path, "file");
if (!uploadAddress.exists()) {
uploadAddress.mkdir();
}
File uploadFile = new File(uploadAddress, suFileName);// 上传文件
FileInputStream fis = new FileInputStream(su);// 读取原始文件
BufferedInputStream bis = new BufferedInputStream(fis);// 缓冲流
FileOutputStream fos = new FileOutputStream(uploadFile);// 上传文件流
BufferedOutputStream bos = new BufferedOutputStream(fos);// 缓冲流
int len = 0;
byte[] buff = new byte[1024 * 8];
while ((len = bis.read(buff)) != -1) {
bos.write(buff, 0, len);
bos.flush();
}
bos.close();
fos.close();
bis.close();
fis.close();
return "uploadSuccess";
}
public File getSu() {
return su;
}
public void setSu(File su) {
this.su = su;
}
public String getSuContentType() {
return suContentType;
}
public void setSuContentType(String suContentType) {
this.suContentType = suContentType;
}
public String getSuFileName() {
return suFileName;
}
public void setSuFileName(String suFileName) {
this.suFileName = suFileName;
}
public void setServletContext(ServletContext context) {
this.context = context;
}
}
package action;
import com.opensymphony.xwork2.ActionSupport;
public class TokenAction extends ActionSupport {
private String username;
private String password;
public String init(){
return INPUT;
}
public String register() {
System.out.println("username : " + username);
System.out.println("password : " + password);
return SUCCESS;
}
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
}
package interceptor;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.Interceptor;
public class MyInterceptor implements Interceptor {
public void destroy() {
}
public void init() {
}
public String intercept(ActionInvocation invocation) throws Exception {
System.out.println("myInterceptor in ");
String result = invocation.invoke();
System.out.println(result);
System.out.println("myInterceptor out ");
return result;
}
}
package test;
public class Action {
public String test(){
System.out.println("action");
return "input";
}
}
package test;
import java.util.ArrayList;
import java.util.List;
public class ActionInvocation {
private List<Interceptor> interceptors = new ArrayList<Interceptor>();
private Action action = new Action();
public ActionInvocation(){
FirstInterceptor fi = new FirstInterceptor();
SecondInterceptor si = new SecondInterceptor();
interceptors.add(fi);
interceptors.add(si);
}
int index = -1;
String result;
public String invoke(){
index++;
if(index < interceptors.size()){
result = interceptors.get(index).interceptor(this);
}else{
result = action.test();
}
return result;
}
}
package test;
public class FirstInterceptor implements Interceptor {
public void destroy() {
}
public void init() {
}
public String interceptor(ActionInvocation invocation) {
System.out.println("1");
String result = invocation.invoke();
System.out.println(result);
System.out.println("-1");
return result;
}
}
package test;
public class InteceptorTest {
/**
* @param args
*/
public static void main(String[] args) {
ActionInvocation invocation = new ActionInvocation();
invocation.invoke();
}
}
package test;
public interface Interceptor {
public void destroy();
public void init();
public String interceptor(ActionInvocation invocation);
}
package test;
public class SecondInterceptor implements Interceptor {
public void destroy() {
}
public void init() {
}
public String interceptor(ActionInvocation invocation) {
System.out.println("2");
String result = invocation.invoke();
System.out.println(result);
System.out.println("-2");
return result;
}
}
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@ taglib uri="/struts-tags" prefix="s" %>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<base href="<%=basePath%>">
<title>My JSP 'error.jsp' starting page</title>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="expires" content="0">
<meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
<meta http-equiv="description" content="This is my page">
<!--
<link rel="stylesheet" type="text/css" href="styles.css">
-->
<style type="text/css">
#num{
font-size:14px;
color:red;
font-weight:bold;
}
</style>
<script type="text/javascript" src="javascript/common.jsp"></script>
<script type="text/javascript">
function daojishi(){
document.getElementById("num").innerText = parseInt(document.getElementById("num").innerText) - 1;
if(parseInt(document.getElementById("num").innerText) == 0){
to("/index.jsp");
}
setTimeout(daojishi,1000);
}
window.onload = daojishi;
</script>
</head>
<body>
系统正在处理中...请勿重复提交 ! <span id="num" >5</span>秒后返回注册页面!
<a href="javascript:to('/index.jsp')">手动跳转</a>
</body>
</html>
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@taglib uri="/struts-tags" prefix="s" %>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<base href="<%=basePath%>">
<title>My JSP 'index.jsp' starting page</title>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="expires" content="0">
<meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
<meta http-equiv="description" content="This is my page">
<!--
<link rel="stylesheet" type="text/css" href="styles.css">
-->
</head>
<body>
<s:form action="test/tokenAction!register" theme="simple">
username: <s:textfield name="username"></s:textfield><br>
password: <s:password name="password"></s:password><br>;
<s:token></s:token>
<s:submit value="submit"></s:submit><br>
</s:form>
</body>
</html>
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@taglib uri="/struts-tags" prefix="s" %>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<base href="<%=basePath%>">
<title>My JSP 'success.jsp' starting page</title>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="expires" content="0">
<meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
<meta http-equiv="description" content="This is my page">
<!--
<link rel="stylesheet" type="text/css" href="styles.css">
-->
</head>
<body>
success
</body>
</html>
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@ taglib uri="/struts-tags" prefix="s" %>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<base href="<%=basePath%>">
<title>My JSP 'upload.jsp' starting page</title>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="expires" content="0">
<meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
<meta http-equiv="description" content="This is my page">
<!--
<link rel="stylesheet" type="text/css" href="styles.css">
-->
</head>
<body>
<s:form action="test/singleUploadAction!upload" method="post" enctype="multipart/form-data">
<s:file name="su"></s:file>
<s:submit value="上传"></s:submit>
</s:form>
<s:form action="test/multiUploadAction!upload" method="post" enctype="multipart/form-data">
<s:file name="su"></s:file>
<s:file name="su"></s:file>
<s:file name="su"></s:file>
<s:file name="su"></s:file>
<s:submit value="上传"></s:submit>
</s:form>
</body>
</html>
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@ taglib uri="/struts-tags" prefix="s" %>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<base href="<%=basePath%>">
<title>My JSP 'uploadSuccess.jsp' starting page</title>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="expires" content="0">
<meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
<meta http-equiv="description" content="This is my page">
<!--
<link rel="stylesheet" type="text/css" href="styles.css">
-->
</head>
<body>
<font color="red"><s:property value="suFileName"/></font>上传成功!
</body>
</html>
分享到:
相关推荐
]10 S2-045 CVE-2017-5638 支持GetShell/获取物理路径/执行CMD命令 [+]9 devMode CVE-xxxx-xxxx 支持GetShell/获取物理路径/执行CMD...[+]1 S2-005 CVE-2010-1870 支持GetShell/获取物理路径/执行CMD命令/列文件目录
首先,s2-005漏洞(CVE-2012-0881)是2012年发现的一个严重问题,它涉及到Struts2的OGNL(Object-Graph Navigation Language)表达式在反序列化过程中的不当处理。OGNL是一种强大的表达式语言,允许动态访问和操作...
[神器]K8 Struts2 Exp 20160516(Struts2综合漏洞利用工具) ...目前已支持以下struts2漏洞编号 (S2-032 s2-020 s2-019 s2-016 s2-013 s2-009 S2-005) 声明:工具仅供安全检测或网络攻防研究,非法用途后果自负.
5、作者对不同的struts2漏洞测试语句做了大量修改,执行命令、上传功能已经能通用。 6、支持HTTPS。 7、支持GET、POST、UPLOAD三种请求方法,您可以自由选择。(UPLOAD为Multi-Part方式提交) 8、部分漏洞测试支持...
轻量级Java_EE企业应用实战_Struts_2+Spring_3+Hibernate整合开发_第3版_mk.zip.005
10. **S2-005安全漏洞**:Struts2-showcase还包含了一些已知的安全漏洞实例,用于教育开发者如何避免和修复这些漏洞。 通过深入研究和分析struts2-showcase项目,开发者能够全面了解Struts2的特性和最佳实践,从而...
Struts2漏洞检查工具2019版 警告: 本工具为漏洞自查工具,请勿非法攻击他人网站! ==漏洞编号==============影响版本=========================官方公告==========================================影响范围====...
struts2 漏洞检测工具 ,快速检测struts命令执行漏洞,可批量。运行环境要求:MAC/Linux下的Python2、Python3 。支持ST2-005,ST2-008,ST2-009,ST2-013,ST2-016,ST2-019,ST2-020,ST2-devmode,ST2-032,ST2-033,ST2-037...
在这个“Struts2之Servlet API及单元测试初识案例struts005”中,我们将探讨Struts2如何与Servlet API结合使用,以及如何进行单元测试。 Servlet API是Java EE平台的核心部分,用于构建动态Web应用程序。Struts2...
Struts2 漏洞 S2-045 修补方法 Struts2 是一个基于 Java 的 Web 应用程序框架,广泛应用于企业级应用程序中。然而,Struts2 中存在着一些漏洞,例如 S2-045 漏洞,该漏洞可能会导致严重的安全问题。今天,我们将...
著名的Struts2漏洞,如S2-005和S2-016,就是由于OGNL表达式的不当处理导致的远程代码执行风险。因此,在使用OGNL时,开发者需要特别注意输入验证和安全配置,避免恶意用户通过OGNL注入执行任意代码。 在深入学习...
1. 虽然Struts2在安全方面有一些漏洞,但通过及时更新版本和合理配置,可以有效避免如S2-005、S2-016等已知漏洞。 七、最佳实践 1. 使用ActionSupport基类,可以自动处理表单回显和错误显示。 2. 避免过度依赖OGNL...
虽然Struts2强大且灵活,但也曾曝出过安全漏洞,如S2-005、S2-016等。开发者应当关注并及时修复这些漏洞,确保应用安全。 10. **Struts2与Spring集成**: Struts2可以很好地与Spring框架集成,实现依赖注入(DI)...
Struts2历史上曾出现过一些严重的安全漏洞,如著名的S2-005和S2-045,这些漏洞可能导致远程代码执行。开发者需要及时更新Struts2的版本,应用安全补丁,并遵循最佳实践,例如限制对Action的访问、使用参数化查询防止...
[+]struts2-053检测+利用(需要提供参数) [+]检测过程中输出超时原因 [+]兼容HTTP/1.0,修复了struts-045检测不准确的问题 [+]struts2-046检测+利用 [+]修改struts2-048的payload [+]针对某些超时的情况,注释掉 ...
Struts2是一款非常流行的Java Web框架,用于构建和维护可扩展、易于管理的企业级应用程序。然而,随着时间的推移,Struts2框架发现了一系列的安全漏洞,这些漏洞可能导致远程代码执行、敏感信息泄露等问题,对使用...
Struts2的安全性是其重要的关注点,比如2.0版本中存在著名的Struts2 S2-005远程代码执行漏洞,需要及时更新框架版本以修复已知的安全问题。 总结来说,Struts2.0是一个功能强大且灵活的Java Web开发框架,其配置...
批量扫描,支持文件,支持单url,支持多线程。少量误报,可扩展,可修改。
增加S2-048 Struts 2.3.X 支持检查官方示例struts2-showcase应用的代码执行漏洞,参考地址:http://127.0.0.1:8080/struts2-showcase/integration/saveGangster.action 2017-03-21: 增加S2-046,官方发布S2-046和S2...
Struts2是一个基于MVC(Model-View-Controller)设计模式的Java web应用程序框架,它在...在实际项目中,还需要关注安全性问题,如利用Struts2的S2-005漏洞进行攻击,因此应保持框架和依赖库的更新,及时修复安全漏洞。