HttpClient使用之下载远程服务器中的文件(注意目录遍历漏洞)
參考文獻:
http://bbs.csdn.net/topics/390952011
http://blog.csdn.net/ljj_9/article/details/53306468
1.下載地址
http://hc.apache.org/downloads.cgi
Apache-》Projects-》HttpComponents
2.DownloadServlet
1 package com.servlet; 2 3 import java.io.BufferedInputStream; 4 import java.io.BufferedOutputStream; 5 import java.io.File; 6 import java.io.FileInputStream; 7 import java.io.IOException; 8 import java.io.InputStream; 9 import java.io.OutputStream; 10 import java.net.URLDecoder; 11 import java.net.URLEncoder; 12 13 import javax.servlet.ServletException; 14 import javax.servlet.http.HttpServlet; 15 import javax.servlet.http.HttpServletRequest; 16 import javax.servlet.http.HttpServletResponse; 17 18 19 20 public class DownloadServlet extends HttpServlet { 21 22 private static final long serialVersionUID = 1L; 23 24 public void doGet(HttpServletRequest request, HttpServletResponse response) 25 throws ServletException, IOException { 26 String filename = request.getParameter("id"); 27 String fileUrl = request.getServletContext().getRealPath("").replace("\\", "/"); 28 fileUrl = fileUrl + "/files/document/" + filename; 29 System.out.println("fileUrl:"+fileUrl); 30 String rname = new String(filename.getBytes("utf-8")); 31 System.out.println("begin:"+rname); 32 rname = URLEncoder.encode(rname); 33 System.out.println("end:"+rname); 34 response.addHeader("Content-Disposition", "attachment;filename="+rname); 35 response.setContentType("application/octet-stream"); 36 37 File file = new File(fileUrl); 38 InputStream is = new BufferedInputStream(new FileInputStream(file)); 39 byte[] buffer = new byte[is.available()]; 40 is.read(buffer); 41 is.close(); 42 43 OutputStream os = new BufferedOutputStream(response.getOutputStream()); 44 os.write(buffer); 45 os.flush(); 46 os.close(); 47 } 48 49 50 public void doPost(HttpServletRequest request, HttpServletResponse response) 51 throws ServletException, IOException { 52 53 54 } 55 56 57 } 58 593.ClientA.java
?
package com.tool;import java.io.File; import java.io.FileOutputStream; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream;import org.apache.http.HttpResponse; import org.apache.http.client.ClientProtocolException; import org.apache.http.client.HttpClient; import org.apache.http.client.methods.HttpGet; import org.apache.http.impl.client.DefaultHttpClient;public class ClientA {/*** * @param args*/public static void main(String[] args) {// TODO 自動生成的方法存根ClientA client = new ClientA();client.service();}public void service() {// TODO 自動生成的方法存根 String url = "http://此處填寫ip或網址/download.do";HttpClient client = new DefaultHttpClient();HttpGet get = new HttpGet(url);try {HttpResponse response = client.execute(get);} catch (ClientProtocolException e) {// TODO Auto-generated catch block e.printStackTrace();} catch (IOException e) {// TODO Auto-generated catch block e.printStackTrace();}}}4.注意服務器的編碼方式和客戶端的區別
統一為utf-8
5.注意目錄遍歷漏洞
目錄遍歷是通過操作URL強行訪問web目錄以外的文件,目錄和命令,攻擊者可以在目標機器的任何位置訪問文件,執行命令。?
最基本的目錄遍歷攻擊技術是在URL中使用"../"序列,改變訪問資源的路徑,訪問到web目錄以外的文件。?
例如:?
http://example.com/../../../../some/file?
http://example.com/..%255c..%255c/some/file?
正常請求為:?
http://example.com/test.cgi?look=intex.html?
如果存在目錄遍歷漏洞,攻擊者可以訪問?
http://example.com/test.cgi?look=test.cgi
解決辦法:
過濾請求數據中"../"字符序列及其各種變形。?
驗證用戶請求中提交的需要訪問的文件是否在限定的范圍內。
java web使用fliter過濾url即可。
轉載于:https://www.cnblogs.com/landiljy/p/6408382.html
總結
以上是生活随笔為你收集整理的HttpClient使用之下载远程服务器中的文件(注意目录遍历漏洞)的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: PHP数据结构之三 线性表中的单链表的P
- 下一篇: POI搜索简介