jsp 之文件包含漏洞

一、静态包含

　　被静态包含文件的后缀名可以是txt、png、jpg等，只要文件内容是正常的jsp内容，被包含文件就可以正常加载、编译和执行。

<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>JSP - Hello World</title>
</head>
<body>
    <%@include file="cmd.cdr"%>
</body>
</html>

<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.io.InputStreamReader" %>
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
</head>
<body>
    <%
        Process process = Runtime.getRuntime().exec("ls -l");
        BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream()));
        String lines = "", line = "";
        while ((line = reader.readLine()) != null) {
            lines += line+ "<br>";
        }
    %>
    <%= lines %>
</body>
</html>

　　访问效果如下：

 二、动态包含

　　被动态包含文件的后缀名必需是jsp，否则不能正常运行，如下：

<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>JSP - Hello World</title>
</head>
<body>
    <jsp:include page="cmd.txt"/>
</body>
</html>