### Classpath Vuln
Exploit the classpath based vulnerability with something like:
```
curl "http:///..\..\spark\Spark.class"
```
The number of ..\ you need in the path depends on where in the classpath
the static file location is configured to be. If you don't have the
right amount then you don't get anything, but this is trivially brute
forced. The classpath often has juicy things like configuration files
and keystores, or you could look for non-framework class files and
decompile them.
### Filesystem Vuln
Try something like:
```
curl
"http:///..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\etc\passwd"
```
I'm sure you can figure out what to do from here.
This is tested on Spark 2.5 and git master, it should work on earlier
versions.
If you need a workaround, don't use Spark to serve static files and move
them to another web server.
1057
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
