Web入门-Java相关

[NUSTCTF 2022 新生赛]Ezjava1

丢IDEA,HelloController.java主代码:

package com.joe1sn.controller;

import com.joe1sn.module.EvalBean;
import java.io.File;
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.ModelAndView;

/**
 * Spring MVC controller of the challenge application.
 *
 * <p>Maps {@code /hello}, {@code /index} (GET and POST) and {@code /addUser1}.
 * Handler arguments that are plain beans ({@link EvalBean}, {@link User}) are
 * populated by Spring's data binder from request parameters, through the beans'
 * setters. Nested properties are addressed with dotted names such as
 * {@code department.name1}.
 */
@Controller
public class HelloController {
    /** No-argument constructor; performs no initialisation. */
    public HelloController() {
    }

    /**
     * Renders the {@code index} view with a fixed hint message.
     *
     * @param httpServletRequest  the incoming request (unused)
     * @param httpServletResponse the outgoing response (unused)
     * @return a {@link ModelAndView} for view {@code index} carrying the {@code message} attribute
     */
    @RequestMapping({"/hello"})
    public ModelAndView handleRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        ModelAndView view = new ModelAndView("index");
        view.addObject("message", "Do you know \"beans\"?");
        return view;
    }

    /**
     * Handles {@code POST /index}; only writes a trace line to standard output.
     *
     * @param evalBean bean bound from the request parameters (not read here)
     * @param model    the view model (not modified here)
     */
    @PostMapping({"/index"})
    public void postIndex(@ModelAttribute EvalBean evalBean, Model model) {
        System.out.println("@POST Called");
    }

    /**
     * Handles {@code GET /index}; only writes a trace line to standard output.
     *
     * @param evalBean bean bound from the request parameters (not read here)
     * @param model    the view model (not modified here)
     */
    @GetMapping({"/index"})
    public void getIndex(@ModelAttribute EvalBean evalBean, Model model) {
        System.out.println("@GET Called");
    }

    /**
     * Handles {@code /addUser1} and returns a plain-text body.
     *
     * <p>Returns {@code flag{1}} when the department name contains {@code njust}
     * and the user name contains {@code 2022}. Otherwise it checks whether
     * {@code ../webapps/ROOT/<department name><user name>.njust.jsp} exists and
     * returns {@code flag{2}} if it does, or the user name if it does not.
     *
     * <p>NOTE(review): {@code user} is filled entirely from request parameters.
     * {@code getDepartment()} and {@code getName()} are dereferenced without null
     * checks, so a request that omits {@code department.*} (or {@code name}, once the
     * department name matches) ends in a {@link NullPointerException}.
     *
     * <p>NOTE(review): the file path is concatenated from request-controlled strings
     * without normalisation, and the response differs depending on whether the file
     * exists. A production handler should canonicalise the path, confine it to its
     * base directory, and avoid reporting file existence to the client.
     *
     * @param user bean bound from the request parameters
     * @return {@code flag{1}}, {@code flag{2}} or the submitted user name
     */
    @RequestMapping({"/addUser1"})
    @ResponseBody
    public String addUser(User user) throws IOException {
        String departmentName = user.getDepartment().getName1();
        System.out.println(departmentName);

        if (departmentName.contains("njust") && user.getName().contains("2022")) {
            return "flag{1}";
        }

        // A relative path: java.io.File resolves it against the process working directory.
        File candidate = new File("../webapps/ROOT/" + departmentName + user.getName() + ".njust.jsp");
        if (candidate.exists()) {
            return "flag{2}";
        }
        return user.getName();
    }
}

User类:

package com.joe1sn.controller;

/**
 * Mutable bean holding a user name and a nested {@link Department}.
 *
 * <p>Both fields start out {@code null} and are only changed through the setters.
 * NOTE(review): when this type is used as a Spring MVC handler argument, every
 * setter here is reachable from request parameters, including the nested
 * {@code department.*} path.
 */
public class User {
    // Null until setName is called.
    private String name;
    // Null until setDepartment is called.
    private Department department;

    /** Creates a user with both fields unset. */
    public User() {
    }

    /** @return the current name, or {@code null} if none was set */
    public String getName() {
        return name;
    }

    /** @param name the new name; stored as given, without validation */
    public void setName(String name) {
        this.name = name;
    }

    /** @return the current department, or {@code null} if none was set */
    public Department getDepartment() {
        return department;
    }

    /** @param department the new department; stored as given, without validation */
    public void setDepartment(Department department) {
        this.department = department;
    }
}

Department类:

package com.joe1sn.controller;

/**
 * Mutable bean holding a single department name in the {@code name1} property.
 *
 * <p>The field starts out {@code null} and is only changed through {@link #setName1(String)}.
 */
public class Department {
    // Null until setName1 is called.
    private String name1;

    /** Creates a department with no name set. */
    public Department() {
    }

    /** @return the current name, or {@code null} if none was set */
    public String getName1() {
        return name1;
    }

    /** @param name1 the new name; stored as given, without validation */
    public void setName1(String name1) {
        this.name1 = name1;
    }
}

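Spring MVC会把请求参数按属性名自动绑定到处理方法的对象参数上(通过setter赋值),嵌套对象的属性用点号表示,例如department.name1,所以可以直接用GET参数给类的成员赋值。实际开发中应通过@InitBinder配合setAllowedFields限定可绑定的字段,或使用专门的DTO接收参数。Payload: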

http://node4.anna.nssctf.cn:28940/addUser1?department.name1=njust&name=2022