Statement
createStatement
like '%${
in(${
select
update
insert
statement、select、update、delete
mybatis:${}、$param$、select、update、delete
Runtime.getRuntime().exec()
ProcessBuilder.start()
GroovyShell.evaluate()
javax.xml.parsers.DocumentBuilder
javax.xml.stream.XMLStreamReader
org.jdom.input.SAXBuilder
org.jdom2.input.SAXBuilder
javax.xml.parsers.SAXParser
org.dom4j.io.SAXReader
org.xml.sax.XMLReader
javax.xml.transform.sax.SAXSource
javax.xml.transform.TransformerFactory
javax.xml.transform.sax.SAXTransformerFactory
javax.xml.validation.SchemaFactory
javax.xml.bind.Unmarshaller
javax.xml.xpath.XPathExpression
DocumentBuilder
DocumentHelper.parseText
HttpClient.execute
HttpClient.executeMethod
HttpURLConnection.connect
HttpURLConnection.getInputStream
URL.openStream
Socket
URL
ImageIO
HttpURLConnection
org.apache.commons.fileupload java.io.File MultipartFile RequestMethod MultipartHttpServletRequest CommonsMultipartResolver
<%=
${
<c:if
<c:forEach
ModelAndView
ModelMap
Model
request.getParameter
request.setAttribute
response.getWriter().print()
response.getWriter().write()
java.io.File 文件读取且路径可控 根据经验判断Paths path System.getProperty("user.dir") 路由path/* file*
redirect sendRedirect ModelAndView Location addAttribute