Risky path: /api/upload

Risk function: com.xzjie.cms.picture.service.impl.UploadServiceImpl#upload


Because there is no function that checks the file suffix, users can upload any file, or even upload it to other working directories,
for example uploading "test.jsp" to get a shell.
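
One way to close both gaps described above (no suffix check, and files landing outside the upload directory), as an added example that is not the project's own code. The class name SafeUploadPath, the allow-list contents and the "uploads" directory are assumptions made for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

public class SafeUploadPath { // hypothetical helper, not part of the project
    // Assumed allow-list for a picture service; adjust to what the application really needs.
    private static final Set<String> ALLOWED = Set.of("jpg", "jpeg", "png", "gif");

    /** Returns a server-chosen target path inside baseDir, or throws if the name is not acceptable. */
    public static Path resolve(Path baseDir, String clientName) {
        if (clientName == null || clientName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid file name");
        }
        // Keep only the last path segment so "../" or "dir/" in the client name is discarded.
        String name = clientName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        int dot = name.lastIndexOf('.');
        if (dot <= 0 || dot == name.length() - 1) {
            throw new IllegalArgumentException("missing extension");
        }
        // Only the final extension counts, so "a.png.jsp" is judged as "jsp".
        String ext = name.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        // Store under a generated name; the client-supplied name never reaches the file system.
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        Path base = Paths.get("uploads"); // constructed sample directory
        // Constructed sample names: one acceptable, four that must be rejected.
        String[] samples = {"photo.PNG", "test.jsp", "../other/test.jsp", "a.png.jsp", "noext"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolve(base, s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The extension check is a first gate only. Storing uploads outside the web root, or in a directory from which the servlet container does not execute JSP, removes the impact if a check is bypassed.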